Who presents the most dangerous threat inside your business? Most organisations would be surprised to know that overly helpful employees can be far more dangerous than the stereotypical “disgruntled employee”.
Social engineering is a type of insider threat. Insider threats are typically associated with the disgruntled employee who uses legitimate access to internal systems to steal, delete or manipulate information assets, or to disrupt operational systems.
By comparison, a social engineering attack is carried out by an external assailant who deliberately manipulates an employee’s good intention (i.e. their willingness to assist) or their general curiosity, such as enticing them to click on a link in an email to a malicious website. While social engineering and the disgruntled employee are both insider threats, defending against these respective attacks requires very different approaches.
What are the different types of social engineering attacks?
Phishing
This is the most common type of social engineering and is typically delivered in the form of an email, chat, web ad or website that has been created to impersonate a real organisation, e.g. a bank, the government or a major corporation. Some phishing messages ask the user to verify their login details on a mocked-up login page, complete with logos and branding, so that it looks legitimate.
Baiting
Baiting involves offering something enticing to a user in exchange for login details or sensitive information. The bait could be a music or movie download or a corporate-branded flash drive. Once the bait is downloaded or used, malware is placed on the user’s system.
Quid Pro Quo
Similar to baiting, quid pro quo is the request for login details or sensitive data in exchange for a service e.g. a hacker, posing as a technology expert, may call a user and offer free IT assistance or technology improvements in exchange for login details.
Pretexting
Pretexting is the human equivalent of phishing. The hacker creates a false sense of trust with the user by impersonating a co-worker or authority figure to gain access to login details. For example, an employee may receive an email from what appears to be IT support, or a chat message from an investigator who claims to be performing a corporate audit.
Piggybacking
Also known as ‘tailgating’, piggybacking is where an unauthorised person physically follows an authorised person into a restricted area or system. Examples include a hacker calling out to an employee to hold the door open because they “forgot” their access card, or asking an employee if they can quickly borrow their laptop or phone.
Ways to protect yourself
Don’t open emails and attachments from suspicious sources
If you don’t know the sender in question, you don’t need to answer the email. Even if you do know them but are suspicious about their message, cross-check and confirm the news from another source, such as by telephone or directly from the service provider’s site. Remember that email addresses are spoofed all the time: even an email purportedly coming from a trusted source may actually have been initiated by an attacker.
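The checks a mail gateway or an analyst runs before trusting a sender can be automated. The following is an added example (not code from the original article) that triages the headers of a raw message for the three spoofing indicators discussed above: the visible From domain disagreeing with the envelope (Return-Path) domain, SPF/DKIM not passing according to the receiving server’s Authentication-Results header, and a From domain that merely resembles a trusted one (digits swapped for letters, one character changed). The trusted-domain list, the confusable-character map and both sample messages are constructed for the example.

```python
"""Triage of sender headers for spoofing indicators (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed list of domains this organisation trusts.
TRUSTED_DOMAINS = {"examplebank.com", "corp.example"}


def normalise(domain: str) -> str:
    """Fold common lookalike substitutions back to the letters they imitate."""
    d = domain.lower().translate(str.maketrans("0135", "oles"))
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[method] = verdict.lower()
    return results


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    n = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if n == normalise(trusted) or levenshtein(n, trusted) <= 1:
            return trusted
    return None


def triage(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope domain {envelope_dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} resembles trusted domain {target}")
    return findings


# Constructed sample: a credential-phishing message sent from a bulk mailer.
SPOOFED = """\
Return-Path: <bounce@mailer-7.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer-7.example.net; dkim=none
From: "ExampleBank Security" <alerts@examp1ebank.com>
To: employee@corp.example
Subject: Verify your login details

Please confirm your credentials at the link below.
"""

# Constructed sample: a genuine notification with aligned, authenticated headers.
LEGIT = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
From: "ExampleBank" <alerts@examplebank.com>
To: employee@corp.example
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, triage(raw) or ["no indicators"])
```

Three indicators fire on the spoofed sample and none on the genuine one. The point of returning findings rather than a single verdict is that a pass on SPF alone (as here, for the bulk mailer’s own domain) says nothing about the displayed sender; the From/envelope mismatch and the lookalike domain are what an analyst would act on.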
Use a professional spam filter solution
Use multifactor authentication
One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps protect your account even if a password has been stolen or a system has been compromised.
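To make concrete why a stolen password on its own is not enough once a second factor is in place, here is an added example (not code from the original article) of a time-based one-time password (TOTP, RFC 6238) check sitting behind a password check. The password hash, the account store and the user are constructed; the shared secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors. The verifier accepts a code from the previous, current or next 30-second step, refuses to reveal which factor failed, and remembers the last accepted step so that a code captured by phishing cannot be replayed.

```python
"""Password + TOTP login with replay protection (added example)."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000
ACCOUNTS = {}  # constructed in-memory store: username -> account record


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def enrol(username: str, password: str, totp_secret: bytes) -> None:
    """Store a salted password hash and the second-factor secret for a user."""
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_step": -1,  # highest time step for which a code has been accepted
    }


def check_password(acct: dict, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, acct["pw_hash"])


def verify_totp(acct: dict, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code from steps [current-window, current+window], never one already used."""
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= acct["last_step"]:
            continue  # replay protection: a step is spent once its code is accepted
        if hmac.compare_digest(hotp(acct["totp_secret"], candidate), code):
            acct["last_step"] = candidate
            return True
    return False


def login(username: str, password: str, code: str, now: int) -> str:
    """Return 'ok' only when both factors verify; otherwise a uniform 'denied'."""
    acct = ACCOUNTS.get(username)
    if acct is None or not check_password(acct, password):
        return "denied"  # same answer for every failure, so nothing is leaked
    if not verify_totp(acct, code, now):
        return "denied"
    return "ok"


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); user and password are constructed.
    enrol("alice", "correct horse", b"12345678901234567890")
    print(login("alice", "correct horse", "000000", 59))   # password alone: denied
    print(login("alice", "correct horse", totp(b"12345678901234567890", 59), 59))  # ok
    print(login("alice", "correct horse", "287082", 59))   # same code again: denied
```

With the RFC secret, `totp(secret, 59)` is 287082 and `totp(secret, 75)` is 359152, so the replay line is refused even though the code is still inside the time window: the accepted step has been marked as spent. A real deployment would also rate-limit attempts and keep the secret in a hardware token or authenticator app rather than alongside the password store.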
Be wary of tempting offers
If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
Secure your devices
There are a number of factors here, but essentially they include having a standard workstation build, making use of antivirus and firewall products, and deploying patch management to keep all systems up to date.
Contact us to find out more about what your organisation can do to prevent against social engineering attacks – 0333 050 8120 or he