What is a social engineering attack?

CyberSmart blog, published 10 November 2021 (updated 20 January 2022)
https://cybersmart.com/blog/what-is-a-social-engineering-attack/

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of a malicious tool like ransomware or malware.

However, cybercriminals don't always use the latest malware and cyberattacks don't have to be highly technologically advanced. There's a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself?

What is social engineering?

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime.

What does a social engineering attack look like?

Now we know what a social engineering attack is, let's look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under.

1. Phishing

You've almost certainly heard of phishing attacks. They're by far the most common form of social engineering, but that doesn't make them less dangerous.

Most phishing attacks seek to do three things:

A lot of phishing attacks are poorly executed and easy to ignore. We've all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It's believed the attack began with a simple email phishing scam that managed to extract an employee password.

So, even though they might be limited and often badly done, it's unwise to underestimate the humble phishing scam.

2. Piggybacking

Also known as 'tailgating', piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area.

Here's an example of how it might work:

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business's systems.

This might sound a bit 'low-budget spy thriller' but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of all the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack will create a fabricated, but completely reasonable, scenario to try and steal information from victims.

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack.

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants' staff.

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else.

4. Quid pro quo

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service.

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data.

What can you do to protect your business?

There's a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

Education, education, education

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use, such as impersonating a supplier, creating a sense of urgency, or offering bogus services.

As we've said before, where many social engineering attacks fail is attention to detail – there's usually something that isn't quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.

Create clear cybersecurity policies

If your people don't know which behaviours are harmful, they can't correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there's little point in an important policy document that spends its life languishing in a corner of the shared company drive.

For more on why cybersecurity policies are so important and how CyberSmart can help, read this.

Foster a positive cybersecurity culture

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes.

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them.

Check your cybersecurity measures

Alongside training your staff, it's also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.