Social engineering attacks are increasing in inboxes everywhere, and it’s vital that your employees know how to spot these manipulation attempts.
What about the other 97 percent?
They’re going after people; specifically, they are using social engineering tactics to trick end users into taking a desired action.
What is social engineering?
When hackers use social engineering tactics, they are using the art of manipulation to get people to divulge confidential information.
Most social engineering attacks focus on getting passwords or other credentials so threat actors can later access financial resources. Or, they gain access to a machine to install malware, to either gain control of your machine or just get your credentials in another way.
What do social engineering attacks look like?
A social engineering attack can take one of several forms, or they can be stacked on top of one another to build an elaborate scheme centered around exploiting an individual’s trust. Below, I’ve detailed five different ways cyber criminals utilize social engineering to manipulate end users.
Emails from someone you know
An email account gets hacked every 158 seconds, according to Review 42 and Inc., so it’s not that surprising that an email allegedly coming from someone you know is actually a cyber criminal.
When a hacker gains control of someone’s email account, they prey on the contact list.
These messages typically include a link, and since it’s coming from a trusted contact with the correct domain address and name, you’ll probably feel safe enough to click the link. You won’t want to do that, though, as it’s likely malicious. They may also do the same thing with an attachment purporting to be a spreadsheet or an invoice.
Emails from other trusted sources
Let’s take phony IT support emails, for example. They’ll pretend to be with your software’s support team. They may even name drop some other individuals’ names within your company to earn your trust. These criminals will devise an entire story to fool their victim into acting.
This is a tactic known as pretexting. In these situations, the email will be engineered to feel urgent and get you to act, explaining that you may need to verify or act quickly.
Phone calls from trusted sources
Like the emails mentioned above, some cyber criminals take it one step further and will call you to get you to act rashly. To continue with the IT support example, they will convince you to give them credentials, or worse, complete remote access to your machine.
Falling for these phony support calls is risky. If someone claims they are with IT support, you’ll want to verify that they are in fact who they say they are. Do not allow them access to your machine, and always be wary of someone asking for confidential information or credentials over the phone.
Social media messages & false accounts
Social networking platforms are rife with phishing attempts. From fake friends to false accounts for businesses and more, scams run rampant, including tactics like:
Abuse of Shortened Links
This is especially common on Twitter due to the character limit in posts. Many accounts use short URLs to maximize their use of the character limit, but threat actors take advantage of it to infuse malicious links into their content.
Creating fake profiles and accounts to trick individuals isn’t a new practice. Once a threat actor does so, it becomes incredibly simple to damage that person’s reputation or brand—and even trick users into taking action.
Phishing and Credential Theft
Some social media phishing attacks get users to navigate to fake sites and convince them to enter user data. From there, a criminal has complete access to their account and can continue to manipulate others in that individual’s following.
Physical attacks like tailgating or baiting
When it comes to physical attacks, a criminal will often use tailgating or baiting tactics.
Many modern offices use security badges to ensure that only authorized personnel have access. The tailgating method involves waiting for an authorized individual to open and pass through a secured entry. Then they follow right behind to enter, “tailgating” that individual to get access to a building or other secured area.
Baiting involves leaving something behind for someone to find. It could be a USB drive or external hard drive labeled “2020 Tax Records” or something similar, but it’s actually a malware script, and once inserted into your device, will download a malicious file to that computer.
Once downloaded, a hacker then has access to the victim’s infected computer and therefore your network.
To see even more ways social engineers manipulate and trick end users, check out this infographic from KnowBe4.
How can your employees help protect your business from social engineering attacks?
Since human error accounts for over 90 percent of cyber attacks, it’s crucial your employees are aware of the threats circulating online and off. Requiring cyber security awareness training is a key component of keeping your business safe, but always follow these tips when determining if there’s a social engineer on the other end of that message or phone call.
- Slow down. Don’t act immediately. Most social engineering attempts are designed to get you to take hasty action without further consideration. If an email feels sketchy or elicits an emotional response, take a moment to ask yourself why.
- Carefully review the email. Were you expecting this message? If not, think about why you might be receiving it.
- Don’t click links in emails. Navigate to websites or pages directly, especially if an email is telling you to take urgent action or your account will be frozen/locked. If you do plan to click a link, be extremely wary and hover over every link in the email.
- Use a dual-verification method. This is especially important when dealing with financial information or wire transfers. If your supervisor emails you to make a wire transfer, make sure you verify with them using a second means of communication—do not reply to the email in case it is fraudulent.
- Beware ALL attachments. Doubly so if you’re not expecting it.
- Be vigilant when working remotely. You’re on guard for social engineering ploys in the office, but you need to be even more careful when working remotely or from home.
Do you have concerns about IT security for your business? First, download our IT security scorecard to identify your possible gaps and vulnerabilities.
Then when you’re ready, reach out to us to schedule a complete IT security assessment.