What is Social Engineering, and How Can You Prepare Your Workforce?
If you aren’t familiar with the term “social engineering,” you’re not alone. But even if you don’t know what the term means, you certainly are familiar with social engineering tactics.
In this article, we’ll define social engineering and share plenty of examples so you can train your team about what to look for and how to prevent scams from succeeding.
By the time you’re done reading, you should have a good idea of a variety of ways cybercriminals attack businesses of all sizes and which ones would apply to your business, as well as what you need to do about it.
Social Engineering Definition
You’ve seen scenes like this in countless movies and television shows—someone posing as an employee of a corporation so that they can sneak in and steal the information they need to carry out the plot of the rest of the story.
It’s all fun and games in a spy or heist movie, but in real life, businesses fall victim to social engineering attacks like this all the time.
The definition of social engineering is,
“the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Many scams you’re already familiar with, like phishing and malicious links sent to corporate email addresses, fall under the social engineering umbrella. But there are so many more social engineering techniques. And we’re going to talk about many of them here.
How Does Social Engineering Work?
Just like the definition explains, successful social engineering attacks happen when the attacker can manipulate a person to get sensitive information. Social engineering occurs online and in the physical world.
Whether a social engineer is grabbing account information about your business from a phishing email or walking into your business dressed up as a fake IT professional and walking out with physical media, social engineering attacks rely on deception to obtain information they can profit from.
How Do Most Social Engineering Attacks Happen?
You might be thinking that only a fool could get sucked into a trap set by a social engineer, but the truth is some social engineers are very deceptive and sophisticated. They use familiar logos, brand names, brand styling, images of individuals you’d know, and more to trick even tech-savvy people. And, like it or not, humans are the weakest link in any business’s security measures.
Humans can be tricked and manipulated. That’s why training your staff about social engineering, cybersecurity attacks, and phishing scams is the best way to reduce your risk of a cyber attack.
By and far, the most common social engineering attacks are phishing attacks. And while you’re probably already familiar with the basics of phishing scams and can spot the obvious ones, we want to educate you even more so you can pass it on to your team and protect your business. And we’ll talk about other social engineering techniques too.
Examples of Social Engineering Attacks
There are many types of social engineering attacks, but since phishing attacks are the most common and there several different categories within phishing, we’ll start there.
Of course, someone putting on a fake lab coat and walking out of a hospital with a tablet full of patient information is a far flashier form of social engineering. But the majority of social engineering attacks are as boring as someone clicking on a malicious link in their email or a text.
Let’s get into it.
Phishing attacks are cybersecurity attacks where a social engineer pretends to be a trusted entity to gain usernames and passwords, credit card information, or to get a victim to click on a link that installs malware. But there are many phishing scams to be weary of. Here are the common ones.
Spear phishing is maybe the kind of phishing you’re most familiar with. A user gets an email that looks like it comes from a trusted entity. Spear phishing emails can even look like they come from a government entity like the IRS, or a big brand like Amazon, Google, or Apple.
On top of that, one thing that sets spear phishing apart from other phishing scams is that they’re usually personalized to the victim’s name, creating the illusion that, yes—this email is intended for the recipient.
These emails might say things like, “we need you to head to this website to change your password,” or “something changed in our systems and we need you to verify your billing information.”
This is how the social engineer captures login credentials or bank account information. And they can capture corporate information from your employees just as easily as they can gather personal information.
Angler phishing is becoming more and more common, and happens when a social engineer creates a fake corporate social media account. They may direct message users, presenting them with an offer, trying to extract personal or bank information.
Smishing or SMS Phishing
Smishing is phishing via text message, or SMS message. Similar to spear phishing attacks, these look innocent enough at first, like they’re coming from FedEx, Amazon, or another trusted entity.
A text message feels more personal than an email, like someone wouldn’t have your number unless you gave it to them—which is just not true. So, sometimes people’s guards are down when receiving a phishing attack via text instead of email.
Again, the goal of a text attack is to get you to click a link that will give the attacker access to information on your phone. If your employees use their personal phones for work email, work messaging apps, or any other work tasks, a security threat to their personal phones are security threats to your business.
Vishing or Voice Phishing
Vishing or voice phishing are scams that come by phone call. It’s either a live person, or a bot, and whether you pick up or leave a message, they’re often asking for bank account information or other personal information. And again, they’re most likely pretending to be an entity you would trust.
Access Tailgating or Piggybacking
Tailgating or piggybacking attacks usually have both a physical element and a cyber element—where the attacker uses an in-person trick to gain access to a restricted area, restricted information, or to install malware on corporate hardware.
We mentioned heist movies before, but these types of social engineering attacks really do happen. Social engineers rely on human error, knowing that someone with a corporate ID might be trusted even if they don’t look familiar, or that in the throws of a busy workday, devices can be left unattended and are easy to steal.
Quid Pro Quo Attacks
Quid pro quo attacks are similar to tailgating, but what sets them apart is that the social engineer is actually offering something in return for the sensitive information they’re stealing—and usually, they’re offering technical support.
This doesn’t have to be an in-person attack, either. A common quid pro quo attack involves the social engineer calling random employees at a company and offering to help with an IT problem until they reach someone who actually has a problem. Then, with the login credentials they gather, they can install malware or use that information to access a secure system.
Watering Hole or Water-Holing Attacks
Watering hole attacks are a form of social engineering that targets an industry or a corporation rather than an individual. True to its name, the attacker sets up malicious code at a watering hole—a place on the internet where people from that business frequent. Common websites for water holes are message boards and general interest sites.
To the victim, it may just look like an additional pop-up on a website they go to all the time, so it doesn’t seem suspicious. The common end goal is to infect the victim’s computer with malware.
Social Engineering Attack Prevention
Now that we’ve covered the major types of social engineering, it’s time to discuss prevention. Because human error is the main vulnerability in a social engineering attack, the best way to prevent them is through ongoing training.
Never assume that your employees are savvy about cyber attacks. It’s a company’s job to establish cybersecurity training, both when a new employee is onboarded and ongoing.
Train Your Staff On Psychological Triggers and Other Giveaways
Anyone can fall victim to social engineering attacks, so it’s important to educate your team about the different types of attacks, potentially vulnerable places, and what to look for. After they know about how social engineers work (through email, over the phone, via text message, on a legitimate website, or even in person), it’s time to train them on what to look for.
Check for Odd Looking Links, Strange Email Addresses, and Misspellings
Scammers are trying to quickly create trust, often using brand names that you know, or even pretending to be an individual in your organization. Train your staff to stop and take a closer look when they see any suspicious email or text.
Often the name in the inbox looks familiar, like the name of your bank. But upon clicking the actual email address, you’ll notice a bizarre combination of letters, the brand name misspelled, or something else that looks like a red flag.
Are They Asking for Information They Should Already Have?
Any email, phone call, or text asking for sensitive information that the entity would already have is suspicious. Teach your team to ask for proof of identity or to ignore these types of requests altogether and wait for a follow-up.
A common example of this is the CEO scam, where the scammer pretends to be a wealthy individual or even the CEO of the potential victim’s company, asking for information they should already have, like a social security number. Or they’ll ask for something they definitely wouldn’t need, like for the employee to wire them money.
Is the Scam Creating a Sense of Urgency?
One reason why humans are vulnerable to these types of attacks are the psychological triggers that are used. For example, phishing emails might say things like, “High severity alert has been detected” or “Suspicious log-in activity, please login within an hour to claim your account.”
Again, teach your staff to take a minute when they get these types of emails and ask themselves:
- Does this seem probable?
- What will happen if I don’t follow through?
- Are there any misspellings, odd email addresses used, or anything else out of the ordinary?
- Is this about something unsolicited? (For example, a common smishing attack is to say that you have a UPS package that urgently needs to be claimed. If you aren’t expecting a package, that can be a good indicator of a scam.)
Train your team to return to the original source
Whether it’s an out-of-character or unlikely DM, or an email with an odd request from a friend, teach your team to return to the trusted source for verification. Text or call the friend at their actual phone number to verify. Log into the real Google or Apple website, don’t just follow a link sent to you by email.
Be Savvy, and Hire ABQ-IT to Audit Your Security Systems
A good training program is key, but so are firewalls, antivirus software, and in-person security. At ABQ-IT, we can complete an audit of your systems and come up with solutions to address any vulnerabilities we find. We help businesses of all sizes with their cybersecurity needs, and we’d love to see what we can do to help your business. Awareness is the first step though, so feel free to share this blog with your team as a starting place!