Working within the technology industry means we’re reminded every day just how important it is to remain vigilant to threats like social engineering. So, we’ve put together a list of social engineering methods and tips on how to prevent these attacks to help you think before you click.
What is social engineering?
Social engineering is the term used for a broad range of attacks that all aim to access sensitive information by psychologically manipulating people into disclosing confidential information or making security mistakes.
It has become an extremely popular cyber attack method because social engineering is the easiest approach for attackers to use and the set-up cost is low. It also requires little technical skill, as free toolkits are available that generate the materials attackers need to carry out malicious activity.
Many researchers have stated that humans are the weakest link in the security chain – it’s much simpler to manipulate a person into granting access to systems and information than it is to bypass firewalls or other security defences.
We’re only human: we get tired, lose concentration, become rushed and make mistakes. All of these make it easier for a social engineer to trick or scam a person. Social engineers are very good at exploiting psychology and the way humans behave and interact with one another to meet their goals. These psychological manipulations include building trust, creating a false sense of urgency and exploiting obedience to authority.
What are the social engineering attack techniques?
There are many social engineering attack techniques out there, but here’s a summary of common social engineering examples:
Phishing is when an attacker attempts to trick someone into visiting or downloading malicious content or providing credentials and other sensitive information.
There are variants of phishing, each with similar names, but the term phishing is mostly used to describe attacks conducted through email. In this type of attack, emails are sent in bulk to businesses of all sizes in the hope that as many people as possible open them. Phishing attacks are one of the biggest cyber security threats to organisations.
Spear phishing is a phishing email targeted at a specific individual or department within an organisation and made to appear to come from a trusted source. An attacker will identify what data they want to access and which employees could have access to it. They then tailor a spear phishing email to the victim, often using information from public platforms such as LinkedIn to do so.
Whaling is another common variation of phishing that specifically targets top-level business executives and heads of government agencies. Whaling attacks usually spoof the email addresses of other high-ranking people in the company or agency and contain urgent messaging about a fake emergency or time-sensitive opportunity. Successful whaling attacks can expose a lot of confidential, sensitive information due to the high-level network access these executives and directors have.
Vishing refers to a phishing attack carried out over voice calls. In this attack vector, an attacker uses phone numbers obtained through reconnaissance, data leaks and earlier social engineering attacks, and calls the victim pretending to be from a legitimate organisation. Attackers target sensitive information that can lead to a data, network or financial breach.
As the name suggests, baiting lures victims by piquing their curiosity or greed. The most common form of baiting uses physical media such as USB drives, flash drives and CDs that have been rigged with malware. These are left in conspicuous areas and are often labelled ‘confidential’ to make them more tempting for victims to pick up.
Victims then take the bait and insert the media into their personal or work computers, resulting in malware being installed on their systems. Baiting can also take the form of enticing adverts or online forms that encourage you to click links or download infected applications.
Smishing is a form of phishing attack that uses text messages (SMS) containing malicious links to fake websites, sent to appear as though they come from a legitimate source.
Quishing is another variant of phishing, using QR codes to lure victims into revealing sensitive information. Scanning these QR codes can also download malware to the victim’s device.
Tailgating is a simple, non-technical social engineering tactic whereby an attacker will try to gain unauthorised access to a building or area by following someone through a door which that person has just opened.
Dumpster diving is when attackers retrieve information from waste or refuse areas to obtain confidential documents, stored passwords and other sensitive information. Even if files have been deleted, attackers can still retrieve information from discarded devices using specialist software.
Social engineering facts and figures
The Cyber Security Breaches Survey 2023 found that 32% of UK businesses reported one or more cyber attacks within the past year, with large businesses and high-income charities experiencing the most attempts.
UK government guidance advises various cyber hygiene practices, such as cloud back-ups, malware protection, firewalls, and restricted admin rights, to protect businesses from cyber threats. Over the past three years, cyber hygiene has been declining across the UK:
Impact of social engineering
The impact of a social engineering attack can be huge. On a personal level, you could have your most private pictures and messages stolen and leaked online, or your credit/debit card details sold on the dark web, leaving you financially affected. From a business perspective, you may be held accountable for any actions you were manipulated into taking that led to a data breach or unauthorised access to systems or assets.
A social engineering attack can cause reputational damage to a business, which can lead to a loss of business and profits. Furthermore, businesses can be fined extraordinary amounts of money, which may lead to redundancies or closure in the future.
How to prevent social engineering
Think before you click – social engineering tactics create a sense of urgency to increase the likelihood of you falling for their tricks. Take your time, break the loop, and follow the tips below before you act.
Check the source – always check the sender’s domain to see whether it is genuine, and check where a link really goes by hovering your cursor over it rather than clicking; this reveals the real destination address. Spelling mistakes within messages or email addresses are a big red flag.
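The two checks in that tip (is the sender’s domain one we trust, and does each link go where its visible text claims?) can be automated for a mail filter or a training tool. The script below is an added example, not code from this post or from Calrom: the trusted domain list, the sample sender and the sample HTML are all constructed, the sender address uses a digit 1 in place of an l as a lookalike, and the "registrable domain" helper is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
"""Automated form of the 'check the source' tip: flag senders outside a
trusted domain list and links whose visible text shows one host while the
href goes to another. Added example; all domains and the sample mail are
constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation expects mail and links from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Production code should
    use the public suffix list (co.uk etc.); skipped here to stay offline."""
    return ".".join(host.split(".")[-2:])


def in_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(sender: str, html_body: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (kind, detail) findings. An empty list means nothing
    suspicious was seen, which is not proof the message is safe."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not in_trusted(sender_domain, trusted):
        findings.append(("untrusted-sender", sender_domain))

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        actual = host_of(href)
        # Only compare when the visible text claims a destination of its own.
        if URL_LIKE.match(text):
            shown = host_of(text)
            if registrable(shown) != registrable(actual):
                findings.append(("link-text-mismatch", f"shows {shown}, goes to {actual}"))
        if actual and not in_trusted(actual, trusted):
            findings.append(("untrusted-link", actual))
    return findings


# Constructed sample: a lookalike sender (digit 1 for l) and a link whose text
# shows the bank's real host while the href points somewhere else entirely.
SAMPLE_SENDER = "security@examp1e-bank.com"
SAMPLE_HTML = """<p>Your account is locked. Act now:</p>
<a href="http://example-bank.com.login-verify.test/reset">https://www.example-bank.com/reset</a>
<p>Or visit our <a href="https://support.example-bank.com/help">help centre</a>.</p>"""

if __name__ == "__main__":
    for kind, detail in check_email(SAMPLE_SENDER, SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run against the sample, the script reports the lookalike sender, the link whose visible text and real destination disagree, and the untrusted destination host; the genuine help-centre link under a trusted subdomain produces no finding. The text-versus-href comparison is the programmatic equivalent of hovering over a link before clicking it.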
Secure your devices – keeping your device’s software up to date is an important step in preventing cyber security attacks. Also set up two-factor authentication on every account that supports it.
Switch up your passwords – using the same password across multiple accounts is a no-go. It’s bad enough for a hacker to access one account, let alone multiple.
Staying a step ahead of social engineering tricks isn’t just a blog topic, it’s a commitment that we, Calrom, take seriously to protect our digital security. Join us in staying vigilant by following our top tips to prevent social engineering.