What is social engineering?
Social engineering is a technique used by attackers to gain sensitive information by deceiving privileged users into revealing information that compromises data security. People often refer to social engineering as ‘people hacking’. Humans are trusting by nature, and attackers maliciously use this to their advantage. While traditional hacking aims to compromise the security settings of IT systems and applications, social engineering attacks attempt to exploit the users of these technologies.
Social Engineering Relies On:
- People's Willingness to Help Others
- Carelessness about Protecting Sensitive Information
Why Do Attackers Use Social Engineering?
Attackers use social engineering techniques because they are usually the cheapest and easiest way to obtain information. The defenses that we have set up to protect us from malware and viruses will not protect us from a social engineering attack. Skilled social engineers will often perform their attacks slowly over time so as not to raise suspicion.
Once they gather bits and pieces of information about the organization, they will be able to put the puzzle together and exploit the business. Attackers also use social engineering techniques because they are less complex than hacking technology controls such as firewalls and antivirus (AV). It is important to test your business against social engineering attacks to prevent any breaches. Companies such as GraVoc help test, train and prepare businesses for different types of social engineering attacks.
Different Types of Social Engineering:
There are many different social engineering techniques that hackers will use to trick their victims. Some of these techniques include phishing attacks, physical breach, pretext calling and pretext mailing. Social engineers can claim to be employees, vendors or support personnel to try and trick workers.
Sometimes social engineers even act as a confident manager or executive to try and gain sensitive information. Skilled social engineers are extremely good at adapting to their audience. Below are some of the different types of social engineering techniques that are used by attackers.
Phishing emails are usually the most successful form of social engineering. This is where hackers will send out fake emails to their victims in hopes of gaining sensitive information. Phishing emails can also contain malicious links that lead to malware infections.
A physical breach is where the attacker dresses up to fool an individual. Attackers can impersonate a cable provider such as Verizon or Comcast to try to trick the individual into giving them access to secure locations.
Pretext Calling is when an attacker makes up a scenario to obtain the information that they need. Pretext Calling often requires trust to be formed between the attacker and the victim.
Tips to Avoid Social Engineering Attacks:
One of the best tips for avoiding social engineering attacks is to stay alert and prepared. If you run a business, it is important to treat security awareness and training as an investment. Being prepared means that everyone follows safe security measures in the event of an attack. Creating a strong security policy is recommended to ensure the safety of your data.
Along with being prepared, below are a few simple tips to help keep you safe from social engineering attacks. If your business or organization is looking to simulate a targeted attack, check out our Social Engineering Testing Services!
- Be cautious when sharing personal information on social media platforms
- Never open an email that looks suspicious
- Never let a stranger connect to your wireless network
- Don’t give strangers personal information until you can fully trust them and verify where they are calling from
- Review security policies to stay up-to-date with the latest social engineering techniques
- Use a paper shredder to properly dispose of your printed material