Any cybersecurity expert will tell you: it doesn’t matter how many locks you have on the door, if someone lets an attack inside. In fact, social engineering attacks account for 33% of data breaches, reported the 2019 Data Breach Investigations Report by Verizon. The goal of social engineering is to manipulate you to let them into the network, so they can infect it with malware or comb your data for valuable information.
Before we can dive into the top 10 social engineering tactics, we have to answer the question: what is social engineering?
What Is Social Engineering?
Social engineering uses psychology to manipulate your most vulnerable cybersecurity element — the human. Social engineers target your emotions and relationships to gain access to valuable information and your network. These can be one-off attacks, or some social engineers take the time to formulate relationships with their victim making them even more dangerous.
Social engineering often takes less time than automated software. Getting a human to reply with a password or click a link takes minutes, while trying to crack a password that follows the most up to date security measures can take years.
Oftentimes social engineers will combine more than one tactic for a single attack, which makes it even trickier and more important to identify a social engineering attack. For example, the September 2019 Dallas County Courthouse break-in, the social engineers used tailgating and baiting to gain access to the network.
The Most Common Social Engineering Tactics
1) Phishing & Spear Phishing
Phishing is probably a cyber attack you have heard of before. It is an email that impersonates a trusted source to get you to take an action, like click a link or reply with confidential information.
Can your employees identify a fake invoice from a real one? Learn about the most common phishing scams in this article.
Social engineers often use spear phishing tactics to trick employees. Spear phishing are highly targeted phishing attacks. Instead of sending a phishing email to one hundred recipients, spear phishing emails are sent to one person or a very small group of people. These attackers research specific information about you and your company to appear like a trustworthy source to manipulate their victim.
Pretexting is usually paired with spear phishing as the attention-getter. It’s a tactic that builds a compelling context or pretext around the social engineering scenario. An email from your “boss” is a common pretext scenario.
Pretext is important to social engineers. It is how they manipulate people into making mistakes and giving up valuable information.
Baiting is a social engineering tactic with the goal of capturing your attention. Baiting can be found in search results, social media or emails. For businesses, baiting often comes across as a request for help. During the baiting attempt, victims are asked to verify company credentials and confidential information. This information can lay the foundation for future interactions with the social engineer.
Another form of baiting is more physical. Social engineers have been known to leave a USB somewhere at their target company. The label is appealing to employees, like “2020 Raises.” This tempts your employees to pick it up and plug it in, allowing the social engineer to have an entry point into your network.
4) Email Hacking
The goal for email hacking is to gain access to your emails and contacts. This social engineering tactic opens the door of using the email address to spread malware and obtain valuable information.
5) Quid Pro Quo
The quid pro quo tactic always appears like an equal exchange of information—the classic “You’ll scratch my back; I’ll scratch yours” — but when it comes to social engineering, it is not equal. Social engineers craft their proposals to benefit them and their goal in gaining information to infiltrate your business.
6) Phones & Vishing
Phones are vulnerable to vishing (voice phishing) and texting phone scams. Vishing is a phone scam that pretends to be a trusted authority to get exploitable information, like the IRS phone scare that comes around tax season each year. Social engineers are clever. They can mimic recognizable phone numbers and caller ID names to gain trust.
Some social engineers are strategic and use out of office replies to research and call your business:
Hi Dan, I hope Erica is enjoying her vacation in the Bahamas. Since she won’t be back until July 31st, she directed me to you to answer my questions.
A simple opening is all a good social engineer needs to appear to be a credible source.
And those are just phone call examples of social engineering!
Social engineers are even using texting. Texting is more and more integrated into technology. Social engineers are using texts to send phishing links to open the door into your network.
Tailgating involves more than one person, piggybacking off of resources to appear like a credible source. For example, a social engineer will call someone, who they know does not have the proper authority to answer their question, and the employee will transfer them to someone who can. This transfer makes the social engineer look trustworthy.
Like baiting, tailgating isn’t limited to the virtual world. An easy way social engineers gain access to a physical, internal network is by conversing with an employee and following them into the building without swiping a keycard. This gives them easy access to the entire building, including your serves and computers.
8) Social Media
Social media is a social engineering tool. Social engineers create bogus profiles which impersonate celebrities or trickier your friends and family. They often take advantage of data breaches to accomplish identity theft.
9) Rogue Security
Social engineering uses every trick to gain access to your network, including rogue security. Rogue security is a form of malware which impersonates a fake or simulated anti-spyware or security scanner. It tricks you into believing you are getting protection, when in fact you are infecting your network with malware and the social engineer is stealing your data.
It is possible to protect yourself against a rogue security attack. Knowledge is power. Understanding who your anti-virus provider is and how often updates occur can protect you and your company from falling victim to a rogue security attack. At Access Systems, we verify updates that go out to our network and clients on a regular schedule. So, you know they are not rogue security pop-ups.
10) Emergency Language
To make you fall for social engineering, attackers will use emergency language. They use words or phrases like:
- If you do not respond
- This is your last chance
- Respond now
These words make you act first and think second, because no one wants to get in trouble or miss an opportunity. It manipulates you to make rush decisions.
Social engineering attacks also are impacted by the time of year or regional events. Natural disasters and health scares usually bring out a surge of insurance fraud attacks and political elections are prime targets for fake donations.
Protect Yourself Against Social Engineering Attacks
While social engineering attacks are clever, there are ways to protect yourself and your business. One sure fire way is to train your employees on how to identify cyber threats. As we mentioned earlier, it doesn’t matter if you have the most advanced technology guarding your network, when an employee opens the door for a cyber attacker. Training your employees decreases the risk to your business.
At Access Systems, we offer cybersecurity training on all kinds of cyber threats including social engineering attacks.
Another way to protect your business is to have a strong cybersecurity policy. Oftentimes employees react, because they don’t know what to do. Providing a policy that everyone follows and understands completes the decision-making process that causes trouble for your business.
Follow this easy guide to create your cybersecurity policy, or speak with Access about our virtual CIO offerings. Our virtual CIO works as an adviser to your business; so, you have the best IT to fit your business.
Are you sure you have every cybersecurity feature in place to protect your business? Maybe it’s time for an IT assessment. Check out the 5 benefits of an IT Assessment or give us a call today to talk to one of our IT expects!