Credit to Webroot Cybersecurity Resources, Techtarget and Stickerman Cyber articles
Social engineering is the art of manipulating people so they give up confidential information. Criminals use social engineering tactics because it is easier to fool someone into giving you their password than try hacking their password. It is also easier to exploit your natural inclination to trust rather than discover ways to hack your computer.
The weakest link in the security chain is the human who accepts a person or scenario at face value. If you trust the person at the gate who says he is the pizza delivery guy, you are completely exposed to whatever risk he represents. Security is all about knowing who and what to trust.
How does social engineering work?
Social engineers are hackers who study their targets and design an attack based on the information they learn about them. One common tactic of social engineers is to focus on the behaviours and patterns of low-level employees. Another is to scan social media profiles for personal information and study their behavior online and in person.
The four vectors of social engineering attacks
1. Phishing. A type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
2. Impersonation. Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.
3. Vishing. Vishing is the phone's version of email phishing and uses automated voice messages to steal confidential information. Attackers commonly use IVR technology to convince victims.
4. Smishing. The act of using SMS text messaging to lure victims into a specific course of action.
Stages of Social Engineering
Reconnaissance: this is when the attacker gathers information on their victim, information like interests and personal details.
Engagement: this stage consists of the attacker contacting the victim via email, phone, social media or even in person.
Attack: this is when the attacker tries to collect the desired information from the victim.
Escape: the attacker having retrieved the information or gained access to the employee’s or organization’s systems, quietly retreats access to the employee’s or organization’s systems, without alerting suspicion.
Preventing social engineering
There are a number of strategies companies can take to prevent social engineering attacks, including the following:
Training of employees - make sure employees are adequately trained to identify social engineering attempts
Establish frameworks - establish an understanding and level of trust amongst employees on the handling of sensitive information
Organizing Information - organize and understand the sensitivity of information and ensure adequate security is in place to protect information depending on its sensitivity.
Security Policies & Protocols - Establishing security protocols, policies, and procedures for handling sensitive information.
Testing - apart from training employees on how to identify social engineering attempts, it is important that information security awareness is tested. A great way of ensuring no one in your organization falls prey to social engineering, is to expose employees to similar attempts designed to test their knowledge on security protocols and procedures when met with a social engineering tactic.
Social engineering attacks on businesses are on the rise as most employees are never aware of the methods and tactics used by hackers, and cannot identify if they are falling victims to it. Attending our Cyber Threat Detection & Response Skills For Non-Cybersecurity Employees Training Workshop will definitely equipped and help your employees to recognise such attempts, and prevent social engineering attacks.