Social engineering is a tactic that’s been around since before those snake oil salesmen in the old west traveled from town to town with their wagons selling scam cures.
While the scams being used these days tend to be more sophisticated and varied, the basics of social engineering remain the same. This term describes deceitful and manipulative tactics used to get a person to do something you want them to do.
In today’s digital world, that can mean things like:
- Hand over login credentials that they believe they’re inputting into a legitimate form
- Click a link to a phishing site that downloads malware
- Send sensitive company or personal information to a scammer they think is someone else
- Purchase bogus products or send money to a fake charity
- Open an innocent-looking file attachment that contains malware
Companies can and should put cybersecurity systems in place to help combat phishing and other social engineering attacks. However, user training is particularly important because of the very human element involved in social engineering.
In these types of attacks, the attacker isn’t trying to trick a system or computer into doing something, it’s trying to trick a human being… one of your employees. And they will use very sophisticated ways to do this.
Spotting Social Engineering Tricks
How can employees stay on their toes and be aware? It’s important that your team knows how to spot social engineering when they run across it online or coming into their phone or PC through email or SMS.
Here are some of the top tricks that attackers use.
Baiting will offer something to the user that attracts them to a particular file or link. A good example of baiting is when a phishing email purports to be from someone your company has never done business with and includes the promise of a “large purchase order” attached.
Many people would immediately want to open that file to see how big the order was. They’d be reeled in by the bait that the attacker used to get them to open a malicious file.
Scammers will often impersonate a company or person by using the company or individual’s email address in the “from” line of a message. This is pretexting. It’s when the attacker creates a false sense of trust in a message (DM, SMS, Email, or Phone call).
For example, an attacker could have looked up employees in your organization on LinkedIn and then texted you stating that this is (name of co-worker) and they just got a new phone and need the password to get into a company system. An unsuspecting employee might not question this and send the password over to the scammer.
Phishing is how many attackers will approach users to deploy social engineering attacks. Although phishing is more a delivery method for these other tactics, we wanted to include it because it’s the main delivery method and it’s important for users to understand that phishing can come in many different ways.
The most traditional way that phishing is deployed is through email. Another way is through SMS (text message). This method is becoming increasingly popular, and many users aren’t aware yet to be on the lookout for phishing via text.
Social media phishing is another type of phishing. Scammers will purchase ads on services like Facebook or Instagram. They can also get bolder and reach out to you via a direct message (DM), getting you to trust them before they spring their trap.
Quid Pro Quo
Quid pro quo is a similar tactic to baiting, but it will generally be something considered an equal trade-off. For example, you might see a free mobile app on a website for filtering images and when you download it, it will ask you for certain device access – such as access to your contacts. It may also require you to input some personal data to download the app.
You might feel the trade-off is worth it for the free app and comply. But that app could easily be a trojan that is hiding spyware or banking malware inside. It’s important to always stick to legitimate apps stores and research apps thoroughly before downloading.
Tailgating is a tactic that is in-person rather than online. It’s when an unauthorized person gains entry to a building or restricted area or device by pretending to have forgotten their access card or for another reason.
One common example of tailgating is when a criminal pretends to be making a delivery of some type. They may follow an employee into a building explaining that they need to deliver something important.
An employee going about their day may think nothing of it. But that criminal could then access sensitive systems or potentially place a listening device or hacking device of some type somewhere in the building that enables them to access digital systems remotely.
Work with C Solutions to Ensure Your Employees Are Well Trained On Social Engineering
C Solutions can provide engaging security awareness training for the team at your Orlando area business to improve their phishing and social engineering detection skills and reduce your risk of a breach.
Schedule a free consultation today! Call 407-536-8381 or reach us online.