In today's day and age there are thousands of buzzwords and acronyms in the IT world: "Did you update the MX DNS record so that the SMTP server can relay correctly?", "Is your next-gen anti-virus product EDR, MDR, or XDR?", "How does your CDN mitigate DDoS attacks?". Riveting conversation for the everyday person, right?
What if I told you that 98% of attacks were due to simple exploitation of trust or authority, and that 70% of data breaches start from that exploitation? In the security world, it is called social engineering.
Social Engineering Methods
Social engineering, simply put, is the act of tricking users into divulging sensitive information through influence and persuasion.
All social engineering attacks fall into one of six categories:
- Reciprocity – “You scratch my back, I’ll scratch yours.”
- Commitment – “We previously agreed to this, now I need you to take action.”
- Social Proof – “Everyone else is doing it.”
- Authority – “Consequences will happen if it’s not done.”
- Liking – “We are friends, I need you to take action.”
- Scarcity – “It’s available for a limited time, you need to act quickly.”
Social engineering attacks come in many forms, but in the end the goal is to acquire sensitive information. It can be through email (phishing/spear phishing), phone calls (vishing), text messaging (smishing), baiting, scareware, or pretexting.
- Phishing – The most common social engineering method. It is the act of sending an unsolicited email that prompts the user to take some action. You may receive an email from "Your IT Team" asking you to update your password by clicking a convenient link. You could have won the lottery, and all you need to do is enter your information to claim it. Never trust those Nigerian princes wanting to share their wealth with you.
- Spear Phishing – A variant of phishing that is more targeted. An attacker sends a highly tailored email to a user with details specifically related to that person, their company, or their role. The goal of this type of attack is to compromise a high-value target.
- Vishing – A variation of phishing carried out over the phone. An attacker calls a user and requests information while posing as a trusted person or authority.
- Smishing – Another variation of phishing in which an attacker sends crafted text messages prompting the user to visit a "trusted" site. This is common in bank account compromises.
- Baiting – An attacker offers bait to a user to pique their curiosity or greed. This is often done through malicious USB drives or enticing advertisements. The end goal is to compromise a device through indirect means.
- Scareware – This involves bombarding a user with warnings of compromise in a browser or email. The attacker poses as a trusted authority, such as Microsoft, Apple, or your IT team, and asks you to call a number to resolve the issue.
- Pretexting – An attacker contacts a user while posing as a co-worker, person of authority, or trusted entity, using crafted lies to gather information or get the user to reveal their identity. It is commonly used to collect social security numbers, addresses, phone numbers, vacation schedules, and other company information.
Your organization will never be able to stop every social engineering attempt, but there are many ways to make sure it is not successful:
- User Training: This is one of the best ways to stop a social engineer from successfully acquiring information. If a user is trained to recognize an attack, they are less likely to fall for it.
- Be suspicious: If an entity is requesting that you do something, ask questions and verify the requester's identity before divulging information. This could be as simple as calling the person back on a known phone number or discussing the item in person. Don't open attachments in emails if you are not sure who sent them. If the offer is too good to be true, it probably is.
- Antivirus/Antimalware: Keeping your antivirus/antimalware up to date and set to automatic updates helps ensure that if you accidentally open a malicious document, the product can detect and act on that file.
- Multifactor Authentication: In the event of an attacker obtaining your username and password, it is best practice to have MFA enabled on all accounts. Having MFA greatly decreases the likelihood that an attacker will be able to gain access to your account. If you ever get an unexpected MFA call, text, or push notification, report it to your IT team as soon as possible; it is an indication that someone knows your password.