In today’s digital age, it’s never been more important to know who you can trust online.
Social engineering attacks are a prominent problem online. In fact, 98% of cyber-scams are attributed to them (source).
When it comes to extracting sensitive data from a target, cyber criminals know to employ persuasive tricks and manipulative practices. These attack methods are known as social engineering. Criminals don’t always rely on complex systems or computer hacks; instead, they target individuals.
In this blog, we examine some of the most common social engineering techniques that threaten businesses in the UK. We’ll also provide handy tips on how you can protect yourself and your team against these common social engineering scams.
Social Engineering: A Definition
To put it simply, social engineering is a catch-all term. It refers to the techniques used to trick an individual into revealing confidential information. Cyber criminals then use this information for personal benefit.
Social engineering is generally used to acquire confidential, personally identifiable information. Social engineers play on the trust of their target to seek out passwords, bank details and PIN numbers, or to obtain control over a computer system.
It has become far easier to trick people into sharing a password than it is to hack a password (unless of course you have weak passwords and they haven’t been changed in a while).
Who can I trust online?
The key to remaining safe online, and not falling foul of social engineering tactics, is remaining vigilant. Just as in the ‘real’ world, you don’t always take someone at their word, as it can have a negative impact if they’re lying. The same goes for online interactions, but these can be harder to navigate, as we don’t have physical indicators to help us decide whether someone is legitimate or not.
Falling foul of a social engineering attack could cause the demise of many a small business, not to mention the reputational damage if it’s reported that your company has leaked confidential client information.
So, when it comes to social engineering scams, what should you look out for online?
Common types of social engineering
Phishing Emails / WhatsApp Messages / Social Posts
When a criminal gets access to an email account, they also get access to entire contact lists. This means they can send emails to hundreds, if not thousands, of the people and businesses that an individual has ever contacted. Recipients are likely to believe the email to be genuine, with legitimate content, because they’ll have previously interacted with the sender.
One simple email, WhatsApp message or social post could direct numerous individuals to an illegitimate link, or questionable download, that could give criminals access to other computers or email accounts, or that could infect other computer systems with ransomware or malware.
In addition, if the same password is used across multiple accounts, cyber criminals can also use email access to gain entry to social media profiles, bank accounts and more. They can also use their access to change passwords and lock people out of other accounts.
Within these social engineering emails/messages/posts, the recipients are likely to find:
- Downloads – pictures, music, films, documents, etc., with malicious software attached that allows the cybercriminal to gain control of your computer, along with your accounts and contacts.
- Links – similarly to downloads, these links may lead to malicious software that hands over control of your computer and provides vital information to the criminal.
- Phone numbers – it may look like a friend or employee has asked you to call them on a new number.
Remain safe from phishing scams:
- Make sure you have a unique, strong password for every email account you own. Employ MFA wherever possible.
- Remain vigilant to emails sent from old friends or contacts that you’ve not heard from in a while. Refrain from clicking questionable links or downloading files whose extension you don’t recognise.
- Learn more about email phishing tactics here.
Baiting
Baiting is like phishing, but it promises an item or goods to encourage its targets to fall for the scam. It can take place both on and offline.
Offline baiting involves a criminal leaving a piece of portable storage, such as a laptop or USB memory stick, unguarded in a location where a victim might be tempted into looking at what’s on it. When the target opens files on the media, it executes a malware program that releases a virus or exposes personal and financial information to the criminals. If the victim is connected to a network, the infection could also spread throughout all connected devices.
Online, baiters often offer free music or movie downloads if their victim shares personal information such as logins and passwords.
Examples of online baiting:
- “Congratulations, you have won a Makita Power Drill! Click this link to claim it”
- “Download this premium version of Adobe Photoshop software for just £14. Offer expires in 2 hours”
- “Your funds are waiting for you. Withdraw them today!”
The most effective way to protect yourself and your employees against baiting is education. Invest in Cyber Security Awareness Training to give your employees the theoretical knowledge and practical insight required to keep them safe.
Tailgating
Tailgating is a type of physical security breach whereby an authorised person allows an unauthorised person access to a restricted system or area of a network. The unauthorised person might then put your device(s) at risk and spread malicious code throughout the company.
This form of social engineering is particularly targeted at workplaces, especially busy premises with lots of employees moving in and out.
Examples of tailgating include:
- A regular employee opens a heavy door, while a social engineer grabs the door as it’s about to close, allowing them entry to the targeted physical location.
- Someone who claims they’ve forgotten their work ID, so you grant them entry.
- An attacker that borrows a laptop or smartphone, saying their battery is dead, and then installs harmful software, or copies the victim’s credentials.
Tailgating can also be known as “Piggybacking”. In this type of attack, the social engineers gain entry to an unauthorised location by acquiring access permissions from an authorised individual, who is aware of what they are doing.
When it comes to tailgating, it’s important for organisations to employ appropriate measures to ensure only authorised individuals gain access to physical buildings and online environments. Ensuring users have their own, secure logins and unique passwords to online systems and personal is the most effective way to protect your organisation.
Protect your organisation from social engineering.
The majority of successful socially engineered cyber-attacks are attributed to human error. Prevention and protection should come from the ground up. That’s why Cyber Security Awareness Training is crucial, to teach your team who they should, and shouldn’t trust.
If you’d like to discover how SupPortal can help you to protect your business and assets against social engineering, chat to us at 02380 982218.
If you want to read more about social engineering scams in the real world, read our previous blog.