Social Engineering Attacks

When people hear about cyber attacks in the media they think of denial of service (DDoS) or ransomware attacks, but one form of attack which does not get much media attention is the social engineering attack, which involves manipulating humans rather than computers to obtain valuable information. You can program computers, but you cannot program humans.

A human is the weakest link in a company's cybersecurity defence; therefore, hackers target humans to obtain information and gain access, and this is what is known as social engineering.

What Is Social Engineering

Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.

Quote from https://en.wikipedia.org/wiki/Social_engineering_(security)

Types Of Social Engineering

1. Phishing

Phishing is the most common type of social engineering attack. The attacker creates a website that imitates a trusted company's website and sends the link to people via email or social media platforms. The recipient believes the email is from the official, trusted company and clicks on the link to visit the website, where they are asked to submit personal information and credit card details to the fake site. The attackers collect this information and use it for criminal purposes.

2. Spear Phishing

Spear phishing can be considered a subset of phishing. Although it is a similar attack, it requires extra effort from the attacker, who must tailor each message to the small number of users they target. The extra work pays off: the chance of a user falling for a spear phishing email is considerably higher than for a generic phishing email.

3. Vishing

Vishing (voice phishing) is a scam that gets people to call a free phone number and enter their details over the phone. The call will appear to come from a bank, HMRC or another trusted company. They will ask you for personal information plus your bank or credit card details.

4. Baiting

This type of social engineering depends upon a victim taking the bait. The person dangling the bait wants to entice the victim into taking an action. A cybercriminal might leave a USB stick loaded with malware in a place where the victim will see it, and might label the device in a compelling way — “Confidential” or “Bonuses”. The person who takes the bait picks up the USB device and plugs it into a computer to see what's on it, and the malware then automatically installs itself on the computer.

5. Quid pro quo

A scammer may call the victim pretending to be an IT support person. The person on the other end of the line may hand over the login credentials to their computer, thinking they are receiving technical support. Once the scammer has the login details they can install malware or obtain the person's banking details.

Social Engineering Tips For Business

  1. Invest in training. Cybersecurity is not just about attacks on digital assets; it's also about attacks on human assets, over which you as a business have a lot less control.
  2. Ensure you have a good Windows group policy in place to block USB devices from being installed on business computers.
  3. Ensure all post you receive at your business location which includes a digital device is reviewed by a member of your cybersecurity team.
  4. Put good email filters in place to filter out scam emails or emails with links included in them.
  5. Ensure you have the correct policies and procedures in place to help staff deal with a social engineering attack.
  6. Social engineers count on people to move quickly, without considering the possibility that a scammer may be behind the email, phone call, or face-to-face request on which they're acting. If you stop to think about what they are asking for and whether it makes sense or seems a bit fishy, you are less likely to get scammed.
  7. If it sounds too good to be true, it is a scam.
  8. Never give your credit card or bank details to people over the phone or by email. DO NOT DO THIS, EVER.
  9. Don't open emails from untrusted sources.
  10. Always check the website address to make sure it's the official company's.
  11. If you are not sure about the person or company contacting you by email, or about the website they run, contact the company directly by phone for clarification before handing over personal information.
  12. If the person on the phone is probing you for information, put the phone down and end the conversation.
  13. Don't feel pressured into handing over information; again, put the phone down if you feel pressured.
  14. Do not open the email if you do not trust where the email has come from.
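As an added example (not code from the original post), here is a Python check that applies tip 10 mechanically: it extracts the host a link really points to and compares it against an assumed allow-list of official domains, so the decoys phishing links rely on (the brand name placed before an `@`, used as a subdomain of an unrelated domain, or buried in the path) do not pass. It goes slightly beyond the tip by also flagging internationalised (`xn--`) or non-ASCII hosts that can render like a brand name; the domains and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user expects to deal with (assumed, not from the post).
OFFICIAL_DOMAINS = {"examplebank.com", "hmrc.gov.uk"}


def connecting_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to, or '' if none.

    urlsplit separates the real host from the places a phishing link hides a
    brand name: before '@' (userinfo), after the host (path), or as a leading
    subdomain of an unrelated domain. Non-http(s) schemes are rejected outright.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".")  # hostname drops userinfo and port


def is_official(url: str) -> bool:
    """True only if the host is an official domain or a subdomain of one.

    'examplebank.com.evil.example' is neither, so it fails; 'secure.examplebank.com' passes.
    """
    host = connecting_host(url)
    return bool(host) and any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def is_lookalike(url: str) -> bool:
    """Flag hosts with punycode (xn--) labels or non-ASCII characters, which can
    look identical to a brand name on screen while being a different domain."""
    host = connecting_host(url)
    if not host:
        return False
    return (not host.isascii()) or any(label.startswith("xn--") for label in host.split("."))


def classify(url: str) -> str:
    """Verdict a user (or a mail filter, tip 4) can act on before clicking."""
    if is_official(url):
        return "official"
    if is_lookalike(url):
        return "lookalike"
    return "unknown"
```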