While most of us believe that cyber attackers would be wary of the human intelligence deployed to combat cybercrime, attackers have a different way of thinking. They are well aware of the security barriers the human intellect creates, but they know they can overcome these barriers by exploiting just one factor: human psychology. Essentially, this is known as “Social Engineering.”
What is Social Engineering?
As Kevin Mitnick, the renowned security consultant who was once a convicted hacker, puts it: “A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
The idea is to influence or manipulate you into sharing important business information, passwords, or access to essential systems. Attackers find it easier to take advantage of a user’s weakness than to break into the system itself.
Social Engineering tactics are plentiful, but we have listed the most common ones that invariably affect an organization.
5 Most Common Social Engineering Tactics
Phishing is the most common identity theft attack. It is said that 91% of cyberattacks start with a phishing e-mail. In this type of attack, the attacker poses as a trusted entity or person and tricks the victim into opening a spoofed e-mail or SMS that carries a malicious link. As soon as the victim clicks on the link, malware attacks the system and exposes sensitive information or credentials.
The social engineer tries to take advantage of human curiosity, and often succeeds in doing so. According to a study conducted by the U.S. Department of Homeland Security, computer discs and USB drives that were dropped in the parking lots of a government building were picked up (possibly because people were curious to know what was on the drive), and 60% of them were plugged into office systems. The devices are malware-infected and deliver viruses directly into the system once plugged in.
The attacker creates a fictional situation and impersonates someone in power to obtain sensitive information. For instance, an employee may receive a call from the Head of IT services; the caller may ask the employee to provide details such as a job code or system password for a corporate audit, and the employee may give away these credentials because he knows that an audit is a statutory requirement. It is said that successful pretexting attacks have nearly tripled since 2017!
Tailgating is a security breach that arises because an employee wanted to be polite or courteous. Today, most organizations provide their employees with access cards that verify their identity and allow them into the office premises. However, the innocent intention of helping an individual without an access card enter the office premises can be quite disastrous. According to a survey of enterprise security executives, more than 70 percent of the respondents believe they are currently vulnerable to a security breach from tailgating, and over half of the respondents believed the cost of a breach from tailgating to be $150,000 and up to “too high to measure.”
#5 Quid Pro Quo
The social engineer may offer help or compensation in return for some information, although this is done subtly. The attacker may pose as a professional offering a free upgrade to the software the employee has been using in exchange for his credentials. The employee knows the benefits he’ll get from the upgraded software and is enticed into sharing his credentials.
These are some of the many types of Social Engineering tactics. It is therefore imperative for every organization to proactively secure itself against all sorts of Social Engineering attacks.
Tips to secure your organization
#1 Training and Awareness
Kevin Mitnick’s message is simple: Humans are the weakest link in any security system. Companies need to spend more time training their employees on how to resist such attacks.
The training and awareness session about Social Engineering should give out a clear message: the attackers are “observers.” They observe employee movements, track their social media profiles, and note their behavioral patterns, which are then used to establish trust, luring employees into giving out vital business information.
#2 Adopt Zero Trust Mind-Set
The “Never Trust, Always Verify” approach goes a long way in combating Social Engineering attacks. Employees should be extremely vigilant before giving their details over a call, e-mail, or to executives they don’t recognize. If every employee adopts a zero-trust mindset, he/she will automatically start verifying calls, e-mails, and requests at the slightest doubt.
#3 Installing Anti-virus and Anti-malware
This saves an organization from Social Engineering tactics, particularly phishing attacks. Installing good Anti-Virus and Anti-Malware software will keep the organization safe even if an employee clicks on malicious links carrying viruses or malware to infect the organization’s security system.
#4 Deploy an IAM suite
This is the ultimate solution to defend against Social Engineering tactics. A comprehensive IAM suite that offers Access Management, Identity Governance and Administration, Privileged Access Management, business-to-consumer functions, endpoint and mobile management, personalized dashboards, high-powered analytics, and business intelligence monitors the essential systems and provides optimal security to the organization against Social Engineering.
According to Gartner, the greatest security risk is Social Engineering. However, if the right security measures and solutions are coupled with employees’ vigilance, any sort of Social Engineering attack will not be able to cause massive damage to the organization’s finances and reputation.