What is Social Engineering: Types of Attacks & How to Prevent
Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. Attackers use social engineering tactics to exploit human vulnerabilities rather than technical ones to gain access to systems, networks or data. It is one of the greatest cybersecurity risks today. Here we’ll explore what social engineering is, the different types of attacks, and ways to prevent it.
What is Social Engineering?
Social engineering is the art of manipulating people so that they give up confidential information. The information targeted is usually passwords and sensitive enterprise data relating to finances or intellectual property.
It exploits the natural tendency of humans to trust. Victims may be persuaded into handing over information or access after being manipulated through lies, flattery, sympathy, intimidation, etc. The attacks rely on human interactions, whether over the phone, in person or online.
Types of Social Engineering Attacks
There are a few common types of social engineering attacks:
Phishing
Phishing uses email, fake websites, and text (SMS) messages purporting to be from trusted entities to trick victims into disclosing credentials or sensitive data, or into installing malware. It takes several forms:
- Spear phishing targets specific individuals by including personal details in emails to appear more legitimate. Attackers may impersonate managers requesting information.
- Whaling targets senior executives who have access to critical financial systems; the requests are framed as urgent.
- Clone phishing copies a genuine, previously delivered email so the message looks identical and appears to come from the original sender, with the legitimate links replaced by malicious ones.
- Pharming corrupts DNS resolution to redirect users from legitimate websites to fake login pages that steal credentials.
- SMS/text phishing can spoof the sender's number; its links lead to phishing sites.
Phishing Prevention
- Security awareness training should include simulated phishing attacks to help employees identify common red flags. Teach them to hover over links to check the actual destination URL and to inspect the sender's email address.
- Configure email spam filters to detect spoofed domains, suspicious links, and mail from compromised accounts, and send risky emails to quarantine.
- Set policies requiring verification of all payment or sensitive requests received via email. Confirm legitimacy by phone or another out-of-band channel.
- Enable multi-factor authentication on email, VPNs, and critical business systems, so that a one-time code is required in addition to the password.
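The red-flag checks described above (hover to see where a link really goes, inspect the sender address, watch for spoofed or lookalike domains) can be automated. The following is an added Python example, not code from the original article: it parses a raw email and reports each mismatch it finds. `TRUSTED_DOMAIN`, the `.test` domains, and the sample message are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's own domain (placeholder)

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _addr_domain(header):
    m = re.search(r"@([\w.-]+)", str(header or ""))  # domain of the first address
    return m.group(1).lower() if m else ""

def _lookalike(host):
    """True if host embeds the trusted name without being it or one of its subdomains."""
    if not host or host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return False
    return TRUSTED_DOMAIN.replace(".", "") in re.sub(r"[.-]", "", host)

def phishing_red_flags(raw_eml):
    """Return the red flags found in one raw email (bytes), as readable strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    flags = []
    from_dom, reply_dom = _addr_domain(msg["From"]), _addr_domain(msg["Reply-To"])
    if _lookalike(from_dom):
        flags.append(f"sender domain {from_dom} imitates {TRUSTED_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        # Each link gives (href, visible text): href is what hovering reveals, text is what is read.
        for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html.get_content(), re.I | re.S):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if re.match(r"(?i)https?://|www\.", text) and _host(text) != _host(href):
                flags.append(f"link text shows {_host(text)} but points to {_host(href)}")
            if _lookalike(_host(href)):
                flags.append(f"link host {_host(href)} imitates {TRUSTED_DOMAIN}")
    return flags

# Constructed sample (not a real phishing email); every domain in it is a placeholder.
SAMPLE_EML = b"""\
From: IT Helpdesk <helpdesk@example-com.test>
Reply-To: reset@mail-reset.test
Subject: Urgent: your password expires today
Content-Type: text/html; charset="utf-8"

<a href="http://example.com.login-portal.test/reset">https://example.com/reset</a>
"""
```

Running `phishing_red_flags(SAMPLE_EML)` reports four flags: the lookalike sender domain, the mismatched Reply-To, the link whose visible text differs from its real destination, and the lookalike link host.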
Pretexting
Pretexting uses a fabricated scenario, often built up patiently, to lower the victim's defenses and persuade them to release information or perform an action. Attackers pretend to need the information or access for a legitimate reason.
- Attackers may impersonate IT staff who need a password to fix an issue, or pose as a new employee who needs system access.
- They may call customer service pretending to be a customer to obtain account details; some pretexting is done in person at facilities.
- They create a fake situation that requires data, such as an urgent invoice, and use flattery, authority, fear, or an appeal to helpfulness to persuade victims.
Pretexting Prevention
- Educate employees on pretexting techniques such as urgency, impersonation of roles, or falsified situations. Train them to question unusual requests.
- Implement formal request processes for access, data sharing, payments, etc. Request documents should come from known aliases on company domains.
- Limit employee access to sensitive customer data on a need-to-know basis. Restrict it by role, IP address, and device, and monitor access.
- Verify callers' identities by phone using their employee badge ID before providing any information.
Baiting
Baiting tricks victims into opening infected external drives, email attachments, etc., which launch malware once accessed. The “bait” exploits human curiosity or greed.
Baiting relies on tempting offers such as free devices, pirated software, videos, or e-books on infected USB drives left in public areas or mailed to targets. Drops are often timed to coincide with layoffs.
- The USB drives contain malware that runs on insertion and spreads across systems; ransomware is a frequent payload.
- Attackers disguise the drives as corporate devices or offer them as free gifts to encourage insertion into computers, counting on natural human curiosity.
Baiting Prevention
- Train employees never to insert unfamiliar USB drives or devices, and to report any suspicious unlabeled devices.
- Use group policies to disable USB ports, control approved external devices, and prevent unauthorized software installations.
- If removable media is permitted, mandate antivirus scans of it and block executable files.
- On systems storing sensitive data, physically disable USB ports (for example by filling them with epoxy) to prevent infection.
Quid Pro Quo
Quid pro quo offers a benefit in exchange for information or access. The “quid” lowers the victim’s guard to accept the “quo”.
Quid pro quo tempts employees to give up something in return for an enticing offer.
- Attackers may offer bonuses, promotions, or gifts such as free electronics or event tickets in exchange for data, access, passwords, etc.
- The attacker may pose as a fellow employee or insider, even using collaborators to make the offer seem more legitimate.
- This exploits the natural human tendency to want something for nothing; a compelling benefit lowers defenses.
Quid Pro Quo Prevention
- Educate staff on policies that prohibit unauthorized sharing of data or access even when incentives are offered, and require them to report such attempts.
- Require manager attestation before authorizing new software, devices, building access, etc., to prevent rogue quid pro quo arrangements.
- Prohibit employees from installing unvetted software, apps, or services on company devices or networks.
Tailgating
Tailgating is when someone physically follows right behind a legitimate employee through a restricted entry point, or searches for unlocked doors, to access restricted areas.
- The tailgater waits outside secure doors, such as those to parking garages or server rooms, then quickly slips through behind an employee before the door closes.
- If questioned, they may claim to have forgotten their badge. Tailgaters often dress like employees and exude confidence.
- Once inside, they can steal data, exploit networks, or gather confidential information.
Tailgating Prevention
- Enforce strict badge requirements and limit building entry points. Route visitor access through reception.
- Install alarms on restricted entry doors that notify security of unauthorized access, and use security cameras.
- Train employees to report unrecognized individuals without visible staff badges in secure areas. Confiscate expired badges.
Examples of Attacks in Social Engineering
Here are some case examples:
1. Worm attacks
Worm attacks lure users into opening infected links and files.
An example of this attack is the worm named ILOVEYOU, which appeared in 2000 in the Philippines.
At the time, these attacks targeted corporate email in the Philippines and elsewhere, such as Hong Kong.
The target received an email in the form of a “love letter” containing a love message and a link.
When the link was opened, the worm spread and accessed the personal data of the email recipient.
The losses were estimated at more than 20 million US dollars, equivalent to Rp303 billion.
2. Peer-to-peer network attacks
Peer-to-peer (P2P) networks are also frequent targets of social engineering attacks.
Typically the attack delivers a Trojan disguised as a ready-to-download file with an attention-grabbing name, for example:
- AIM and AOL Password Hacker.exe
- Microsoft CD Key Generator.exe
Both file names refer to devices and applications that are widely used by workers.
How to Prevent Social Engineering
Here are some tips to prevent social engineering vulnerabilities:
- Employee education – Train employees on identifying and responding to social engineering tactics through simulations. Build a culture of security.
- Verify requests for information – Establish protocols for verifying legitimacy before handing over info or access. Get a second form of verification.
- Be suspicious of requests – Encourage suspicion of abnormal requests for confidential data or access to restricted areas/systems.
- Strong password policies – Implement strong, frequently updated passwords to prevent password theft through phishing.
- Principle of least privilege – Only provide access to systems and data strictly needed for a specific role. Restrict sensitive access.
- Physical security – Use locks, security systems, badges to secure facilities from tailgating and unauthorized physical access.
Beware of Social Engineering Attacks
Social engineering is a type of cyber-attack to watch out for: a form of crime that manipulates its victims, carried out online or offline through file downloads, email, phone calls, or fake pop-ups. Baiting, pretexting, phishing, and spear phishing are some examples of social engineering attacks to watch out for.
To help protect against social engineering attacks, you can secure your website or hosting with JCSS Indonesia services, which are certified to the ISO 27001 international security standard.
Hopefully this article has helped you understand what social engineering is and its types and how to prevent it.