Most complex cyber attacks begin by using social engineering to trick users into divulging sensitive information or downloading malware. This blog explains what to beware of.
What is social engineering?
Social engineering is one of the oldest cons in existence. In the context of modern information security, it entails cyber criminals masquerading as legitimate entities in order to fool unsuspecting users into compromising their security by giving away sensitive information, or transferring money to the wrong recipient. The vast majority of cyber attacks use social engineering as a first step towards infiltrating networks and exfiltrating data.
Social engineering techniques
There are numerous types of social engineering attacks, including:
- Phishing: Phishing emails purport to be from legitimate senders, but usually have malicious attachments or link to sites that either use drive-by downloads to install malware onto victims’ machines or harvest their credentials.
- Spear phishing: Spear phishing emails target specific individuals or organisations, and often rely on personal information that has either been compromised in other attacks or is publicly available in order to increase their credibility.
- Vishing/voice phishing: This refers to social engineering carried out over the telephone. Callers try to gather information from victims by pretending to be from legitimate or trusted organisations, such as IT departments or the police.
- Smishing/SMS phishing: Social engineering carried out via SMS or text messages.
- CEO fraud/whaling: A type of targeted phishing attack directed at senior executives.
- Business email compromise: These scam emails frequently purport to be from high-level employees and use social engineering tactics to fool users into wiring money to the wrong recipient or disclosing critical business information.
- Pharming: Pharming attacks redirect a website’s traffic to another, malicious, site that impersonates it. They are most often carried out via DNS (Domain Name System) spoofing or cache poisoning attacks.
- Tabnabbing/reverse tabnabbing: A type of attack that rewrites an unattended browser tab with a malicious site. Unsuspecting users who return to the tab may not notice that the page is not legitimate.
- Pretexting: An essential part of complex attacks, in which the social engineer establishes a victim’s trust, having conducted research to create a backstory to make themselves more plausible.
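Reverse tabnabbing, listed above, depends on a page opened with target="_blank" keeping a window.opener reference back to the original tab; browsers cut that reference when the link carries rel="noopener" (or rel="noreferrer"). The following audit script is an added example, not code from the original post: it scans a page's HTML for outbound links that still expose the opener, using constructed sample markup and a deliberately simple regex-based scan rather than a full HTML parser.

```javascript
// Added example: find <a> tags that open a new tab without rel="noopener"
// or rel="noreferrer", i.e. links that could be abused for reverse tabnabbing.
// Regex-based and intended for static HTML audits; it is not a full HTML parser.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Extract one attribute value from an opening tag (double, single or unquoted).
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  if (!m) return null;
  return (m[1] ?? m[2] ?? m[3]).trim();
}

// Return every anchor that targets a new tab but does not sever window.opener.
function findTabnabbingLinks(html) {
  const findings = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const target = getAttr(tag, "target");
    if (!target || target.toLowerCase() !== "_blank") continue;
    const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({ href: getAttr(tag, "href"), tag });
  }
  return findings;
}

// Constructed sample markup for the demonstration (not from any real site).
const SAMPLE_HTML = `
<a href="https://example.com/report" target="_blank">Report</a>
<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">Safe</a>
<a href='https://example.com/other' target='_BLANK' rel="nofollow">Other</a>
<a href="https://example.com/same">Same tab</a>
`;

console.log(findTabnabbingLinks(SAMPLE_HTML).map((f) => f.href));
// → ["https://example.com/report", "https://example.com/other"]
```

Links reported by the scan should be given rel="noopener noreferrer" so that a page opened in the new tab cannot navigate the tab the user left behind.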
How to mitigate social engineering attacks
The responsibility for information security lies with every member of staff, and security practices need to be embedded in the working practices of the whole business in order to be effective. Using regular staff awareness training to break users’ unconscious habits and increase their vigilance will reduce your organisation’s risk of attack.
Our Phishing Staff Awareness Course will help your staff identify and understand phishing scams, as well as explaining what could happen if they fall victim and how to mitigate the threat of an attack.