Social Engineering – A People Problem
Cyber attacks take many forms, but social engineering is a particularly pernicious tactic which can have serious implications for your IT security.
What is social engineering?
‘Social engineering’ is a blanket term that refers to the methods malicious attackers use to manipulate people into revealing or providing confidential information. The methods of communicating the request may be in person, over the phone or a video call, or via written communication such as email.
When the method used is email, this is most commonly referred to as phishing. Here the social engineer attempts to get some form of personal information from the target, usually credit card information or login details to a site or service that the target has access to. Commonly this will take the form of an email that appears to originate from a bank or online service (such as Office 365), and will look legitimate at first glance.
This email will use one or more of the principles listed below to get the target to click on a link in the email and enter their login credentials into what appears to be the correct online portal. However, this will be a fake login page that harvests the target's credentials for later use by the attacker.
A more specialised form of phishing is spear phishing, which targets specific individuals as opposed to the blanket emails generally sent. These are a lot more difficult to detect, as they are specifically crafted for the individual being targeted.
Other forms of social engineering emails include requests for payment or bank transfers to legitimate recipients, but with bank details belonging to the attacker.
Social engineering principles
Social engineers rely on a few key principles to manipulate people into giving up the information they are after. These are:
- Authority / Intimidation – Social engineers often pose as authority figures (such as the company CEO or a police official) in order to pressure people into complying with a request.
- Consensus / Social Proof – People are more likely to do things that they think other people are doing, or things that they believe are social norms.
- Scarcity – If people believe that an offer is time-limited, or that there are only a limited number of whatever they are seeking, they will be more inclined to act quickly before giving full consideration to the offer or request.
- Urgency – If people believe they only have a certain time window to comply with a request, they are often likely to act without thinking the request through fully. This is often used in conjunction with scarcity above.
- Familiarity / Liking – People are more likely to comply with requests from people that they like (even based on first impressions), or people that are familiar to them such as someone that they have met before.
- Trust – If trust has been established with someone, they are much more likely to comply with a request without fully considering the implications.
How to spot social engineering attempts
The possible ways to spot potential attempts vary depending on the method employed by the social engineer. The primary defence against any form of social engineering is ongoing user awareness training. Educating your users about the dangers of social engineering and the ways to detect and stop these attempts is the single most effective defence.
For phone calls, one of the most effective defences is having a documented process for verifying a caller’s identity for any request involving sensitive information (you do have an information classification policy in your organisation, don’t you?). If the caller is supposedly someone you know, simply insisting on calling them back on a number you already have for them will establish whether the caller is legitimate. If the caller is not someone you presently know, asking for a contact number to call them back on will often dissuade all but the most confident social engineer.
For phishing emails, there are a few things to check carefully, especially those asking for sensitive information:
- Always check the reply-to email address carefully: even one incorrect or swapped letter makes it a different address.
- Do not ever click on any links in the email. If the email is instructing you to log onto a service that you do have, go to the login page directly or search Google for it instead of clicking on a link in the email.
- Do not open any attachments on the email without first making absolutely sure that the email is from a legitimate source. All it takes for your computer to be infected with malicious software (malware) is one click.
- Always report any suspicious emails to your IT provider for investigation.
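The first check above (a reply-to address that differs from, or is one letter away from, a trusted sender domain) can be automated on the mail-filtering side. The following is an added example, not part of the original article: it parses a message's From and Reply-To headers and flags mismatches and one-edit lookalikes against a hypothetical allowlist of trusted domains, using an edit distance that counts a swapped pair of adjacent letters as a single edit. The trusted domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist of domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "office365.com"}


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance extended so an adjacent transposition costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[len(a)][len(b)]


def check_headers(raw_message: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # With no Reply-To header, replies go back to the From address.
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    for dom in sorted({from_dom, reply_dom}):
        for good in sorted(trusted):
            if dom != good and osa_distance(dom, good) == 1:
                findings.append(f"{dom!r} is one edit away from trusted domain {good!r}")
    return findings


# Constructed sample messages: a lookalike sender with a foreign Reply-To, and a clean one.
SAMPLE_PHISH = ("From: Security Team <alerts@exampel-bank.com>\n"
                "Reply-To: <help@mail-collector.example>\n"
                "Subject: Urgent: verify your account\n\nYour account will be locked in 24 hours.\n")
SAMPLE_LEGIT = ("From: Statements <statements@example-bank.com>\n"
                "Subject: Your monthly statement\n\nYour statement is attached.\n")
```

Running `check_headers(SAMPLE_PHISH)` produces two findings (the Reply-To mismatch and the swapped letters in `exampel-bank.com`), while `check_headers(SAMPLE_LEGIT)` returns an empty list.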
Should you fall victim to a phishing email and enter your credentials into a fake login site, always contact your IT support company straight away to get your password reset.
If you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: email@example.com