
Social Engineering

Social engineering is the use of deception to manipulate people into sharing confidential or personal information, or into taking an action, that an attacker can then exploit for fraud or intrusion. This type of attack is common, and anyone can be a target. By one estimate, 98% of cyberattacks involve social engineering in some form,[1] and the average organization is targeted by over 700 social engineering attacks each year.[2]

Very few things that are put on the internet are private. 'The internet is forever': almost anything uploaded to a website or sent by email can be retrieved later unless it was properly encrypted or otherwise secured.

Social media is the number one way attackers gather information on you, your friends, family, and business. Seemingly harmless information, such as your education history, pet names, and favorite food, is often the answer to a security question, and attackers can use it to break into your accounts. They can also use that information to impersonate you in phishing attacks on others, or to tailor a social engineering attack against you.

This video demonstrates how cunning social engineers can be:


Recognizing A Social Engineering Attempt

Recognizing a social engineering attack can be tricky because attackers disguise themselves as people with knowledge or authority. A few common pretexts have been studied and documented: IT support, unscheduled inspections, urgent requests, and threats or intimidation.

IT Support

If IT calls you out of the blue, treat it as a possible social engineering attack. Tech support usually has more than enough work already; they don't go looking for problems to solve, the problems come to them. If you receive an unsolicited IT call, look the caller up in the company directory and ask them to stop by your desk. Alternatively, tell them you will call back, and then dial IT support at its published number rather than one the caller gives you.

Urgent Requests

Social engineers and scammers often create a 'sense of urgency' to push people into acting without thinking. Never make a quick decision or feel pressured to act before you have thought the situation through. If you are contacted, say that you will get back to them, then verify their story and check their credentials. Go directly to the real site and use the contact details published there, not the ones supplied in the message. Take your time: a reputable company will give you time to investigate and resolve a legitimate issue.

Unscheduled Inspections

Another social engineering guise is to pose as an inspector, auditor, or maintenance worker making an unannounced visit. Attackers carry clipboards and wear uniforms to bolster their credibility, with the goal of entering restricted areas to obtain information or install malware.

Check with management to validate the visitor's identity before letting them in, and don't be afraid to contact security.

Threats or Intimidation

‘Help me, or the boss is going to be mad.’

Attackers use fear to manipulate you. They may try to convince you that you will get in trouble if you don't hand over the information they are after.

Other forms of Social Engineering

  • Phishing: Phishing is a social engineering technique that aims to trick individuals into clicking a link, opening an attachment, or disclosing sensitive information such as personally identifiable information, banking and credit details, or passwords.
  • Vishing and Smishing: Forms of phishing that use phone calls (voice phishing) and text messages (SMS phishing) to trick you into disclosing personal information.
  • Baiting: A form of phishing in which the attacker promises something desirable, often in return for a small payment or a few personal details. The offer is usually too good to be true and is intended to harvest your financial and personal information.
  • Tailgating or piggybacking: These strategies are used to gain unauthorized access to restricted areas. Tailgating happens when the attacker follows closely behind an authorized person without that person noticing, and passes through a door or entrance without presenting credentials. Piggybacking is similar, except that someone knowingly holds the door for the attacker, believing they are a visitor or employee.
  • Quishing: This form of phishing uses QR codes (QR phishing) to deceive people into providing sensitive information or downloading harmful software onto their devices. Criminals place a fraudulent QR code in a common location such as a menu, billboard, poster, or advertisement. When scanned, the code directs the user to a malicious website designed to steal credentials or compromise accounts and devices.

Avoiding Social Engineering Attempts

To avoid opening avenues for social engineers to target you, make sure your privacy settings are turned on and review them frequently. Companies like Facebook periodically change their privacy policies and settings, and an update can add new options or change existing ones. Check your privacy settings regularly to ensure they are still where you want them. Make sure your information is hidden or visible only to your intended audience (preferably only your friends, not 'friends of friends').

In addition to reviewing your privacy settings, use a strong, unique password for every account, change it promptly if you suspect it has been exposed, and enable multi-factor authentication wherever it is available. Your social media password deserves the same care as the passwords for your personal or business accounts: just as with phishing in your email, attackers can steal your credentials and phish you through social media.

Trust your instincts

Always trust your instincts and be aware. If something doesn’t seem right, it probably isn’t. You are the best source of knowledge when it comes to what is and isn’t normal.

If you notice something out of the ordinary (an unexpected IT call, an unusual inspection, your web browser suddenly opening a new page), follow these guidelines:

  • Research and then respond – investigate the request before acting hastily. Common social engineering scams may be documented online, and you can find information regarding them.
  • Avoid links – if you are unsure of the sender, or aren’t expecting the email or message, go directly to the source to verify authenticity, rather than clicking a link.
  • Be cautious – attackers will often impersonate someone you know or use a compromised account to contact you. If a situation is unusual or out of the ordinary, it could be a social engineering attack. It is always best to be cautious in these situations.

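The 'avoid links' guideline above, and the phishing and quishing entries earlier, come down to one habit: look at where a link actually points, not at the text or image that carries it. The following Python is an added example written for this page, not code from the original article; it assumes you already know which domain you meant to visit (for instance, the bank you actually use) and works on the URL text alone, so it applies equally to a link in an email, a text message, or a URL decoded from a QR code. The hostnames used in the checks (bank.example, evil.example, paypa1.com) are constructed for the demo. It flags the tricks that make a malicious link look legitimate: a familiar name placed before an '@' so the browser ignores it, the expected name buried in a subdomain of some other domain, confusable-character lookalikes, punycode labels, bare IP addresses, and plain http.

```python
"""Inspect where a link really points before trusting it (constructed demo)."""
import ipaddress
from urllib.parse import urlsplit

# Character swaps attackers use to forge a familiar name; order matters ("rn" before "m").
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host name.

    Deliberately naive for the demo: multi-part public suffixes such as 'co.uk'
    are not handled. Production code should consult the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalike(name: str) -> str:
    """Fold common confusable substitutions so 'paypa1.com' compares equal to 'paypal.com'."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def inspect_link(url: str, expected_domain: str) -> dict:
    """Return the host a link really targets plus a list of reasons to distrust it.

    An empty 'findings' list means the URL is an HTTPS link whose registrable
    domain is the one you expected. Anything else is a reason to ignore the link
    and go to the site directly.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username is not None:
        # 'https://bank.example@evil.example/': the browser ignores everything before '@'
        findings.append("credentials before '@'; the real host is what follows the '@'")
    if not host:
        findings.append("no host name could be parsed")
        return {"host": host, "registrable_domain": "", "findings": findings}

    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (could be a homograph of a familiar name)")

    reg = registrable_domain(host)
    if reg != expected:
        if expected in host:
            # e.g. bank.example.com.evil.example: the familiar name is just a subdomain
            findings.append(f"expected name '{expected}' appears inside a subdomain of '{reg}'")
        elif normalize_lookalike(reg) == normalize_lookalike(expected):
            findings.append(f"'{reg}' is a lookalike of '{expected}'")
        else:
            findings.append(f"registrable domain is '{reg}', not '{expected}'")

    return {"host": host, "registrable_domain": reg, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links as they might arrive in an email, SMS, or QR code.
    samples = [
        "https://login.bank.example/account",
        "https://bank.example@evil.example/login",
        "http://bank.example.com.evil.example/",
        "https://paypa1.com/signin",
    ]
    for link in samples:
        expected = "paypal.com" if "paypa" in link else "bank.example"
        result = inspect_link(link, expected)
        verdict = "ok" if not result["findings"] else "SUSPICIOUS"
        print(f"{verdict:10} {link} -> host={result['host']} {result['findings']}")
```

The check is intentionally a heuristic: a clean result only means the link goes to the domain you expected over HTTPS, not that the page behind it is safe. When any finding is raised, the right response is the one the guideline gives, which is to open the site yourself from a bookmark or a typed address rather than from the link.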
Social engineering attacks are one of the most common and dangerous cyberattacks in today’s technological world. They can happen to anyone, at any time. It could be a personal attack directed at you as an individual, or an attack against your organization. Learning to recognize these attacks is key in protecting your information. Remember to be careful with your personal information when online and trust your instincts. You are the greatest defense against social engineering attacks.