There are so many cyber-attack methods to be aware of now including cracking passwords, hacking computers and exploiting software. However, when businesses are trying to increase their security, social engineering attacks are often not given enough attention.
Social engineering is the art of manipulating people, rather than traditional hacking techniques, to gain access to data or systems. Typically, these attacks are more effective as it is easier to find vulnerabilities in people than it is in software and networks. Firstly, the cybercriminal will perform research on the targeted businesses or employees. They are then able to formulate an effective attack by deceiving the victim to gain malicious access to their system.
Common Social Engineering Attacks
Phishing is a type of online scam where criminals impersonate legitimate organisations via email, text message, or other means to steal sensitive information. For instance, you might receive an email from what appears to be your bank. They claim that your account’s been compromised, so you need to change your password. This seems legitimate so you click on the link to reset your password and create a new one. However, the link actually leads to a fake website the cybercriminals created. So, when you enter your existing credentials, the information you provide goes straight to the crooks behind the scam. This same template can apply with any system which requires users to log in with their personal credentials.
Baiting is the process of tempting a victim into a trap that compromises a network or a user’s personal data. The trap may promise a digital good to entice the victim, however it is more common to use a physical item such as a USB stick. This will usually be labelled as ‘confidential’ or ‘private’ to pique the interest of a potential victim. After the USB has been connected to a computer it will run malicious code and allow the hacker to remote access.
A method of social engineering whereby the scammer attempts to convince the victim to share valuable information to gain access to a network or system. Usually, the attacker will identify as a C-level executive and ask for login details as they have forgotten theirs.
A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. This is also a method of supply chain compromise as it uses the prior research to compromise a third party to breach the actual target.
How to protect against social engineering attacks
Social engineering attacks rely on human interaction. The best practice of preventing them is through educating employees and building a strong security culture. For phishing, baiting and pretexting, employees should have a level of awareness in how to mitigate the risk of an attack. Additionally, they should have a level of understanding to notice and report an attempted attack before it is too late.
It can be difficult protecting yourself against watering hole attacks as it is a third-party website that is infected. That being said, if a business keeps their software and operating systems up to date with regular patches, it greatly decreases the chance of the malware compromising a system. Similarly, Mimecast uses AI to run internal phishing tests ensuring employees notice phishing attempts, further strengthening an organisations security culture.
Get in touch today to find out more!