If you’re a systems administrator, you may think your daily task list consists of installing security tools, configuring them to protect against the latest threats, patching servers and endpoints, and reimaging systems when they get a virus. It’s not a simple job, but it’s straightforward.
If you’re doing all that, however, you’re still only doing half your job.
Some of the most effective cyber attacks aren’t aimed at hardware or software; they’re aimed at people. Social engineering attacks often require no more than a telephone or an email address.
And because people are easier to deceive than properly configured software such as antivirus programs, these attacks are common. We’ll show you how to protect against them.
What Is a Social Engineering Attack?
Social engineering is a form of manipulation in which attackers impersonate a trusted source to convince people to perform certain actions, such as granting access to a computer or account, or disclosing confidential information such as passwords.
Cybercriminals use a variety of techniques to trick unsuspecting individuals into opening malicious links, downloading infected attachments, or visiting compromised websites, either to steal banking credentials, network logins, and intellectual property directly, or to gain administrative access from which to launch larger campaigns.
Attackers know that something as simple as a convincing call or email could give them login credentials that lead to footholds in business networks or the means to lucrative identity theft.
A typical account takeover works like this: the attacker calls or emails a support desk and impersonates the target, claiming to have forgotten their password and backing the claim with a believable story.
They talk a customer service representative into changing the registered email address on the account to one the attacker controls, then request a password reset, which sends the reset token to that new address. The attacker now has complete control of the account. The weak point is that the provider treated a recovery address it had never verified as trustworthy the moment an agent changed it.
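To make the failure concrete, here is an added example (not code from the original article or from any real provider) contrasting a support flow in which an agent can overwrite the recovery address with one in which the agent can only propose a change. The account store, the 48-hour cooldown and the mail queue are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import secrets

# Assumed policy value: how long a newly confirmed recovery address must age
# before it is allowed to receive a password-reset token.
RECOVERY_CHANGE_COOLDOWN = timedelta(hours=48)


@dataclass
class Account:
    username: str
    recovery_email: str
    # When the current recovery address was confirmed by its owner (None = never).
    recovery_email_verified_at: Optional[datetime] = None
    pending_recovery_email: Optional[str] = None
    pending_token: Optional[str] = None
    # Stand-in for an outbound mail queue: (recipient, subject) pairs.
    outbox: List[Tuple[str, str]] = field(default_factory=list)


# --- Vulnerable flow: the agent's judgment is the only control ---------------
def agent_change_recovery_email_vulnerable(acct: Account, new_email: str, now: datetime) -> None:
    """Agent overwrites the recovery address; the new address is trusted at once."""
    acct.recovery_email = new_email
    acct.recovery_email_verified_at = now


def send_password_reset_vulnerable(acct: Account) -> str:
    """Mails a reset token to whatever recovery address is on file."""
    token = secrets.token_urlsafe(32)
    acct.outbox.append((acct.recovery_email, f"Password reset: {token}"))
    return token


# --- Hardened flow: the agent can propose a change, never complete one -------
def agent_request_recovery_email_change(acct: Account, new_email: str) -> None:
    """Send a confirmation token to the new address and warn the old one."""
    acct.pending_recovery_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    acct.outbox.append((new_email, f"Confirm new recovery address: {acct.pending_token}"))
    acct.outbox.append((acct.recovery_email,
                        "Recovery address change requested; contact us if this was not you"))


def confirm_recovery_email_change(acct: Account, token: str, now: datetime) -> bool:
    """Only the holder of the new mailbox can complete the change."""
    if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
        return False
    acct.recovery_email = acct.pending_recovery_email
    acct.recovery_email_verified_at = now
    acct.pending_recovery_email = None
    acct.pending_token = None
    return True


def send_password_reset_hardened(acct: Account, now: datetime) -> Optional[str]:
    """Refuse to send a reset token to a recovery address that was changed recently."""
    if acct.recovery_email_verified_at is None:
        return None
    if now - acct.recovery_email_verified_at < RECOVERY_CHANGE_COOLDOWN:
        acct.outbox.append((acct.recovery_email,
                            "Password reset blocked: recovery address changed recently"))
        return None
    token = secrets.token_urlsafe(32)
    acct.outbox.append((acct.recovery_email, f"Password reset: {token}"))
    return token


def run_demo() -> dict:
    """Exercise both flows against a support-desk impersonation attempt."""
    now = datetime(2023, 6, 1, 12, 0)
    long_ago = datetime(2022, 1, 1)
    result = {}

    victim = Account("alice", "alice@example.com", recovery_email_verified_at=long_ago)
    agent_change_recovery_email_vulnerable(victim, "attacker@example.net", now)
    send_password_reset_vulnerable(victim)
    result["vulnerable_reset_sent_to"] = victim.outbox[-1][0]

    target = Account("bob", "bob@example.com", recovery_email_verified_at=long_ago)
    agent_request_recovery_email_change(target, "attacker@example.net")
    result["hardened_address_after_agent_request"] = target.recovery_email
    result["wrong_token_accepted"] = confirm_recovery_email_change(target, "guess", now)
    result["right_token_accepted"] = confirm_recovery_email_change(target, target.pending_token, now)
    result["reset_during_cooldown"] = send_password_reset_hardened(target, now)
    result["reset_after_cooldown_sent"] = (
        send_password_reset_hardened(target, now + RECOVERY_CHANGE_COOLDOWN) is not None)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The hardened flow does not make the attacker's job impossible: if they do control the new mailbox, the change eventually goes through. What it buys is that the real owner is warned at their old address before any reset token can be issued, and that the agent's credulity alone is never enough to move the account.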
What Are Social Engineering Techniques to Look Out for?
The most common form of social engineering is phishing. Attackers send carefully crafted emails that harvest personal information through malicious URLs or attachments, and create a sense of urgency so that victims respond before thinking.
However, not every attacker is going to conduct social engineering by pretending to be an authority figure, customer service rep, or other trusted source.
You also have to beware lesser-known social engineering techniques, including:
- Pretexting: Attackers using this technique invent a scenario that gives them a plausible reason to ask for the victim’s personal information. Often the scammer claims to need a few small details “to confirm your identity”. Where phishing relies on fear and urgency, pretexting aims to build a deeper sense of trust between attacker and victim.
- Baiting: Baiting follows much the same pattern as phishing, but where phishing tricks victims into clicking malicious links and entering login credentials, baiting promises the victim a reward. For example, an attacker might bait the victim into downloading a malicious attachment by promising free software or an update.
- Whaling: A form of phishing that still aims to steal confidential information and login credentials, but targets only high-value victims such as business executives and senior government officials, usually with a more carefully researched pretext.
- Watering Hole: Most social engineering targets individuals directly. In a watering hole attack, attackers instead compromise a legitimate website that their intended victims are known to visit and inject malicious code into it. When a victim visits the infected page, a backdoor Trojan is installed, giving the attackers access to the victim’s computer. This technique is most common in state-sponsored and other espionage campaigns.
Famous Examples of Social Engineering
The rise in social engineering and email phishing attacks has led to a rise in high-profile incidents, with victims including:
- Asset Managers
The world’s largest asset manager fell victim to a hoax by an environmental activist that fooled both The Financial Times and Consumer News and Business Channel (CNBC).
The attackers sent out an extremely convincing fake press release saying that the firm was pivoting to an environmentalist portfolio, causing a brief furor.
- Cryptocurrency Users
Users of the Ethereum cryptocurrency were sent phishing emails disguised as error messages urging them to install a patch.
The enclosed link instead led to a trojanized version of their wallet software that let the attackers drain their funds.
- Intelligence Agencies
Back in 2015, a teenage hacker called Verizon, obtained personal information belonging to John Brennan, then director of the CIA, and used it to take over his personal AOL email account. The account held sensitive information, including details from the director’s application for a security clearance.
The hacker was even able to speak briefly with Brennan on the phone. It took over two years before the attacker was found and arrested.
These incidents show how easy it is to wreak havoc with the simplest tools imaginable. Attackers can steal money, fool the media, and trick secrets out of some of the most powerful people on Earth using little more than a phone and an email address.
How to Recognize Social Engineering Attacks
Be very wary of any unsolicited advice or help, particularly if it asks you to act, such as clicking a link or downloading a file. Any request for a password or personal information is very likely a social engineering attack; legitimate support staff do not need your password.
Be suspicious if you receive a call from someone claiming to be tech support, or an unscheduled ‘inspection’ visit. Legitimate support teams rarely cold-call users about problems nobody has reported, and an unannounced visitor asking for physical access to your machines may be trying to install a keylogger or other malware.
Be wary of anything that creates a false sense of urgency; attackers use it to stop you applying your better judgment. The same goes for sob stories and other forms of emotional manipulation.
Always cross-reference and double-check. If you receive a suspicious email, phone call, or other request to disclose information or perform a task, verify that it is legitimate before acting, and do so through a channel you already trust: call the organization back on a number from its website or your own records, never on the number or link supplied in the message itself.
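The warning signs above can be turned into a first-pass filter. The following is an added example (not code from the original article) that parses a raw email and counts the indicators a human would look for: a Reply-To that goes somewhere other than the sender’s domain, urgency language, a request for credentials, link text that shows one domain while the href points at another, and executable attachments. The two sample messages, the word lists, the two-indicator threshold and the last-two-labels domain comparison are all constructed for the illustration; a production filter would use the Public Suffix List and far richer signals.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns; the word lists are illustrative, not a complete taxonomy.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify (your )?account|final notice)\b", re.I)
CRED_REQUEST = re.compile(
    r"\b(password|passcode|one-time code|social security number|login credentials)\b", re.I)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".hta", ".docm", ".iso", ".lnk")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: real code uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def score_email(raw: str) -> dict:
    """Return the social-engineering indicators found in one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    reasons = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = str(msg.get("Subject", "")) + "\n" + body
    if URGENCY.search(text):
        reasons.append("urgency language")
    if CRED_REQUEST.search(text):
        reasons.append("asks for credentials or personal data")

    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for visible, href in collector.links:
            shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", visible.lower())
            target = urlparse(href).hostname or ""
            if shown and registrable(shown.group(0)) != registrable(target):
                reasons.append(f"link text shows {shown.group(0)} but points to {target}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {name}")

    return {"score": len(reasons), "reasons": reasons,
            "verdict": "suspicious" if len(reasons) >= 2 else "no strong indicators"}


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk" <helpdesk@corp-example.com>
Reply-To: support@corp-example-secure.net
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Verify your account within 24 hours or it will be suspended.</p>
<p><a href="http://login.corp-example-secure.net/reset">https://mail.corp-example.com/reset</a></p>
<p>You will be asked to enter your password to continue.</p>
</body></html>
"""

LEGIT = """\
From: "Dana Ortiz" <dana@corp-example.com>
Subject: Lunch next Tuesday?
Content-Type: text/plain; charset="utf-8"

Are you free Tuesday at noon? Thinking of the taco place on 5th.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, score_email(raw))
```

Each indicator on its own is weak (plenty of real IT notices are urgent), which is why the verdict needs two of them. The link check is the one worth internalizing: the domain a reader sees in the link text is chosen by the sender, and only the href decides where the browser goes.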
How to Protect Against Social Engineering Attacks
There are two complementary ways to defend against social engineering attacks.
1. First, there’s technology. DMARC (Domain-based Message Authentication, Reporting & Conformance) lets a domain owner publish a DNS policy telling receiving mail servers what to do with messages that claim to come from its domain but fail SPF and DKIM checks aligned to the visible From: address: monitor them (p=none), quarantine them, or reject them outright.
A spoofed email is one whose visible sender address is not the address that actually sent it. DMARC with an enforcing policy stops attackers from sending mail as a brand’s exact domain, which protects the brand’s customers, but it does nothing against lookalike domains or mail sent from a compromised legitimate mailbox, and adoption rates remain low: under 50 percent across all industries.
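The following added example (not code from the original article, and not a real receiver’s implementation) shows the DMARC decision in miniature: parse the published record, check whether the SPF or DKIM domain aligns with the From: domain under the record’s strict or relaxed setting, and return the disposition. No DNS is queried; the record text and the SPF/DKIM results are supplied by the caller, and the organizational-domain rule is simplified to the last two labels, which real receivers replace with the Public Suffix List. The scenarios in run_cases(), including the corp-example.com domain, are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    tags.setdefault("pct", "100")   # policy applies to all failing mail by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record: str, header_from: str,
                      spf_domain: str, spf_result: str,
                      dkim_domain: str, dkim_result: str,
                      in_pct_sample: bool = True) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for;
    dkim_domain is the d= value of the DKIM signature. in_pct_sample says whether
    the receiver counted this failing message inside the record's pct= share.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"            # one aligned, passing mechanism is enough
    action = tags["p"]
    if not in_pct_sample:        # outside the pct sample the receiver steps down one level
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return action


# Constructed record for a domain that enforces p=reject with strict DKIM alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@corp-example.com"


def run_cases() -> dict:
    """Constructed scenarios showing what DMARC does and does not stop."""
    f = "corp-example.com"
    return {
        # Legitimate bulk sender: envelope domain is a subdomain; relaxed SPF alignment passes.
        "legit_subdomain_spf": dmarc_disposition(
            RECORD, f, "bounce.corp-example.com", "pass", "", "none"),
        # Exact-domain spoof: attacker's own SPF and DKIM pass but neither aligns with From.
        "spoof_from_attacker_infra": dmarc_disposition(
            RECORD, f, "attacker.example", "pass", "attacker.example", "pass"),
        # Strict DKIM alignment: a signature from a subdomain does not satisfy adkim=s.
        "subdomain_dkim_strict": dmarc_disposition(
            RECORD, f, "attacker.example", "fail", "mail.corp-example.com", "pass"),
        # Same message outside the pct sample: reject steps down to quarantine.
        "outside_pct_sample": dmarc_disposition(
            RECORD, f, "attacker.example", "fail", "mail.corp-example.com", "pass",
            in_pct_sample=False),
        # Lookalike domain with its own passing SPF: corp-example.com's policy is never consulted.
        "lookalike_domain": dmarc_disposition(
            "v=DMARC1; p=none", "corp-example-secure.net", "corp-example-secure.net",
            "pass", "", "none"),
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

The last case is the caveat in the text made explicit: the receiver looks up the policy of whatever domain appears in From:, so an attacker who registers a lookalike domain and sets up SPF for it passes DMARC cleanly. DMARC protects your domain name, not your users’ eyes.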
2. Second, there’s policy, meaning security awareness training. Security administrators test their workers against simulated phishing emails so that employees learn to tell a fake from a genuine message, and to report the fakes rather than quietly delete them.
Security awareness training is reasonably effective: open rates of phishing emails drop by 75% after training. But attackers only need to fool one person to get a foothold, so training reduces the risk rather than eliminating it.
How to Prevent Social Engineering
The best way to prevent social engineering is to avoid falling victim in the first place: know the common scams and always double-check requests through an independent channel.
If you have fallen victim to a social engineering attack, deal with both the device and the accounts. Run a reputable antivirus scan to remove any malware the attackers left behind, and reimage the machine if anything is found; malicious files may be lurking in the background waiting to log your keystrokes and steal your personal information.
Then change all of your passwords from a device you know is clean, turn on multi-factor authentication where you can, and check the affected accounts for anything the attacker added while they had access, such as mail forwarding rules, new recovery addresses, or extra authentication devices. A decent password manager such as 1Password makes the password changes much easier.
The reason social engineering is such a universal component of cyber attacks is that, when done successfully, it provides direct access to a core network or user account. All the perimeter defenses in the world won’t stop an attacker that can simply log into an admin account with the proper credentials.
That’s why, in addition to the right tools for prevention, detection, and response, you need to invest in education and awareness to stop social engineering.
Being able to spot suspicious emails, URLs, and web pages is the first line of defense against social engineering. That means staying alert to the warning signs of phishing and not blindly clicking every link and attachment that reaches your inbox.
While a determined attacker has a good chance of fooling employees with fake emails or spoofed phone calls, good administrators can still detect account takeovers when they occur: a login from an unfamiliar country or without multi-factor authentication, followed minutes later by a new mailbox forwarding rule or a recovery-address change, is a classic sign. And although stealing a user’s account may be easy, limiting the damage that account can do, by giving it only the access its owner actually needs, is still possible.
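As an added example of the detection side (not code from the original article, and not tied to any particular product’s log format), the following correlates a handful of constructed audit events per user: it flags a second login from a different country within an assumed two-hour window, any login without MFA, any forwarding rule that sends mail outside the assumed internal domain, and any risky account change made within thirty minutes of a login that was itself flagged. The log lines, field names, domain and thresholds are all made up for the illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed audit events in a made-up JSON-lines schema (not any product's format).
SAMPLE_LOG = """\
{"ts":"2023-05-02T08:01:00Z","user":"alice","event":"login","country":"GB","mfa":true}
{"ts":"2023-05-02T08:40:00Z","user":"alice","event":"login","country":"BR","mfa":false}
{"ts":"2023-05-02T08:43:00Z","user":"alice","event":"mailbox_rule_created","rule":"forward all mail to archive@attacker.example"}
{"ts":"2023-05-02T09:15:00Z","user":"bob","event":"login","country":"GB","mfa":true}
{"ts":"2023-05-02T17:00:00Z","user":"bob","event":"login","country":"GB","mfa":true}
{"ts":"2023-05-02T17:05:00Z","user":"bob","event":"mailbox_rule_created","rule":"move newsletters to folder Reading"}
"""

INTERNAL_DOMAIN = "corp-example.com"             # assumed
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)     # assumed threshold
POST_LOGIN_WINDOW = timedelta(minutes=30)         # assumed threshold
RISKY_CHANGES = {"mailbox_rule_created", "mfa_device_added", "recovery_email_changed"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def external_forward_target(rule: str):
    """Return the external address a forwarding rule sends mail to, or None."""
    m = re.search(r"forward.*?([\w.+-]+@([\w.-]+))", rule, re.I)
    if m and m.group(2).lower() != INTERNAL_DOMAIN:
        return m.group(1)
    return None


def detect_takeovers(log_text: str) -> list:
    """Walk each user's events in time order and emit alert dicts."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort chronologically
    alerts = []
    last_login = {}          # user -> most recent login event
    suspicious_login = {}    # user -> time of the last login that raised an alert

    def alert(e, rule, detail):
        alerts.append({"user": e["user"], "ts": e["ts"], "rule": rule, "detail": detail})

    for e in events:
        user, t = e["user"], parse_ts(e["ts"])
        if e["event"] == "login":
            prev = last_login.get(user)
            flagged = False
            if (prev and prev["country"] != e["country"]
                    and t - parse_ts(prev["ts"]) < IMPOSSIBLE_TRAVEL_WINDOW):
                alert(e, "impossible_travel", f'{prev["country"]} -> {e["country"]}')
                flagged = True
            if not e.get("mfa", False):
                alert(e, "login_without_mfa", e["country"])
                flagged = True
            if flagged:
                suspicious_login[user] = t
            last_login[user] = e
        elif e["event"] in RISKY_CHANGES:
            target = external_forward_target(e.get("rule", ""))
            if target:
                alert(e, "external_forwarding", target)
            started = suspicious_login.get(user)
            if started is not None and t - started < POST_LOGIN_WINDOW:
                alert(e, "change_after_suspicious_login", e["event"])
    return alerts


if __name__ == "__main__":
    for a in detect_takeovers(SAMPLE_LOG):
        print(a)
```

Bob’s rule creation is left alone because nothing about the login that preceded it was unusual; the value of the correlation is that a mailbox rule, harmless on its own, becomes an alert when it follows a login that already looked wrong. In a real environment the country field would come from IP geolocation and the forwarding-rule text from the mail platform’s audit API, but the sequencing logic is the same.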
But human error is a fact of life, and you still need an underlying layer of cybersecurity to stay safe. Check out our list of the top 10 antivirus programs in 2023 to see which solution will best support you against the dangers of social engineering.