As with all forms of cyberattack, social engineering attacks are on the rise. Whether they arrive through prolonged attempts to compromise your IT infrastructure or through a single lucky break, social engineering attacks are just as damaging as more commonly understood cyberattacks such as malware or viruses.
Social engineering differs from more well-known cyberattacks because it relies heavily on human interaction and on tricking people into breaking normal security protocols. It exploits human psychology: our natural curiosity and our innate desire to help, or simply to be nosey. One of the many examples we have seen over the years is the attacker pretending to be a colleague and emailing the recipient to ask for help; the recipient then opens an attachment or clicks a URL that compromises their PC and, from there, the wider network.
There are several different types of social engineering attack, all of which have different things to look out for:
- USB drops – this preys on our natural curiosity and is a far more focused attack than other forms of social engineering. The attacker leaves an infected piece of media – such as a USB drive or a CD – in a place where it is likely to be picked up. The unlucky person who finds it plugs it into their computer and the malware installs itself.
- Phishing – this is a larger risk to businesses than baiting, because the attacker can target multiple organisations in one go. The attacker sends fraudulent emails that appear to come from a trusted source, designed to trick the recipient into sharing personal or financial information after opening an attachment or clicking a link. Most scams are identifiable because they request personally identifiable information, use shortened or embedded links, and manufacture urgency by putting pressure on the recipient to comply quickly.
- Spear phishing – a more targeted attack than phishing, it uses the same techniques but is tailored to lure specific individuals or companies into sharing personal information that the attacker can use.
- Pretexting – attackers focus on creating an excellent pretext in order to steal personal information. A usual pretext attack takes the form of the attacker pretending that they need this information to confirm the recipient’s identity. Unlike phishing scams, which rely on a pressing sense of urgency, pretext scams lure the recipient into a sense of trust. The organisations that these attackers purport to be from are likely to be government agencies such as HMRC and Companies House, for example.
- Baiting – much like real-life fishing, baiting refers to the practice of promising an item or good that the attacker can use to entice the recipient – for example, free music or movie downloads in exchange for login credentials to certain sites. Now that many social media accounts have payment facilities within them, think twice about your personal data as well as your business accounts.
- Quid Pro Quo – quid pro quo attacks also offer a benefit in return for information. The attacker might cold call every direct number that belongs to a company that they can find, perhaps under the guise of being an IT professional. These attackers offer a quick fix to whatever problem the targeted person may be having, asking the employee to disable their antivirus programme and thus giving the hacker the chance to install malware under the guise of a software update. Needless to say, we aren’t fans of this particular hack…
Social engineering is growing in popularity with attackers because, as you can see, it preys on the most vulnerable asset that any business has – its people. However, there are a number of things you can educate your workforce on today that will stand you in good stead, regardless of the nature of a particular attack:
- Do not open emails from untrusted sources! Contact a colleague or your IT department if you receive something you’re unsure of.
- If it seems too good to be true on the internet, it probably is. Do not give strangers the benefit of the doubt.
- Keep your antivirus software up-to-date. No software can substitute for our own judgement calls, but it can prevent an incident from escalating.
- Promote the benefits of penetration testing within your organisation. You can’t be prepared for an attack if you don’t know how your organisation can be affected.
- Request IT security training. These attacks change form constantly, so keep your business aware of threats and appropriate responses.
If you are concerned about your company’s IT security or want to talk to someone about strengthening your digital defences, please get in touch today.