Hackers use clever ploys to trick you into disclosing personal information— all with the end goal of acquiring sensitive data or money. These ‘social engineers’ gather intel on you and use social tactics to manipulate and deceive you into granting them entry into your systems.
But what is social engineering, really? How can you safeguard against it?
Here are five things you need to know about social engineering attacks to protect your business from malicious actors.
1. Social engineering is all about basic human nature and exploiting it.
Social engineers know that it’s a basic human instinct to trust something that looks legitimate. That’s why bad actors tap into Open Source Intelligence (OSINT), or any bit of personally identifiable information (PII) they can gather for free about you or your organization. (Sometimes, more detailed information lies behind paywalls, and a hacker can pay a small sum to gather even deeper PII).
OSINT often includes details collected from the Internet (like your company name and your job title from LinkedIn) but, technically, can include offline information as well. Once collected, social engineers use this information to create an often alarmingly convincing ruse. Cyber security professionals call it “pretexting”: a bad actor creates a false story or situation using as many real facts as possible to convince you to take action. The request looks like it came from a trusted source, so you’re inclined to do what they ask!
Unfortunately, once you click that malicious link or enter your credentials, a “payload” is dropped onto your device. A group of computer instructions secretly runs in the background, giving the bad guy covert access to your system from a command-and-control (C&C) server, which can be used to control your machine or access private information on your network.
2. Social engineering comes in many forms.
Perhaps the scariest thing about social engineering is that it wears many faces. Here are just a few examples:
Phishing
The most common social engineering technique is sending malicious emails, a practice called phishing. The bad actor “fishes” for a reader to take their bait and click an infected link, share the information they’re requesting, etc.
Spear Phishing
Spear phishing is an attack in which threat actors use a deep knowledge of the potential victims to target them. These emails are more convincing and harder to detect than regular phishing emails because the attacker knows exactly who and what they're targeting.
Voice Phishing, AKA Vishing
Vishing is a combination of “voice” and “phishing” and is similar to email phishing, but happens over the phone. Bad actors use automated voice messages to attempt to steal confidential information, often by leaving “urgent” voicemails or requesting panicked courses of action.
These are three of the most common types of social engineering attacks, but there are many more. Check out seven other techniques used by cyber criminals with Kevin Mitnick’s training video on KnowBe4.com.
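As an added example (not code from the original post or from Mitnick Security), here is a defender-side triage script that checks a constructed sample email for the phishing and spear-phishing cues described above: a display name claiming a trusted brand while the address is on another domain, a mismatched Reply-To, urgency language, and link text that points somewhere other than the real link target. The sample message, its domains and the indicator names are all assumptions.

```python
"""Heuristic phishing triage for a raw email message (defensive example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing typical pretexting cues.
SAMPLE_EMAIL = """\
From: "Acme Corp IT Support" <helpdesk@acme-corp-secure.example>
Reply-To: recover@mail-box-reset.example
To: jane.doe@acme.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Jane, your password expires today. Verify immediately at
<a href="http://acme-corp-secure.example/login">https://sso.acme.example/login</a>
or your mailbox will be suspended.</p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspend\w*|within \d+ hours|expires? today)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def domain_of(addr_or_url: str) -> str:
    """Return the lowercased host part of an email address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()

def triage(raw: str, trusted_domain: str) -> list[str]:
    """Return the names of the phishing indicators found in the raw message."""
    msg = message_from_string(raw)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    # Display name borrows the trusted brand, but the address is on another domain.
    if trusted_domain.split(".")[0] in name.lower() and sender_dom != trusted_domain:
        findings.append("display-name-spoof")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_dom:
        findings.append("reply-to-mismatch")
    body = msg.get_payload(decode=True).decode(errors="replace")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency-language")
    # Visible link text shows one site while the href leads to another.
    for href, text in ANCHOR.findall(body):
        if text.strip().startswith("http") and domain_of(text.strip()) != domain_of(href):
            findings.append("link-text-mismatch")
    return findings
```

Running `triage(SAMPLE_EMAIL, "acme.example")` on the constructed message reports all four indicators; a plain internal note with no such cues returns an empty list.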
3. You might not notice an attack.
Frighteningly, it can be difficult to know if you were subject to a social engineering attack. You could click an infected link or download malware without ever noticing. Sneaky hackers can time when their payload program activates, and often set it to trigger after idle time. Even if the script starts running while you’re active, it can flash across the screen very quickly, tucked away inconspicuously in the bottom corner, unnoticed.
Meanwhile, the cybercriminal now has remote access into your system and can view your files. Or, the bad guy could have installed spyware onto your device and be watching and recording your actions, capturing your keystrokes as you type in usernames and passwords, or tapping into your device audio or video functionality to hear your conversations or view your webcam.
4. Anyone is susceptible.
While you may think that social engineers only go after lower-tiered employees, posing as management or authority figures to squeeze information out of fearful staff, that’s not true. While low-hanging fruit can often yield a quick win, many hackers are looking for any “foot in the door” to gain internal access to your systems.
That means anyone in your organization could be a target of a social engineering attack. Certainly, some hackers pursue elevated privileges, wanting the highly confidential information that lower-level employees can’t access. That’s why many social engineering attacks are actually targeted towards managers and top-tiered executives, who can often offer a bigger return.
However, it’s important to note that some cyber criminals work their way up, acquiring tidbits of information to make a new connection until they find the right person to exploit. Even IT managers can fall victim to a convincing social engineer if an attacker has the right context and craft.
Watch how Kevin Mitnick acquired the source code for one of Motorola’s phones:
5. Social engineering is not exclusively virtual, it also affects physical security.
It can be easy to get so wrapped up in the idea of cyber security that you forget threats can be physical too. Improperly disposed documents or devices can be stolen from trash bins, where bad actors glean important information. The friendly guy you just held the door open for, carrying the donut boxes, could be a hacker in disguise who sneakily plugs a USB Ninja Cable into a company computer and injects it with malicious software when no one is looking.
Make sure your physical security is just as airtight as your digital security by installing cameras, using robust entry-code systems, properly disposing of old devices, and educating your staff on the threat landscape at large.
Is Your Staff Trained to be Social Engineering-Proof?
How do you think your staff would react if they received a phishing email? How do your remote workers handle security?
Test your organization’s level of protection by conducting a social engineering strength test with Kevin Mitnick and his Global Ghost Team.
Our simulated attacks go beyond simple link baiting. We’ll identify your most guarded and sensitive information and devise various highly sophisticated methods to gain access. It’s our meticulous research and ability to get inside the head of a real cyber criminal that gives us our 100% success rate for breaking into systems.
Let us find your vulnerabilities and build better reinforcements, today.