In the digital security world, social engineering is defined as the act of tricking someone into doing something that is often detrimental to themselves or others.
Social engineering attacks can come in many forms: over the web, email, phone, postal mail or even in person. Attackers can be very creative in how they disguise a malicious request as a seemingly legitimate call to action. And these attacks have proven to be a very effective way for a criminal to get inside your organization.
A successful social engineering attack typically results in a hacker obtaining an individual’s trusted credentials to one or more systems. They can use those credentials to log in and snoop around for sensitive data or cause havoc in the digital network.
Some of the more popular social engineering attacks include:
Phishing emails or web sites are set up to fool a user into entering their logon credentials into what appears to be a trusted site (bank, credit card portal, etc.). The ‘fake’ site then captures those credentials, which can then be used to maliciously access the real site equivalents.
Over the Phone
Hackers utilize phone-based attacks by posing as representatives of tech support, customer assistance or any number of other groups to obtain login credentials under the guise of helping the individual with a ‘problem’. Often that problem is represented as a malware program that may have infected the recipient’s computer or an issue with their bank account or credit card.
Another popular phone-based attack vector is a hacker posing as a debt collector, tax agency or even law enforcement in an attempt to fool the recipient into sending money.
Social Network Harvesting
A more recent social engineering attack is accomplished by setting up a ‘fake’ social network app or page (Facebook, LinkedIn, etc.) that is designed to target people who are interested in a particular subject, storyline or individual. Many celebrity fan sites, for example, are set up for this very purpose.
The attacker is then able to access the individual’s contacts and other information that allows them to build out a network of potentially favorable targets.
Social engineering attacks are always evolving, so it is critical for an organization to implement an awareness training program that is maintained as new threats evolve. Education is key in helping to ensure that employees recognize these threats and don’t ‘click that link’.
In our next post we’ll discuss some other methods of combatting social engineering…