Social engineering is the main culprit at the root of most cyberattacks. It is one of the most effective ways for bad actors to break into a company’s network, steal information, and install things like ransomware. There are many different types of social engineering that can be used to attack a business, so it’s important to be aware of all of them.
Not only are there many types, but they also change every day. This is especially true with the introduction of generative artificial intelligence, or GenAI. Taken together, these factors make it very difficult to be completely immune to cyberattacks, but it is possible. It is crucial that all employees of a business are periodically given security awareness training, because the best defense against these malicious attacks is to be aware of them.
Social engineering works so well because human beings are easy to take advantage of. Human error is one of the biggest reasons cyberattacks succeed. Unfortunately, it is relatively easy to trick an employee into giving away information, depending on the skill of the bad actor doing the social engineering. That is why security awareness training is important.
Social engineering is a method that bad actors use to mislead and deceive the employees of a company in order to steal information or get into the company’s network. There are many different types of social engineering that can be done on a computer, on mobile devices, and even in person. They fall into two groups: remote social engineering and on-site social engineering. Each method is different, but some of them share similarities with each other.
Remote social engineering, the more common type, takes place outside of the building. The bad actor uses a variety of attacks delivered through email, mobile devices, and more.
One of the most common attacks is phishing. Phishing is a social engineering attack that uses email to get a person to click on a link or share sensitive information. These emails can range from impersonations to cries for help. Using information readily available on the Internet or in company directories, bad actors will attempt to impersonate important people like officers or fellow employees.
If the bad actor has more in-depth information on the person they’re trying to impersonate, they can even appear as a friend or loved one. It can be difficult to distinguish these sometimes, but it’s important to double-check the senders to make sure they are who they say they are. If something seems strange, it’s probably a phishing email.
Over the past few years, vishing has become more and more popular with hackers. Vishing is similar to phishing, but the attack is usually based around a voice call. Whether through a chat client or a phone, a bad actor will attempt to impersonate a fellow employee or an important person who deals with the business. Usually, these attacks are done with automated bot calls, but some are sophisticated enough to do them live.
These are becoming more difficult to detect because generative AI can now replicate voices at an alarming rate. Bad actors can use these programs and apps to sound like an important person, further tricking the target into thinking that the caller is a real employee. This has already happened in a few recent cyberattacks, especially with bad actors posing as IT professionals or bankers.
Similar to the other two forms of phishing, smishing is the method of using a mobile device’s Short Message Service, or SMS text messaging, to send fraudulent messages to people. These text messages are very similar to emails, considering they will contain a call-to-action message of sorts. They will pose as someone you know, a coworker, or a boss, and ask for certain pieces of information or will want you to click on a link.
Even if you are on a mobile device or something that isn’t completely connected to a company network, a malicious link can still install scripts or programs on it. All it needs is a connection to the internet or mobile network and for you to allow it to be downloaded. If you allow it into your device, it can steal your data and even get into your business’s network once you connect to it.
While a relatively new form of social engineering, quishing is essentially using a QR code to fool people into visiting malicious sites or downloading dangerous things onto their device. Many people are using QR codes these days, including on business cards, in commercials, and in other advertisements. These codes can be very useful for delivering information or guiding potential customers to websites, but they can also be used by bad actors.
There have been plenty of times where people have seen a QR code and scanned it without knowing what it was, only to be led to a malicious website. If you don’t know what it is or where it leads, you probably shouldn’t scan it. Most devices won’t automatically take you to where the QR code directs, though. They will show you the website or data the code wants to send, leaving you to accept it or not.
On the other end of the spectrum, social engineering can also be performed at a business’s physical location. These can be much more concerning, considering you can come face-to-face with the bad actor trying to get into your company’s systems.
While not exactly a common method over the past few years, USB drops are still used today. Bad actors will sometimes install malicious programs or scripts onto a USB drive and leave them in a business’s parking lot or near its building. These flash drives may be labeled as “payroll” or some other enticing title, encouraging someone to plug it into their device.
Once the USB drive is plugged into the computer or mobile device, it slips past the usual permission prompts and can immediately start installing malicious programs onto the device. It is an easy path for any bad actor who manages to trick a person into inserting the drive into their PC. Although it is somewhat uncommon, this method is still used by some hackers today.
One of the ways that bad actors try to get into a building’s restricted areas is to impersonate contractors, employees, or other important people. Some may try to get in under the guise of an electrician, repairman, or even an IT person. They will provide information that they obtained from public sources like the Internet or even through earlier phishing emails.
Some bad actors will even be able to provide contracts or ID badges that may look legitimate. It’s always important to verify these things, but they will try their hardest to get access to specific areas. The business should have policies and procedures on these things, like escorting non-employees around, but even then, they can snap quick photos and take papers that may be on desks.
Another method that a bad actor uses to get into a building is called tailgating. Whenever an employee is moving in and out of the restricted areas of the building, a bad actor may try to slip in behind the employee when they pass through. Even if the door is only accessible with a key, they may slip a hand or an object into the door so that it doesn’t close all the way.
With this method, a bad actor can easily get into an employee-only area of the business. Even being alone for a short time can prove detrimental to a business’s network and sensitive information. Not only can they simply steal papers and take photos, they can also get into files and other various things in employee desks or even their personal belongings.
Disposing of documents and devices in a proper way is a very important thing for businesses to do. Paper waste is part of every business, which can contain anything from customer information to employee records. Because these papers may contain this sort of data, it’s crucial for the business to eliminate these documents either through shredding or disposal services. There are plenty of options to do this, but if it’s simply thrown away, it becomes a target for bad actors.
A dumpster may not seem like the best place for someone to dig into, but it can be a treasure trove for someone that wants to steal information or other things. If not thrown away properly, this is easy pickings for them. Documents are one thing, but some businesses have simply thrown away computers or printers, which can still hold important information and data.
While they don’t have to be inside a business’s building, access points are another way that bad actors can get into a company’s network. These include anything with an outward-facing IP address that is open to outside connections. This can include WiFi, printers, and even fax machines. If these ports are not protected by firewalls or other protections, a bad actor can easily get into the network through them.
All they have to do is sit outside or nearby a business’s operating building and find the proper WiFi or device that they can connect to. Once they have connected, if proper security is missing, they can find their way deeper into networks, routers, and various systems. Even if the WiFi is for members or employees only, a bad actor can try to get information out of employees to get into these access points.
Despite the many different methods that bad actors use, there are plenty of ways to defend against them as well. Cybersecurity plays a big part in these defenses, so it’s important for any business to make sure that its programs are up to date.
When it comes to any sort of vulnerability of a business’s network, human error is the biggest one. Security awareness training is one of the best ways to keep these sorts of attacks in mind for employees. This sort of training includes simulated attacks employed by a third-party information security firm, using real-world tactics in order to see which employees need extra training on security awareness.
Cybersecurity firms will send out various social engineering attempts in order to see which employees might fall for the attacks. They will simulate phishing emails, vishing phone calls, and in some cases smishing texts in order to get employees to click on malicious links. Most information security firms will produce a report on which employees fell for the simulation, making it easy to target follow-up training.
Another way to make sure that something is or isn’t a social engineering attack is verification. No matter what sort of information the bad actor may have, they won’t be able to truly verify their position. Double-checking these things will save a company from a breach, despite what they might claim. They may pose as an IT person or even a high-ranking employee, but it’s always a good idea to check employee databases and records.
Despite this, many cyber incidents happen because of the lack of verification. If an email comes from an unknown source, it’s very likely a phishing email. Simply hovering over the sender’s email address can show where it came from, but you can also hover over links to see where they will go when clicked. Many of these links will be masked in the first place, so hovering is a good idea to find out if the website is malicious.
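The checks described above (who the message really comes from, and where a link really goes when you hover over it) can be written down as a small triage routine. The following is an added example, not code from the original article or from any firm it mentions; the two sample messages are constructed for the demonstration, and the look-alike folding and the "last two labels" domain rule are simplifications, not a full public-suffix or homoglyph check.

```python
"""Heuristic phishing triage for a raw e-mail (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first carries the tells
# the article describes: a link whose visible text names one site while its
# href points at a look-alike domain, a Reply-To outside the sender's domain,
# and an artificial deadline. The second is an ordinary internal notice.
SUSPICIOUS_EMAIL = """\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-help@example-corp-support.net
To: employee@example-corp.com
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details within 24 hours at
<a href="http://login.examp1e-corp.com/verify">https://www.example-corp.com/hr</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "HR" <hr@example-corp.com>
To: employee@example-corp.com
Subject: HR portal update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The <a href="https://www.example-corp.com/hr">HR portal</a> has a new look.
Have a look when convenient.</p>
</body></html>
"""

URGENCY = re.compile(r"action required|within \d+ hours|immediately|urgent|will be suspended", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_form(domain):
    """Fold common character swaps so examp1e-corp.com compares equal to example-corp.com."""
    return domain.replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")


def find_phishing_indicators(raw_message):
    """Return a list of (code, detail) tuples; an empty list means no tell was found."""
    msg = message_from_string(raw_message)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    # 1. A Reply-To outside the sender's domain routes answers to someone else.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = registrable_domain(reply_to.rpartition("@")[2])
        if reply_domain != sender_domain:
            findings.append(("reply_to_mismatch", f"{reply_domain} != {sender_domain}"))

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # 2. What hovering reveals: visible URL text that disagrees with the real href.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {target}"))
        # 3. A target that equals the sender's domain only after folding look-alike characters.
        if target != sender_domain and lookalike_form(target) == lookalike_form(sender_domain):
            findings.append(("lookalike_domain", f"{target} imitates {sender_domain}"))

    # 4. Manufactured time pressure in the subject or body.
    hits = URGENCY.findall(msg.get("Subject", "") + " " + body)
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, find_phishing_indicators(raw))
```

Each finding is a reason to stop and verify through a separate channel rather than a verdict on its own; a mail filter applies the same kind of rules in bulk, and a user hovering over a link is doing check 2 by hand.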
Passwords are an important form of verification when it comes to logging into an account or a service. They are necessary to get into your company’s network and likely various other areas of your job. However, passwords are also one of the most insecure things if they’re easy to guess or have been leaked in a cybersecurity attack. With multi-factor authentication and passkeys, though, a bad actor can be stopped even if they successfully socially engineer you.
Many businesses and services offer an option to add MFA to your account. This can be connected through e-mail, text, biometrics, or even a physical key. Passkeys are also becoming a more secure way to keep people out of your accounts, being even better than an MFA code. It’s always a good idea to have the extra layer of security, even if it is a hassle to do it each time you log in.
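To show why a phished password alone is not enough once MFA is in place, here is an added example (not the article's or any vendor's code) of a login check that requires both a password and a time-based one-time code, implemented with the standard TOTP construction (HMAC-SHA1 over a 30-second counter, RFC 6238). The user record, the plain SHA-256 password hash, and the RFC test secret are constructed for the demonstration; a real system would use a slow password hash such as argon2 or bcrypt and a per-user random secret.

```python
"""Password + TOTP login check (added example; the user store is constructed)."""
import hashlib
import hmac
import struct


def password_hash(password):
    # Placeholder for the demo only: real deployments use argon2/bcrypt/scrypt.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store. The TOTP secret is the RFC 6238 test vector secret.
DEMO_USERS = {
    "alice": {
        "password_hash": password_hash("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, at_time, step=30):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


def verify_login(username, password, code, at_time, users=DEMO_USERS):
    """True only when both the password and a current one-time code are correct."""
    record = users.get(username)
    if record is None:
        return False
    if not hmac.compare_digest(record["password_hash"], password_hash(password)):
        return False
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(record["totp_secret"], at_time + drift), code):
            return True
    return False


if __name__ == "__main__":
    now = 59  # fixed clock so the RFC 6238 vector applies: code 287082
    print("password only:", verify_login("alice", "correct horse battery staple", "000000", now))
    print("password + code:", verify_login("alice", "correct horse battery staple", "287082", now))
```

The point for social engineering is in `verify_login`: a caller who has talked someone out of their password still fails the second check, and a one-time code they trick out of the user expires within a step or two, which is why attackers now try to obtain the code in real time and why phishing-resistant passkeys are stronger still.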
Usually, a business might not even see a phishing email or any malicious links that are sent out. With proper information security policies, email clients and other communication programs will have protections configured for them. These include spam filters, firewalls, and threat information embedded into the program. Phishing emails are likely to be caught by these filters, so they may not even show up in your inbox, but it’s still important to keep an eye out for them.
These aren’t perfect solutions, of course. Some emails will get through, and some may even be incorrectly flagged, so it’s crucial to make sure that it is often updated and checked. Your IT professionals will likely be on top of this, but if you see a suspicious email appear in your inbox, always report it as junk or phishing. This will help keep the filters up to date on a user level.
These policies and procedures will only work if you follow them. While many of them are automatic, some require your attention and response. If something gets through, the policies will likely let you know that it was blocked or that something is unsafe. Examples would be a website warning that there is no privacy certificate, or Microsoft telling you that an email has been put in quarantine. While these procedures might be annoying or long-winded to get through, they are there for a reason, and ignoring them can lead to a cybersecurity incident.
All of these functions have ways to get around them, but it’s never a good idea to do that. These policies are in place for a reason. However, on rare occasions a message or a website might be flagged inappropriately in a “false positive” situation. While these don’t happen often, it is always a good idea to ask your IT professional or a coworker if you think something has been flagged incorrectly.
Extending from the previous point, these policies and procedures are only effective if you keep your device and programs up to date. Your Information Technology department will likely send out updates to your device now and then, but occasionally, people may try to put it off for long periods of time. It can be a hassle to stop what you’re doing in order to update your PC, laptop or phone. However, these updates may contain special security updates for them.
Putting these updates off may leave your device vulnerable to outside attacks, including social engineering. Even if you click on one of these phishing links or get redirected to a malicious website, the policies embedded in your web browser or other programs will keep these dangerous scripts and functions from running.
One of the main things that bad actors want from social engineering is information. They are trying to get your username or password. Some of them want others’ information. You should never give anyone personal information, even if they claim to be an important person or someone who works for the company. In most cases, financial institutions and other businesses will never contact you for your password or sensitive information.
If you ever get an email, text, or even a phone call asking for these things, you should treat it as a social engineering attempt. Do not engage with the person on the phone; hang up immediately, after recording the number if it’s a business line. You can easily block these phone numbers or email addresses, so be sure to take advantage of that function on your device. No one should randomly contact you with these sorts of questions.
If you get one of these social engineering messages, the best way to interact with them is to ignore them. Bad actors have lists of numbers and emails they can contact, obtained from various sources on the Internet, and they go through them pretty quickly. If you answer a phone call, email, or even a text message from these unknown numbers, they will put you on a different list.
Responding to these messages lets the bad actor know that there is someone on the other side of the line. Even if you send a reply asking for verification, they now have confirmation that it is a valid email address or phone number. Never reply directly to any suspicious email. Instead, go around it and contact the company or person in a different way. This goes hand-in-hand with the verification point made earlier, but try to use a different method of contact if you suspect someone has been compromised.
The usual way that bad actors obtain information is simply gathering it from the Internet. Some organizations and businesses publish profiles of their employees. These are relatively common among financial institutions like banks and credit unions, too. While having contact information available can be good for customers, it can also be a detriment to the business. It’s always a good idea to have a generic phone number or email for contacting the company.
Customers should be routed to employees after verification through the general phone line or email. Of course, there are some programs and services out there that also scrape information, so it’s difficult to completely erase your footprint. However, having most of your information taken off the Internet is always a good plan. Most of these information collection agencies must comply with laws, so requesting them to take your information off of it is also an option.
When faced with social engineering, the best thing a person can do is to trust their instinct. A good practice is if it seems suspicious, it’s probably a social engineering attack. Many of the methods above work, but nothing will work better than your own intuition. Always take your time and consider the information you’re given or what you’re being asked for. If it’s too good to be true, it probably is. This is something that should be kept in mind for most things.
Most social engineering will imply that something needs to be done quickly, trying to rush you into giving them information. You should never let the pressure get to you, even if they seem like a real person or a real employee. Always double-check and identify the person asking these questions or telling you to do something. They will never be able to do so if they’re a bad actor.
Social engineering has been happening for decades. It can happen anywhere and on any device. It is a dangerous situation that can bring about a cybersecurity incident for you and your business. They can steal personal data, lock your files and network behind ransomware, and even cause companies to close down for good. All of this is preventable—it simply takes information security and security awareness.
There are many different types of social engineering to keep an eye out for, including on-site and remote. Both of these types have their own methods, like impersonations and dumpster diving for on-site social engineering, while phishing and vishing are remote. A third-party cybersecurity firm can assist with all of these social engineering attacks, from penetration testing and tabletop testing to security awareness training. These will always be crucial for a secure network and a secure business.