Social engineering fraud is the practice of deceiving people into divulging information that can be used to commit fraud or identity theft, access a secured network, obtain trade secrets, sales and marketing plans, customer and supplier information or financial data, or simply disrupt business operations.
Social engineering is more effective than any purely technical hacking method because it exploits human error rather than vulnerabilities in computer systems. It typically happens through email, text messages, online chat and phone calls.
With advancements in technology and the security systems now in place, hackers can’t break into systems easily. That’s why they target the weakest link in the security chain – the user. It’s much easier to trick someone into providing confidential information such as passwords, bank information and credit card numbers.
The world’s most notorious hacker, Kevin Mitnick, helped popularise the term ‘social engineering’ in the 90s with his book “The Art of Deception”. It contains real stories on why attacks are successful and how to prevent them.
Types Of Social Engineering Attacks
Hackers use different social engineering tactics to manipulate their target depending on how they deliver the attack, for example by email, web, phone, USB drives or other means. Here are some of the most common social engineering tactics.
There are two major types of social engineering attack – remote and in-person.
1. Remote Attacks (Phishing)
Phishing is one of the most popular social engineering tactics attackers use to get sensitive information from their target. It’s usually via email, text messages and phone calls.
– Email Attacks
Attackers send a well-crafted email with a deceptive subject line to trick the recipient into believing the email is from a trusted source. The email may contain seemingly legitimate documents, logos, contact details or a link to a cloned website. The attack aims to create a sense of urgency so the user acts immediately. For example, you may receive an email prompting a password change or an invoice for payment, which delivers your credentials or money to the attacker once submitted.
– Phone Call Attacks (Vishing)
A social engineer who attacks over the phone, often called “vishing” for voice phishing, usually pretends to be someone, e.g., an account holder, business partner, staff or a trusted provider of your organisation. They typically gather necessary background information before making the call to avoid suspicion.
– Spear Phishing
Spear phishing has the highest success rate. The attacker sends a personalised email or calls the target based on their job title or technical skills, and may pretend to be a colleague within the organisation or an IT consultant who pressures the target into handing over confidential information. Spear phishing attacks can require months of preparation, making them harder to detect.
– Scareware
Scareware manipulates users through fear by deceiving the target with notifications of a malware infection. It suggests the user buy or download fake antivirus software to get rid of it. However, the “antivirus” is itself malicious software that can steal your personal information once installed. It’s common to encounter this type of social engineering attack while browsing the internet or via email. Rogue security software and crypto miner lock are two of the most popular scareware tactics cybercriminals use.
2. In-Person/Onsite Attacks
In-person social engineering techniques are less common than remote attacks. Yet, they’re very effective because businesses usually focus on IT security, not physical threats.
– Shoulder Surfing
Shoulder surfing is a physical social engineering attack that uses direct observation techniques to steal information. The attacker stands beside someone and watches them enter their login credentials or PIN at an ATM.
– Tailgating
Tailgating is another onsite social engineering technique used by attackers seeking entry to restricted areas protected by biometrics, RFID cards or other electronic access control. The attacker waits for the right opportunity to walk in behind an authorised person, or works out when the next scheduled maintenance is due and arrives dressed as a maintenance technician to get past the front desk.
– Key Loggers
Hardware and network devices often need technical services, and attackers exploit this. They may impersonate third-party onsite tech support and install a key logger on shared computer systems to capture usernames and passwords, which gives the attacker the access rights to control the workstations remotely.
– Baiting
Baiting is the social engineering equivalent of a Trojan horse. The attacker leaves a malware-infected flash drive in a public place, hoping someone will pick it up and plug it into their computer. Distributed USBs are usually labelled “Confidential” or “Salary info” to entice the victim to open them, giving the attacker access once the contents are opened. Attackers also use online baiting, offering free goods in exchange for personal information.
How To Prevent Social Engineering Attacks
- Educate everyone in your organisation about social engineering techniques by providing adequate training and seminars.
- Review company policies and processes for handling transactions and essential business activities to ensure standard operating procedures are followed.
- Set your spam filter high and periodically monitor the spam folder for essential emails that may be caught accidentally.
- Verify the sender’s email address and treat unsolicited emails as suspicious.
- Increase the security of your devices by installing system updates and keeping your antivirus software updated.
- Enable multi-factor authentication (MFA), two-factor authentication (2FA) or two-step verification on your online accounts for an additional layer of security.
- Always check that you’re accessing the correct website URL. Online banking websites use extended validation (EV) SSL certificates to attest to the legal entity behind the website.
- Email or text messages with instructions on claiming your prize or money from an unknown relative are likely scams.
- Download files only from trusted websites and always scan files using your updated antivirus. File attachments from unsolicited emails are potentially dangerous.
- Be wary of any tempting offers online, such as free giveaways.
- Be aware of your surroundings for possible onsite attacks.
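As an added example (not code from the original post), the following Python checker applies the sender-verification, URL and urgency checks from the list above to a raw email. It assumes a list of trusted domains you define, and the sample message it runs on is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed: domains your organisation trusts
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one (not a lookalike)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_email(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw email message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    brand_words = [d.split(".")[0] for d in TRUSTED_DOMAINS]
    # 1. Display name borrows a trusted brand, but the address is on another domain.
    if not is_trusted(from_domain) and any(b in name.lower() for b in brand_words):
        findings.append(f"sender '{name}' uses untrusted domain {from_domain}")
    # 2. Reply-To quietly redirects replies to a different domain.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From")
    # 3. Links whose text or hostname imitates a trusted site but point elsewhere (cloned site).
    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        if not is_trusted(host) and any(b in (text + host).lower() for b in brand_words):
            findings.append(f"link imitates trusted site but points to {host}")
    # 4. Urgency wording that pushes the reader into acting before thinking.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings

# Constructed sample message (not a real email) used to exercise the checks.
SAMPLE = """From: Example-Bank Security <alerts@mail-notify.net>
Reply-To: support@login-verify.net
Subject: URGENT: verify your account within 24 hours

<p>Your account will be suspended unless you confirm now:</p>
<a href="http://example-bank.com.login-verify.net/confirm">https://example-bank.com/login</a>
"""
```

Running `check_email(SAMPLE)` reports all four indicators; a message from a trusted domain with no lookalike links and no urgency wording returns an empty list.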
Social engineering can target anyone. The size or industry of your business doesn’t matter. A risk is always involved when your information is available on websites or social media platforms.
Protect your business by educating your team on social engineering and the tactics attackers use, so you can manage your risk exposure.
Contact Clear Insurance today to learn more about protecting your business from social engineering risk.
General Advice Warning: This advice is general and does not take into account your objectives, financial situation or needs. You should consider whether the advice is appropriate for you and your personal circumstances. Before you make any decision about whether to acquire a certain product, you should obtain and read the relevant product disclosure statement.
Clear Insurance Pty Ltd. ABN 41 601 916 689. AFSL No. 548953.