Humans are social and inherently trusting beings, and cybercriminals know this, which is why social engineering has become one of the easiest ways for them to launch a cyberattack. It is often easier for a cybercriminal to get past human defenses than past technological ones. Let’s closely examine what social engineering is, the types of social engineering to be aware of, and how to safeguard your organization.
What Is Social Engineering?
Social engineering occurs when a person is manipulated into revealing sensitive or confidential information, such as passwords and financial details. These attacks also convince people to click on a website link or download an attachment that carries malware, which then infects their computer and, from there, the company network.
Cybercriminals who use social engineering do extensive research on their intended victims before they launch an attack, including studying company websites and LinkedIn profiles. With that information they craft an email or text message that appears to come from a trusted source and looks legitimate to the person who receives it.
Types of Social Engineering Attacks
There are several types of social engineering attacks to be aware of. These include:
- Phishing – A whopping 90% of social engineering attacks are phishing. The attacker poses as a trusted entity and sends an email, text, or chat that creates a sense of urgency to one or more people. They may also create a legitimate-looking fake website that convinces the target to type in their password or otherwise reveal confidential or sensitive information.
- Spear-phishing – Similar to phishing, spear-phishing attacks are highly targeted and appear to come from a trusted source close to the targeted individual. The communications are extremely personalized and difficult to detect.
- Whaling – This is a form of phishing that targets senior executives of a company to gain highly sensitive information.
- Pretexting – Like phishing, this attack relies on the attacker creating a fictional scenario convincing enough to win the victim’s trust. The deception typically builds over time until the victim is tricked into revealing confidential information.
- Baiting – Similar to phishing, baiting is an attack where the target is offered something to entice them to click on a link or provide sensitive information. They might be offered something for free, such as movie downloads, music, or contest entry.
- Quid Pro Quo – Similar to baiting, the attacker offers a service, rather than a tangible item, in exchange for information.
- Tailgating – This is a physical form of social engineering in which an unauthorized person, such as someone presenting as a delivery driver, follows an employee with proper authorization through a secured entrance to gain access to a location.
How to Protect Against Social Engineering
Social engineering attacks can be extremely difficult to detect and avoid. This means that no matter how good your technical defenses are, one mistake by an employee can still result in a breach. The best way to minimize the risk of this happening is to educate your employees to:
- Avoid clicking on links in suspicious emails
- Call the sender, using a phone number they already have on file rather than one supplied in the message, to confirm the communication is legitimate
- Ensure all urgent requests, especially those involving payments or credentials, are verified at the source before acting on them
- Avoid leaving their device unattended and lock it when away from their workstation
- Ensure antivirus software is installed and up-to-date
In addition, create a culture that stays aware of the risk, and make sure everyone knows that cybersecurity is everyone’s responsibility.
Contact Platinum Technologies today to find out how we can help you minimize your risk of falling victim to social engineering.