Social Engineering: Attacking the Weakest Link


What Is Social Engineering and Why Is It So Effective?

Social engineering is the art of deceiving people into divulging sought-after information in order to commit fraud or identity theft, access a secured network, obtain trade secrets, sales and marketing plans, customer and supplier information or financial data, or simply disrupt business operations.

What makes social engineering so effective compared with other hacking methods is that it relies on human error rather than on finding and exploiting vulnerabilities in computer systems through technical means. This form of attack typically happens through email, text messages, online chat and phone calls.

With advances in technology and modern security systems in place, hackers can’t break into systems easily, so they target the weakest link in the security chain: the user. It is much easier for them to use psychological manipulation to trick someone into handing over confidential information such as passwords, bank details and credit card numbers, or access to a secure building.

Kevin Mitnick, one of the world’s most notorious hackers, helped popularise the term ‘social engineering’ in the 1990s, and he wrote a book, “The Art of Deception”, that contains real stories along with explanations of why each attack succeeded and how it could have been prevented.

Types of Social Engineering Attacks

Hackers use many different social engineering techniques to manipulate their targets, and the tactics vary with the medium used: email, the web, the phone, USB drives or something else. Broadly, social engineering attacks fall into two major types: remote and onsite/in-person.


Remote Attacks (Phishing)

Phishing is one of the most popular social engineering tactics attackers use to obtain sensitive information from their targets. It is usually carried out via email or text messages, and even phone calls.

Email attacks

Attackers send a well-crafted email with a deceptive subject line to convince the recipient that it comes from a trusted source. The email also contains seemingly legitimate documents, logos and contact details, plus a link to a cloned website, to fool the victim. The objective is to create a sense of urgency that demands immediate action from the user, such as a password change or an update to their personal information via the link the attacker sent. Once the user completes the form, the details go straight to the attacker.

Phone Call Attacks (Vishing)

A social engineer who attacks over the phone (often called “vishing”, for voice phishing) usually pretends to be someone such as an account holder, business partner, staff member or trusted provider of your organisation. They typically go through a series of preparations to gather the necessary background information before making the call so as not to arouse suspicion.

Spear Phishing

This social engineering attack has the highest success rate because users are selectively targeted. The perpetrator sends personalised spear phishing emails or phones the target user, chosen on the basis of job title, technical skills and so on. The attacker pretends to be a colleague within the organisation or an IT consultant and deceives the target in order to steal personal information. Spear phishing attacks can require months of preparation, which makes them harder to detect and gives them better success rates than the usual phishing scams.

Scareware

Scareware manipulates users through fear, deceiving them with annoying false alarm notifications into thinking their system is infected with malware, and then suggests they buy and download a fake antivirus product to get rid of it. In truth, the “antivirus” is itself potentially dangerous software that, once installed, can steal personal information. This attack is usually encountered while browsing the internet, though some scareware is distributed via email. Rogue security software and crypto miner locks are two of the most popular scareware tactics used by cyber criminals.

In-person/Onsite Attacks

In-person social engineering techniques are less common than remote attacks, yet they are very effective because businesses usually focus on IT security and completely ignore physical threats.

Shoulder Surfing

Shoulder surfing is a physical social engineering attack that uses direct observation to steal information. The attacker simply stands next to someone and watches closely as they type their login credentials or enter their PIN at an ATM.

Tailgating

Tailgating is another onsite social engineering technique used by attackers seeking entry to restricted areas protected by biometrics, RFID cards or other electronic access control. The attacker waits for the right opportunity to walk in behind an authorised person, or simply finds out when the next scheduled air-conditioning cleaning is due and dresses like one of the technicians to get past the front desk.

Key Loggers

Hardware and network devices often need technical servicing, and hackers take advantage of these opportunities. They impersonate third-party onsite tech support and install key loggers on shared computer systems to obtain usernames and passwords. This gives them access rights and lets them control the workstations remotely.

Baiting

Baiting is the social engineering equivalent of a Trojan horse. The attacker leaves a malware-infected flash drive in a public place, hoping someone will pick it up and plug it into their computer. Distributed USBs are usually labelled “Confidential” or “Salary info” to entice the victim into using them, giving the hacker access rights once they are opened. Hackers also use online baiting, enticing users with free goods online in exchange for their personal information.


How to Prevent Social Engineering Attacks

  • Educate everyone in your organisation about social engineering techniques by providing adequate training and seminars.
  • Review company policies and existing processes for handling transactions and important business activities to ensure standard operating procedures are followed.
  • Set your email spam filters to high and periodically check the spam folder in case important emails are caught accidentally.
  • Verify the sender’s email address by going directly to their site, and be suspicious of any unsolicited emails.
  • Increase the security of your devices by installing important system updates and keeping your antivirus up to date.
  • Enable multi-factor authentication (MFA), two-factor authentication (2FA) or two-step verification on your online accounts for an additional layer of security.
  • Always check that you are accessing the correct website URL. Online banking websites use extended validation SSL certificates, which prove the legal entity behind the website.
  • Emails or text messages with instructions on how to claim a prize, or money from an unknown relative, are guaranteed to be scams.
  • Download files only from trusted websites and always scan them with your updated antivirus. File attachments in unsolicited emails are potentially dangerous.
  • Be wary of tempting offers you encounter online, such as free online giveaways.
  • Be aware of your surroundings to spot possible onsite attacks.
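To show how the email checks in this list, and the warning signs described under “Email attacks” above, translate into something a mail gateway or help desk could run, here is an added example in Python. It is not code from the original article or from Essential Tech; it uses only the standard library, assumes a hypothetical list of trusted domains (`TRUSTED_DOMAINS`), and runs over two constructed sample messages (one phishing-style, one benign). It flags a look-alike sender address, a Reply-To that silently redirects replies elsewhere, urgency wording, and a link whose visible text shows a different domain from the one it really points to.

```python
# Added example (not from the original article): standard-library checker for
# common phishing indicators in a raw email message.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own domain and its known providers.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Wording typical of the "act now" pressure that phishing relies on.
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours",
    "account will be suspended", "verify your account",
)

# Constructed sample modelled on the email attack described in the article.
PHISHING_SAMPLE = """\
From: Example Bank Security <alerts@example-bank.com.secure-login-check.net>
Reply-To: support@mail-verify.net
To: staff@example.com
Subject: URGENT: Verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Please sign in at
<a href="http://example-bank.com.secure-login-check.net/login">https://www.example-bank.com/login</a>
immediately.</p>
"""

# Constructed benign sample for comparison.
LEGIT_SAMPLE = """\
From: Example Bank <alerts@example-bank.com>
To: staff@example.com
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement is ready at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
"""


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'a.b.example.com' -> 'example.com'.

    Deliberately crude; production code should consult the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mail_domain(header_value) -> str:
    """Domain part of the address in a From/Reply-To header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender domain that merely contains a trusted name as a sub-label.
    from_domain = mail_domain(msg.get("From"))
    if from_domain and registrable_domain(from_domain) not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in from_domain:
                findings.append(("lookalike-sender", f"{from_domain} imitates {trusted}"))

    # 2. Replies quietly redirected to a different domain than the sender's.
    reply_domain = mail_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain} but Reply-To {reply_domain}"))

    # 3. Pressure wording in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # 4. Visible link text naming one domain while the href goes to another.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        label_host = urlparse(label.strip()).hostname or ""
        if label_host and registrable_domain(label_host) != registrable_domain(href_host):
            findings.append(("link-mismatch", f"shows {label_host} but goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample))
```

On the phishing sample the function returns four findings (look-alike sender, Reply-To mismatch, urgency wording, link mismatch) and on the benign sample none. The domain comparison is the part a practitioner should harden: matching on the last two labels is enough to show the idea but misclassifies domains such as `example.co.uk`, so a real deployment would use the public suffix list, and these heuristics are a complement to, not a replacement for, SPF/DKIM/DMARC checks at the gateway.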

Anyone can be targeted by these social engineering attacks. The size or industry of your business doesn’t matter; there is always a risk involved when your information is available on the internet. Save yourself a headache by educating everyone in your organisation on how these attacks are performed and how to prevent them. Need a security audit for your business? Contact us today!
