Social engineering is one of the most effective forms of attack because it targets people rather than software: no firewall or antivirus product inspects a phone call. A social engineering attack is aimed at an individual, and it preys on that person's trust, helpfulness and lack of knowledge.
How a Typical Social Engineering Attack Works
How might you respond if you answered your office phone and heard this?
“Hey, it’s Bill. I’m the new intern in the IT department, and I’ve just made a huge mistake. I accidentally deleted that project you were working on yesterday while I was defragmenting the file server. I can restore the file, but I need your network password. Can you give it to me?”
Would you tell him "no"? Don't be so sure. If the caller ID shows an internal extension (which an attacker can spoof or reach through a compromised desk phone), you may assume the call is legitimate. If you rarely visit the IT department, you may not know whether there is actually an intern named Bill, and surely you can trust the IT department with your password? You're busy, you don't appreciate the interruption, and you don't want to lose an important file. You might give the attacker your password. The tell that should stop you is the request itself: a real administrator can restore a file or reset your password from their own account and never needs to know your password.
Defending Your Company From Social Engineering Attacks
You can't stop social engineering attacks by installing a new firewall or better security software. What you can do is train your employees to treat any unusual or urgent request with skepticism, to verify it through a channel they already trust (calling the IT department back on its published extension rather than the number the caller gives), and to remember that no legitimate request ever requires sharing a password. The best way to defend against social engineering attacks is to understand how they work.
These are some of the most common types of attacks:
We described a pretexting attack above. In a pretexting attack, the attacker invents a plausible but false story (an identity, a crisis, a reason the victim must act right now) to convince the victim to surrender information or take an action.
Phishing attacks are the most common social engineering attacks. A phishing attack is an email, chat message, phone call or malicious website, usually sent in bulk, that impersonates a trusted party in order to harvest passwords or install malware on the victim's computer.
A spear phishing attack is a phishing attack that uses information about a specific victim to gain an advantage. Suppose Bill the intern in the example above actually existed and was a close friend of the victim. In a spear phishing attack, the attacker might approach the victim through an email designed to appear as though it had come from Bill's email address, either by forging the sender header outright or by registering a lookalike domain and reusing Bill's display name.
Baiting is leaving a device loaded with malware, such as a USB thumb drive, where someone might find it and plug it into a company computer out of curiosity.
In a quid pro quo attack, the attacker offers the victim something, such as money, a gift card or free "technical support," in exchange for a password or other personal information.
Tailgating is following an authorized person through a secured door to gain entry into a restricted area. In the example above, the attacker might have learned about Bill's friendship with the victim by telling Bill that he lost his ID card and asking Bill to let him into the office.
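Training people to be skeptical is the main defense, but the spear phishing case above also leaves technical traces a mail gateway or a suspicious recipient can check. The script below is an added example, not code from the original page: it takes two constructed messages (a genuine note from "Bill" and a spoof that reuses his display name) and lists the indicators that the second one impersonates a known contact. The domains, the address book and the assumption that the company's mail gateway stamps an Authentication-Results header with SPF, DKIM and DMARC verdicts are all hypothetical.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a legitimate message from Bill as it might arrive after passing
# through the company's mail gateway. All names, domains and headers are hypothetical.
LEGIT_MESSAGE = b"""\
From: Bill Example <bill.example@corp.example>
To: alice@corp.example
Reply-To: bill.example@corp.example
Subject: restoring yesterday's project file
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

Alice, the file is back. The ticket number is in the helpdesk portal.
"""

# Constructed sample of a spear phishing message: Bill's display name is reused, but the
# sender address, the Reply-To and the gateway's authentication verdict all disagree with it.
SPOOFED_MESSAGE = b"""\
From: Bill Example <bill.example@corp-example-it.example>
To: alice@corp.example
Reply-To: it-helpdesk@mail-recovery.example
Subject: URGENT: need your password to restore your project
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp-example-it.example; dmarc=fail header.from=corp-example-it.example

Hey it's Bill, I deleted your project while defragmenting the server. Send me your network password and I'll restore it.
"""

# Hypothetical address book: display names employees recognise, mapped to the real address.
KNOWN_CONTACTS = {"bill example": "bill.example@corp.example"}
INTERNAL_DOMAIN = "corp.example"


def parse_auth_results(value):
    """Turn 'authserv; spf=fail smtp.mailfrom=x; dkim=pass ...' into {'spf': 'fail', 'dkim': 'pass', ...}."""
    verdicts = {}
    for clause in value.split(";")[1:]:          # the first clause is the authserv-id, not a verdict
        for token in clause.split():
            if "=" in token:
                key, result = token.split("=", 1)
                if key in ("spf", "dkim", "dmarc") and key not in verdicts:
                    verdicts[key] = result.lower()
    return verdicts


def spoofing_indicators(raw_message):
    """Return the reasons this message looks like it impersonates a known contact (empty if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    findings = []

    # A familiar display name attached to an unfamiliar address is the classic lookalike trick.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and expected != from_addr:
        findings.append(f"display name '{display_name}' belongs to {expected}, not {from_addr}")

    if from_domain != INTERNAL_DOMAIN:
        findings.append(f"sender domain {from_domain} is external")

    # Replies silently routed elsewhere let the attacker keep the conversation going.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        findings.append(f"replies go to {reply_to}, not to the sender")

    # Any non-pass SPF/DKIM/DMARC verdict from the gateway means the From header was not vouched for.
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    for mechanism in ("spf", "dkim", "dmarc"):
        if verdicts.get(mechanism) not in (None, "pass"):
            findings.append(f"{mechanism}={verdicts[mechanism]}")

    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, spoofing_indicators(raw) or "no indicators")
```

None of these checks is proof on its own: a compromised real mailbox passes every one of them, which is exactly why the page's advice to verify unusual requests out of band still applies even when the headers look clean.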
Make Your Business More Secure Now
Social engineering is only one of the threats that your company faces in today’s complicated technological landscape. Complete the form or call us now to learn more about how we can help you become more secure.