Social engineering is the act of manipulating people into performing an action or divulging confidential information. The attack can be carried out in person, over the phone, by email, through social media, or through any other channel that lets the attacker talk to the target. Because it is hard to verify who you are really dealing with and where they are, the attack usually arrives without warning, and the target often does not realise it has happened. Once an attacker holds your data, they can use it for personal gain or seriously damage your business by leaking information you would never want made public. In this article, we explain how social engineering works and how it affects us every day.
Social engineering attacks unfold in one or more steps. The perpetrator first gathers background information about the victim, such as likely points of entry and weak security procedures, that will help the attack succeed. They then work to gain the victim's trust and supply a pretext that prompts the victim to break security practice, for example by revealing sensitive information or granting access to critical resources.
There are a few different types of attacks that social engineers use to perpetrate their schemes.
Phishing scams are emails and text messages that try to get you to reveal personal information, click on a link, or open an attachment. A typical example is an email from a fake company demanding that you change your password immediately because of a supposed policy violation. It includes a link that looks nearly identical to the real one but leads to an attacker-controlled copy of the login page, which records the username and password you type in; the attacker then uses those credentials on the genuine site.
In contrast to generic phishing, a spear-phishing attack is far more targeted. It is harder to detect and, when done skilfully, has a much better success rate. Spear phishing requires the perpetrator to spend more time on research and planning so that the message fits the specific victim, who is then deceived into changing a password or clicking a malicious link that captures information such as login credentials.
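The lookalike link described above (display text or a familiar brand name that does not match the real destination) is something you can check mechanically. The following is an added example, not code from the original article: it parses the anchors out of a constructed HTML email, compares the domain shown to the user with the domain the link actually points to, and flags the common tricks (trusted name buried in a subdomain, punycode hostnames, plain HTTP). The allow-list `LEGIT_DOMAINS`, the sample email and the two-label approximation of a registrable domain are all assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (not a real message). The first link shows the
# real site as its text but points elsewhere; the second uses a punycode host.
SAMPLE_EMAIL_HTML = """
<p>Your account has been flagged for a policy violation.
Please reset it at <a href="https://examplebank.com.account-verify.net/reset">
https://examplebank.com/reset</a> within 24 hours, or
<a href="http://xn--exmplebank-2xb.com/login">log in here</a>.</p>
<p>Questions? Visit <a href="https://examplebank.com/help">our help page</a>.</p>
"""

# Assumed allow-list of domains the organisation actually uses.
LEGIT_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.

    This is a deliberate simplification for the example; production code
    should consult the Public Suffix List so that 'example.co.uk' works.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return the list of reasons this link looks suspicious (empty = clean)."""
    reasons = []
    href_host = host_of(href)
    href_reg = registered_domain(href_host)

    # 1. The visible text is itself a URL whose domain differs from the target.
    if re.match(r"^https?://", text):
        text_reg = registered_domain(host_of(text))
        if text_reg != href_reg:
            reasons.append(f"display URL domain {text_reg} != target domain {href_reg}")

    # 2. A trusted name appears inside the hostname but the registrable domain
    #    is something else, e.g. examplebank.com.account-verify.net.
    for legit in LEGIT_DOMAINS:
        if legit in href_host and href_reg != legit:
            reasons.append(f"trusted name {legit} embedded under {href_reg}")

    # 3. Punycode labels (xn--) can hide homoglyph lookalikes of a brand.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append("punycode (xn--) label, possible homoglyph domain")

    # 4. A credential page served over plain HTTP is never legitimate today.
    if urlsplit(href).scheme == "http":
        reasons.append("unencrypted http link")

    return reasons


def scan_email(html):
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", findings or "ok")
```

Run against the sample, the reset link is flagged twice (display/target mismatch and brand name in a subdomain), the punycode link twice (punycode and plain HTTP), and the genuine help link is clean. The same logic belongs in a mail gateway or a user-facing "hover before you click" tool; the point is that the human eye compares strings poorly, while a parser compares registrable domains exactly.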
Baiting schemes use a false promise to hook the user: the lure is something the victim wants, and the payoff for the attacker is either the victim's personal information or malware running on their system. The most common form, physical media distribution, delivers malware when the user plugs an infected flash drive into a workstation or home machine. It works because the bait looks authentic and attractive and is left where the victim expects to find something valuable, labelled, say, as a payroll list rather than as anything harmful.
Scareware bombards users with false alarms and fictitious threats, such as a claimed malware infection on their computer, to pressure them into installing software that either does nothing useful (except for the perpetrator) or is itself malware. Scareware is also referred to as deception software, rogue scanner software, and fraudware.
Social engineering is difficult to detect and prevent because it happens in the moment. When you interact with someone face to face, a degree of trust naturally accompanies the interaction, and attackers exploit exactly that. In-person manipulation is one of the more common methods of social engineering, but it is far from the only one.
As an example, suppose you are interviewing for a sales position. The interviewer asks whether your social media accounts are public or private. If they are public, the interviewer can mine them to learn where you went to school and which social groups you belong to, and tailor their questions accordingly. Knowing this about you before the conversation makes it easy to display empathy while explaining why you would be perfect for the company. With this type of manipulation there is no warning; the damage is done before you notice anything.
As mentioned, social engineering is hard to detect and even harder to prevent. However, there are steps that you can take to reduce the risk of a social engineering attack.
- Create a strong password policy that requires a unique password for every account and every user. A credential captured by phishing on one site then cannot be replayed against your other accounts, and one user's stolen password does not open anyone else's.
- Set up two-factor authentication on your accounts, so that a login from a new device requires a second proof, such as a code sent by SMS to your phone, in addition to the password. A stolen password alone is then not enough to log in. Bear in mind that an SMS code is the weakest form of second factor: a phishing page can ask you for the code and relay it to the real site in real time, and a SIM-swap attack can divert the message to the attacker. An authenticator app is better, and a hardware security key (FIDO2/WebAuthn) is better still, because it only answers for the genuine site's origin and so cannot be phished.
- Enable login and security notifications on your devices and accounts, so that a sign-in from a new device, a password change, or a two-factor prompt you did not initiate is reported to you immediately and you can act on it.