10 things to know about social engineering
Social engineering is a common technique that hackers use to influence and manipulate people, instead of using real technical hacking skills, to gain access to buildings, systems, or data.
Imagine, instead of a hacker trying to brute force their way into your network and taking over your systems, they simply call or email an unsuspecting employee and try to deceive them into giving up their passwords!
Even if you have the newest state-of-the-art firewalls and other security devices protecting your data and critical systems, your company still has a human workforce that can be manipulated by social engineers. Employee training and ongoing programs like phishing simulations are a good start toward keeping employees aware of and alert to this cyber threat.
Here are 10 Things to Know About Social Engineering:
- Definition: Social engineering involves manipulating people into revealing confidential or sensitive data, such as passwords or financial data, or performing actions they wouldn't normally do, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
- Psychological manipulation: Social engineers rely on human emotions, such as trust, fear, curiosity, or urgency, to manipulate their targets.
- Common techniques: Some common social engineering techniques include phishing emails (like spearphishing, whaling, smishing, read more about the differences here!), pretexting (creating a fabricated scenario to obtain information), baiting (leaving malware-infected devices or media for victims to find), tailgating (physically following an authorized person into a secure area), and
- Pretext: Social engineers often create a believable pretext or story to gain a victim's trust or cooperation, such as posing as a colleague, customer, or tech support.
- Information gathering: Attackers typically gather information about their targets from sources like social media, corporate websites, and even dumpster diving.
- Targets: Anyone can be a target of social engineering, including individuals, employees, organizations, and government agencies.
- Mitigation: Protecting against social engineering attacks requires security awareness training, strong authentication mechanisms, and a healthy level of skepticism when dealing with unsolicited requests for information.
- Common Indicators:
  - Suspicious sender address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
  - Generic greetings and signature. A generic greeting, such as "Dear Valued Customer" or "Sir/Ma'am", and a signature block with no contact information are both indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
  - Spoofed alias, hyperlinks, and websites. If you hover your cursor over a link in the body of the email and the destination shown does not match the link text, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
  - Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt.
  - Suspicious attachments. An unsolicited email requesting that a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to persuade a user to download or open an attachment without examining it first.
- Awareness: Building awareness about social engineering and its tactics is crucial. Regular training and education can help individuals and organizations recognize and respond to such attacks effectively.
- Reporting: Encourage a culture of reporting suspicious activities or potential social engineering attempts within your organization. Prompt reporting can help mitigate the impact of such attacks.
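As an added example (not part of the original article), the items listed under Common Indicators can be turned into a first-pass mail-triage check that a help desk or a user could run on a reported message. The Python below is illustrative code written for this page, not the article's own material; the trusted domains, the shortener list, the greeting phrases, the attachment extensions and the two sample messages are all constructed for the demonstration. Hyperlinks are represented as `[shown text](destination)` so the link-text-versus-destination comparison that the article describes as hovering can be done in code.

```python
"""
Added example: score a constructed email message against the phishing indicators
from the article (look-alike sender domain, generic greeting, link text that does not
match its destination, URL shorteners, unsolicited risky attachments pushed with urgency).
Every domain, phrase and message below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately receives mail from (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}
# Constructed, non-exhaustive list of public URL shorteners (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/ma'am", "dear user")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "account will be suspended")

# Hyperlinks are written as [shown text](destination) in the plain-text body.
LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")


@dataclass
class Email:
    sender: str                              # e.g. "alerts@examp1e-bank.com"
    body: str                                # plain text, links as [text](url)
    attachments: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: a sender domain one or two characters off a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None if trusted or unrelated."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    name = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        same_name_other_tld = name == trusted.rsplit(".", 1)[0]   # example-bank.net vs .com
        near_miss = levenshtein(domain, trusted) <= 2             # examp1e-bank.com
        embedded = trusted in domain                              # example-bank.com.alerts.net
        if same_name_other_tld or near_miss or embedded:
            return trusted
    return None


def check_email(mail: Email) -> List[str]:
    """Return the names of every indicator this message triggers (empty list = none)."""
    hits = []
    imitated = lookalike_domain(mail.sender)
    if imitated:
        hits.append(f"lookalike-sender:{imitated}")
    lowered = mail.body.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        hits.append("generic-greeting")
    for text, url in LINK_RE.findall(mail.body):
        host = urlparse(url).hostname or ""
        # Shown text that looks like a URL but whose host differs from the real destination.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host != host:
                hits.append(f"link-mismatch:{shown_host}->{host}")
        if host in SHORTENERS:
            hits.append(f"url-shortener:{host}")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments):
        hits.append("risky-attachment")
        if any(w in lowered for w in URGENCY_WORDS):
            hits.append("urgency-with-attachment")
    return hits


# Constructed sample messages: one with most indicators present, one clean.
SAMPLE_PHISH = Email(
    sender="security@examp1e-bank.com",
    body="Dear Valued Customer, your account will be suspended. Verify now at "
         "[https://example-bank.com/login](https://bit.ly/abc123) and open the attached form.",
    attachments=["statement.pdf.exe"],
)
SAMPLE_LEGIT = Email(
    sender="alerts@example-bank.com",
    body="Hello Dana, your statement is ready at "
         "[https://example-bank.com/statements](https://example-bank.com/statements). "
         "Questions? Call us at 555-0100.",
)

if __name__ == "__main__":
    for label, mail in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_email(mail) or "no indicators")
```

Running the script prints the triggered indicators for each sample. The output is a triage aid rather than a verdict: generic greetings and shortened links also appear in legitimate mail, so a hit is a reason to pause and report the message, which is exactly the behaviour the Awareness and Reporting items above ask for.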