11.10.20

Stop social engineering for better cybersecurity

According to 2019 data from the FBI’s Internet Crime Complaint Center, about 1,300 complaints were filed with the agency each day that year. A substantial portion of these complaints involved some form of social engineering, a tactic that can be deployed online, over the phone or in person.

What is social engineering?

A 2019 article from CSO defined social engineering as “the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.” Rather than attempting to force their way in from the outside, actors who leverage social engineering techniques manipulate individual users into unwittingly granting them access to systems and spaces that would otherwise remain secure.

The key to stopping social engineering: Personal responsibility and a culture of security

Social engineering is effective because it exploits human impulses rather than requiring technical sophistication. Antivirus software and careful software engineering can limit and patch vulnerabilities within systems, but human operators tend to trust others and may skip best practices when the right emotional pressure (urgency, fear, a desire to be helpful) is applied against them.

Because of this reality, the best cybersecurity efforts have to ensure that they:

Emphasize a culture of security:
It may seem inconvenient at first to always follow cybersecurity best practices, and individuals may worry that they’re not demonstrating enough trust if they raise a red flag after spotting certain suspicious signs. However, it’s important to establish security as a cultural priority. Erring on the side of caution is in everybody’s best interests.

Generate a sense of personal responsibility:
Everybody needs to feel that it’s up to them to help spot and stop social engineering attacks. This is not somebody else’s problem. Some attacks will target key users, while others will use volume to their advantage, hoping that at least one person will slip up and execute an action that’s crucial for the attack to succeed.

Types of social engineering

To spot possible threats and take appropriate precautions, take a look at the following types of social engineering, as reported by Infosec Institute in 2020.

Pretexting: This is a technique whereby the threat actor assumes a fabricated identity or scenario in an attempt to build trust with the target. They then request personal information or credentials that can be used to access secure systems.

Baiting: During baiting attacks, criminals exploit the target’s curiosity in order to get them to download malicious applications. This may be conducted online or through the distribution of physical items like flash drives. “Quid pro quo” is a variant in which the attacker promises something in exchange for an action undertaken by the user.

Watering holes: In this sophisticated social engineering strategy, the criminal compromises a website frequently visited by members of the targeted group. A page on the third-party website is then altered to deliver malicious code to the target’s computer the next time they visit.

Piggybacking (also called tailgating): Attackers may attempt to bypass physical security and gain access by following authorized people through open doors and entryways.

Phishing: The target is asked to visit a URL that leads, often through redirects, to a malicious site. They may also be directed to download disguised malware or hand over important information. Variants include spear-phishing and whaling, which target specific individuals (whaling focuses on executives) using more convincing impersonation techniques. Vishing and smishing refer to phishing attempts conducted over voice calls and text messages, respectively.
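The phishing entry above turns on a few link-level tells that can be checked mechanically before anyone clicks: the anchor text names one domain while the href points at another, the host is outside the domains the organization owns, or the host is a punycode (IDN) lookalike. The following is an added example, not code from the original page or from Total Defense, that extracts the links from an HTML email body and flags those indicators. The sample email, the trusted domain list and the helper names are all constructed for illustration; the registrable-domain helper is a deliberate last-two-labels approximation, and a production tool would use the Public Suffix List instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please <a href="http://login.example-secure-mail.com/reset">
click here to visit https://mail.example.com</a> within 24 hours.</p>
<p>Or go to <a href="https://mail.example.com/settings">mail.example.com</a>.</p>
<p>Questions? <a href="http://xn--exmple-cua.com/help">example.com/help</a></p>
"""

# Assumed: the registrable domains the organization actually owns.
TRUSTED_DOMAINS = {"example.com"}

# Matches a URL or bare hostname that appears inside the visible anchor text.
URL_OR_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace and line breaks HTML authors sprinkle inside anchors.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (hypothetical helper;
    a real tool would consult the Public Suffix List so that e.g. co.uk is handled)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html):
    """Return one finding per link with the list of phishing indicators it triggers."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # IDN lookalike domains arrive as punycode labels ("xn--...") in the href.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        # Link points outside the domains the organization controls.
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("untrusted domain")
        # Classic mismatch: the text shows one domain, the href goes somewhere else.
        match = URL_OR_HOST.search(text)
        if match and registrable_domain(match.group(1)) != registrable_domain(host):
            reasons.append("anchor text shows different domain")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the links that tripped at least one indicator."""
    return [f for f in analyse_links(html) if f["reasons"]]


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        status = ", ".join(finding["reasons"]) or "ok"
        print(f"{finding['href']!r} shown as {finding['text']!r}: {status}")
```

Running the block flags the first and third links (the second is a legitimate link to a trusted host whose text matches its href). The check is static: it does not follow the URL, so a link on a trusted-looking host that redirects onward is only caught if the first hop already looks wrong, which is why this kind of scan complements, rather than replaces, the "raise a red flag" culture described above.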

While you’re doing your part to halt social engineering in its tracks, find out how Total Defense can help you secure your devices today.