What is Social Engineering?
Just as cybercriminals use malware to hack your computers, human hacking relies on social engineering. Social engineering is any manipulation technique that exploits human error to gain access to confidential information for use in a cyber attack. These attacks are among the most difficult to prevent and detect because they target people, not technology.
A successful social engineering attack takes hours of preparation and research. The attacker starts by investigating the victim’s background and potential points of entry. Then the attacker works to gain the victim’s trust and offers incentives for actions that break security practice, such as revealing sensitive information, granting access to essential business resources, or opening a wedge that exposes additional security holes.
Common Types of Social Engineering Attacks
Understanding that social engineering attacks are rooted in deception may help you spot them before you fall victim. The following are methods used by attackers to manipulate employees into disclosing sensitive information or performing actions to help in cyber attacks.
Phishing
Phishing is the most common form of social engineering attack. In a phishing attempt, cybercriminals send emails to obtain employee login credentials or other details for use in a broader cyberattack against your company or organization. Attackers using phishing tactics disguise themselves as:
- Someone from your organization
- A banking institution
- A government official
- A reputable vendor or brand
Phishing attacks often leverage topics such as current affairs, or use a sense of urgency, to increase the likelihood of a victim taking the bait. Some examples of phishing you might encounter are:
- Spear phishing
- Whaling
- Smishing
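The disguises and urgency lures described above leave traces that a mail gateway or SOC analyst can check for. The following added example (not part of the original article, and not any product's detection logic) scores a raw email on four constructed indicators: a display name that embeds an address from a different domain than the real sender, a sender domain that is a near-lookalike of the organization's own (ORG_DOMAIN is an assumed value), a Reply-To that silently redirects replies elsewhere, and urgency phrasing in the subject or body. The two sample messages are constructed, not real mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed values: the organization's own mail domain and urgency phrases.
ORG_DOMAIN = "example.com"
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account suspended", "action required")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return the indicators found in one RFC 5322 message (empty list = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{subject}\n{body}".lower()

    found = []
    # Display name carries an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@([\w-]+\.[\w.-]+)", display)
    if embedded and embedded.group(1).lower() != from_domain:
        found.append("display-name address does not match sender domain")
    # Lookalike of our own domain: not ours, but within two edits of it.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        found.append(f"lookalike sender domain {from_domain}")
    # Replies quietly redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender")
    # Pressure to act now.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message once it shows at least `threshold` independent indicators."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Jane Doe jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-relay.example.net
Subject: URGENT: vendor payment
Content-Type: text/plain

Please process the attached invoice immediately, I am in a meeting all day.
"""

BENIGN_SAMPLE = """\
From: HR Team <hr@example.com>
Subject: Cafeteria menu for next week
Content-Type: text/plain

The menu for next week is attached. Enjoy!
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(raw))
```

Each indicator on its own is weak (a legitimate newsletter may set a different Reply-To), which is why the score requires two or more before flagging; the thresholds and term list are starting points to tune against your own mail, not a finished filter.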
Pretexting
Pretexting occurs when an attacker attempts to persuade you to reveal private information or to grant access to your organization’s systems. It is almost identical to phishing in that it:
- Disguises itself as a trusted source
- Leverages spear phishing and smishing
- Is a common form of social engineering
The distinctive component that separates pretexting from regular phishing attacks is that the scammer comes up with a story, or pretext, to fool you. To take it a step further, threat actors routinely pose as legitimate people in the organization, such as the CEO, with an “urgent request.”
Scareware
The term “scareware” refers to scam tactics and fake software applications used by cybercriminals to incite panic and fear in users. This method of human hacking manipulates users into making split-second decisions such as:
- The purchase of worthless software
- Downloading various malicious software
- Visiting websites that attempt to auto-download and install malicious software onto the device in use
Often, scareware tactics come in the form of pop-ups with urgent must-take-action messaging about antivirus, computer repair, threat detection, or computer performance.
Cybercriminals who succeed with scareware tactics are able to:
- Take control of a user’s device
- Make changes to the device’s settings
- Spy on users
- Steal any data, files, or financial information
- Cause financial losses
Baiting
Baiting is a social engineering method that can be physical as well as digital. However, unlike scareware, which builds anxiety and fear to manipulate the user, baiting falsely promises to reward the user by playing on their greed or curiosity. Examples of baiting include:
- A downloadable email attachment with malware embedded.
- A physical example: the attacker leaves a USB drive at the target company with a label that appeals to employees, such as “2023 Promotions.” This tempts employees to pick it up and plug it in, giving the social engineer an entry point into your network.
Physical Social Engineering
In working toward a stronger security posture, it is easy to forget that cybersecurity has a physical aspect. Physical social engineering attacks include:
- Shoulder surfing: the threat actor gathers information just by looking over your shoulder.
- Tailgating: the threat actor follows you through a door fitted with access control, relying on another person to hold the door open.
Once inside, they have free rein to access devices containing important information.
How Can You Protect Yourself from Social Engineering?
When protecting yourself from social engineering, it would be reckless to depend on human intuition alone. So, while it is important to invest in proper employee cybersecurity training, we most strongly recommend strengthening your security posture with a Zero Trust approach. With Allowlisting, you control which software, scripts, executables, and libraries can run on your endpoints and servers; anything not explicitly permitted, including rogue and malicious applications, is blocked from running on your network. Combining Allowlisting with Ringfencing goes a step further: beyond permitting which software can run, it manages how applications may interact with your network and with other applications after they are executed. Together these controls prohibit untrusted applications from running, regardless of how the malware is delivered.
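To show how the two controls in the paragraph above fit together, here is an added example (written for this page; it is not ThreatLocker's policy format, engine, or any real product's API). Allowlisting is modelled as a lookup of the executable's SHA-256 digest, so a file renamed to look like a trusted program is still denied; Ringfencing is modelled as a per-application table of what an already-allowed program may do (network, child processes, file paths), with anything unlisted denied by default. The trusted file contents, fence rules and the event sequence, which replays the USB bait from the Baiting section and an abused trusted script, are all constructed for illustration.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed "known-good" file contents standing in for real binaries.
# A real deployment hashes the actual files it trusts.
TRUSTED_FILES: Dict[str, bytes] = {
    "notepad.exe": b"constructed: trusted editor binary",
    "backup.ps1": b"Copy-Item -Recurse C:\\data D:\\backup",
}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Allowlist keyed by digest, not by file name, so renaming malware to
# "notepad.exe" does not help the attacker.
ALLOWLIST: Dict[str, str] = {sha256_hex(data): name for name, data in TRUSTED_FILES.items()}

# Ringfence rules (hypothetical format): per trusted application, what it may
# do once running. Anything not listed is denied by default.
RINGFENCE: Dict[str, Dict[str, Set[str]]] = {
    "notepad.exe": {"network": set(), "spawn": set(), "files": {"C:\\Users"}},
    "backup.ps1": {"network": set(), "spawn": set(), "files": {"C:\\data", "D:\\backup"}},
}


def check_execution(path: str, content: bytes) -> Tuple[bool, str]:
    """Allowlisting: permit execution only if the file's hash is trusted."""
    digest = sha256_hex(content)
    app = ALLOWLIST.get(digest)
    if app is None:
        return False, f"deny execute {path}: hash {digest[:12]}... not on allowlist"
    return True, f"allow execute {path} as {app}"


def check_action(app: str, action: str, target: str) -> Tuple[bool, str]:
    """Ringfencing: an allowed app may only perform actions its fence permits."""
    rules = RINGFENCE.get(app)
    if rules is None or action not in rules:
        return False, f"deny {action} {target} by {app}: no fence rule"
    permitted = rules[action]
    if action == "files":
        ok = any(target.startswith(prefix) for prefix in permitted)
    else:
        ok = target in permitted
    verdict = "allow" if ok else "deny"
    return ok, f"{verdict} {action} {target} by {app}"


def evaluate(events: List[dict]) -> List[Tuple[bool, str]]:
    """Run a sequence of endpoint events through both controls in order."""
    decisions = []
    for ev in events:
        if ev["kind"] == "execute":
            decisions.append(check_execution(ev["path"], ev["content"]))
        else:
            decisions.append(check_action(ev["app"], ev["kind"], ev["target"]))
    return decisions


# Constructed scenario: the USB bait, a trusted editor, a trusted script that
# something tries to abuse, and malware renamed to a trusted file name.
SAMPLE_EVENTS = [
    {"kind": "execute", "path": "E:\\2023 Promotions.exe", "content": b"constructed: dropper"},
    {"kind": "execute", "path": "C:\\Windows\\notepad.exe", "content": TRUSTED_FILES["notepad.exe"]},
    {"kind": "network", "app": "notepad.exe", "target": "203.0.113.7:443"},
    {"kind": "spawn", "app": "backup.ps1", "target": "cmd.exe"},
    {"kind": "files", "app": "backup.ps1", "target": "D:\\backup\\2024-01.zip"},
    {"kind": "execute", "path": "C:\\Temp\\notepad.exe", "content": b"constructed: renamed malware"},
]

if __name__ == "__main__":
    for allowed, reason in evaluate(SAMPLE_EVENTS):
        print(reason)
```

The point of the model is the order of the two checks: the bait executable never runs because its hash is unknown, and the trusted script that does run still cannot spawn a shell or reach the network because its fence never granted that, so a delivery method that gets past the user does not by itself get past the policy.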