What is social engineering?
As technological defences become more robust, cyber criminals are increasingly using social engineering techniques to exploit the weakest link in the security chain: people.
Social engineers use a variety of means – both online and offline – to con unsuspecting users into compromising their security, transferring money or giving away sensitive information.
According to Proofpoint's 2019 report The Human Factor, more than 99% of the attacks it observed required human interaction to succeed: the victim had to open a file, follow a link or otherwise act on the attacker's lure before any malware could run.
This page outlines the different types of social engineering threats targeting your organisation and explains how to defend against them.
The most common form of social engineering attack is phishing.
Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites.
Types of phishing attack include:
Angler phishing
Phishing attacks carried out via spoof customer service accounts on social media, which reply to customers' complaints with links to credential-harvesting pages.
BEC (business email compromise)
Emails purporting to be from senior members of staff, typically asking for an urgent payment or a change to a supplier's bank details.
Pharming
Redirecting web traffic from legitimate sites to malicious clones, for example by poisoning DNS responses so that the correct address resolves to the attacker's server.
Spear phishing
Phishing attacks targeting specific organisations or individuals, using details gathered about the target to make the lure convincing.
Other types of social engineering
Phishing is not the only tactic to watch out for, however. Other social engineering tactics include:
Baiting
Enticing victims into compromising their own security, for example by offering free giveaways or by leaving infected USB devices where they will be found and plugged in.
Diversion theft
Offline, diversion thefts involve intercepting deliveries by persuading couriers to go to the wrong location. Online, they involve stealing confidential information by persuading victims to send it to the wrong recipient.
Honey trap
Attackers pretend to be romantically or sexually interested in the victim to persuade them to yield sensitive information or money.
Smishing
Text messages that purport to be from legitimate entities. They are often combined with other techniques to bypass 2FA (two-factor authentication): having already phished the victim's password, the attacker texts them asking for the one-time code. They might also direct victims to malicious websites on their phones.
Pretexting
An early stage of more complex social engineering attacks, in which the con artist gains a victim's trust, typically by creating a backstory (the 'pretext') that makes them sound trustworthy.
Quid pro quo
Quid pro quo attacks rely on people’s sense of reciprocity, with attackers offering something in exchange for information. (In Latin, ‘quid pro quo’ means ‘something for something’.)
Scareware
Deceptive alerts, usually pop-ups warning that your security software is out of date or that malicious content has been detected on your machine, that frighten victims into visiting malicious websites, installing bogus 'clean-up' tools or buying worthless products.
Tailgating
A physical security attack, also called piggybacking, in which an attacker follows someone into a secure or restricted area, for instance while claiming to have mislaid their pass.
Vishing
A form of targeted social engineering attack that uses the phone. A common form is a recorded message telling recipients their bank accounts have been compromised; victims are then prompted to enter their card or account details via the phone's keypad, handing the attacker what they need to access the accounts.
Watering hole attacks
Watering hole attacks work by compromising websites that a target group is known to frequent, so that the malware reaches the intended victims without any direct contact. The 2017 NotPetya outbreak, believed to be a politically motivated attack against Ukraine, is often cited as an example: its main distribution channel was a trojanised update of the Ukrainian M.E.Doc accounting software, but a compromised Ukrainian city government website was also reported to have served the malware to visitors, after which it spread laterally through infected networks.
419/Nigerian prince/advance fee scams
These cons involve scammers asking victims to supply their bank details or a fee to help them transfer money out of their country. They originated in Nigeria and the number 419 refers to the section of Nigeria’s Criminal Code that bans the practice.
How to defend against social engineering attacks
Mitigating the threat of social engineering is a critical component of all cyber security programmes.
It requires a multi-layered approach that combines staff training with technological defences, so that your employees can recognise and report social engineering attacks, and any successful attacks do as little damage as possible.
There are four essentials that your social engineering defences should cover:
1. A positive security culture
If you or your staff fall victim to a social engineering attack, your security team will need to act quickly to contain it. Your corporate culture must therefore encourage victims to report incidents as soon as possible.
The last thing you want is a malware infection that dwells on your system for months because the person who inadvertently caused it kept quiet for fear of getting into trouble.
2. Train your staff to recognise the psychological triggers and other giveaways
Social engineering attacks are not always easy to detect, so it is important to understand the tactics they use, such as:
- Masquerading as trusted entities, like familiar brands or people;
- Creating a false sense of urgency to confuse victims, often by provoking them into a state of fear or excitement so they act quickly without thinking properly; and
- Taking advantage of people’s natural curiosity, sense of indebtedness or conditioned responses to authority.
You should train your staff to:
- Be suspicious of unsolicited communications and unknown people;
- Check whether emails genuinely come from their stated sender (look at the actual address, not just the display name, and watch for giveaways such as spelling errors and poor grammar);
- Avoid opening unexpected email attachments, and never enable macros or editing for a document they did not ask for;
- Think before providing sensitive information, and verify unusual requests through a separate, known channel such as a phone number already on file;
- Check that a website really is the one it claims to be before submitting information, even if it looks legitimate (a padlock only means the connection is encrypted, not that the site is genuine); and
- Pay attention to URLs and watch for 'typosquatting' (sites that look genuine but whose web addresses are subtly different from the legitimate site they imitate, such as a swapped, doubled or look-alike character).
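The email checks above can be turned into a repeatable triage routine. The following is an added example written for this page, not code from the original article or from IT Governance: it parses a constructed sample message (a made-up CEO-fraud lure, not a real phishing email), compares the display name and From domain with the Reply-To and Return-Path, reads the DMARC verdict from the Authentication-Results header, looks for urgency and authority cues, and flags look-alike ('typosquatted') domains in both headers and links. The allowlist TRUSTED_DOMAINS, the homoglyph table and the naive registrable-domain rule are assumptions for illustration; production code should use the Public Suffix List.

```python
"""Triage a suspicious email against the staff-awareness checks on this page.

Added example: the sample messages below are constructed, TRUSTED_DOMAINS is a
hypothetical allowlist, and registrable() is a deliberately naive stand-in for
the Public Suffix List.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # hypothetical: the organisation's own domains

# Digits attackers swap in for letters; 'rn'->'m' and 'vv'->'w' handled in normalise().
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|asap|today|right away)\b|\bbefore \d", re.I)
AUTHORITY = re.compile(r"\b(?:director|ceo|cfo|coo|chief|manager|head of)\b", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed lure: trusted From, failed DMARC, look-alike Reply-To/Return-Path and link.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=example.com
From: "Jane Smith (Finance Director)" <jane.smith@example.com>
Reply-To: <jane.smith.fd@examp1e.com>
To: accounts@example.com
Subject: URGENT - wire transfer needed before 5pm
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today. Confirm here: https://example.com.secure-login.examp1e.com/verify
Jane
"""

# Constructed benign message from the same sender for comparison.
BENIGN_EMAIL = b"""\
Return-Path: <jane.smith@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
From: Jane Smith <jane.smith@example.com>
To: accounts@example.com
Subject: Minutes from the monthly finance review
Content-Type: text/plain; charset=utf-8

Minutes are on the intranet: https://intranet.example.com/finance/minutes
"""


def normalise(domain: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Naive eTLD+1: last two labels, or three for co.uk-style suffixes (assumption, not the PSL)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov", "com"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the registrable domain imitates a trusted one without being it."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return False  # a genuine subdomain of our own domain
    for trusted in TRUSTED_DOMAINS:
        if normalise(reg) == trusted or edit_distance(reg, trusted) <= 1:
            return True
        if domain.lower().startswith(trusted + ".") or ("." + trusted + ".") in domain.lower():
            return True  # trusted name buried as a subdomain of somebody else's domain
    return False


def triage(raw: bytes) -> list:
    """Return a list of finding codes for one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    results = dict(AUTH_RESULT.findall(str(msg.get("Authentication-Results", ""))))
    if from_dom in TRUSTED_DOMAINS and results.get("dmarc") != "pass":
        findings.append(f"dmarc-not-pass:{from_dom}")  # our domain in From, but the mail did not come from us
    for header in ("Reply-To", "Return-Path"):
        dom = parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()
        if dom and dom != from_dom:
            findings.append(f"{header.lower()}-domain-differs:{dom}")
        if dom and is_lookalike(dom):
            findings.append(f"lookalike-domain:{header.lower()}:{dom}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for link in URL.findall(body):
        host = urlparse(link).hostname or ""
        if is_lookalike(host):
            findings.append(f"lookalike-url-host:{host}")
    if URGENCY.search(str(msg.get("Subject", "")) + " " + body):
        findings.append("urgency-language")
    if AUTHORITY.search(display):
        findings.append("display-name-claims-authority")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

The DMARC check is the decisive one: a message whose From header carries your own domain but whose Authentication-Results say dmarc=fail did not come from your mail system, whatever the display name says. The look-alike checks catch the two tricks that fool the human eye, digit-for-letter substitution and a trusted name used as a subdomain of an unrelated domain; the urgency and authority cues are only supporting signals and should raise the priority of a report rather than decide it.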
Find out more about our cyber security staff awareness solutions >>
3. Test the effectiveness of the training
Training your staff should not be a one-off event. You should regularly test the effectiveness of the training and repeat it as necessary.
For example, a simulated phishing attack – in which your staff are targeted by controlled phishing attempts – will show you how susceptible they are and how much your organisation is therefore at risk. With this information, you can retrain those who need it most, reducing your exposure.
Learn more about implementing an effective staff awareness programme >>
4. Implement technological cyber security measures
As well as training and testing your staff, you should, of course, implement technological cyber security measures – including firewalls, antivirus and anti-malware, patch management and penetration testing, and access management policies.
This will help limit the number of attacks reaching your staff and minimise the damage from any successful attacks.
Learn more about cyber security >>
We can help you mitigate the risk of social engineering
IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and social engineering solutions: