Social engineering is a prevalent attack tactic that relies heavily on human deception and is often the first step in larger campaigns to gain unauthorized access to systems, networks, data or finances. It works by persuading individuals to disclose information that provides the foundation for launching almost every type of cyberattack against an organization. This piece explains some common social engineering tactics and provides insight to help you build a comprehensive organizational program.
Social Engineering Attack Trends
Social engineering is one of the most common and successful forms of attack against organizations, affecting both the public and private sectors across every vertical. According to the 2020 Verizon Data Breach Investigations Report (DBIR), social engineering attacks were the top threat action leading to a breach. In addition, CSO Online reports that “phishing attacks account for more than 80 percent of reported security incidents” and “$17,700 is lost every minute due to phishing attacks.”
Stages of Social Engineering Attacks
Social engineering attacks follow a common four-stage process:
- Prepare — Collect victim information through social media, phone calls, email, text messages or physical sources.
- Infiltrate — Impersonate trusted contacts or authorities, and use the information gathered to gain the victim's trust and acquire access to higher-value targets: IT administrators, helpdesks or executives.
- Exploit — Convince victims to disclose sensitive information such as account credentials, payment details and other information using a link, an attachment or a website.
- Disengage — Cease communications with the victim, launch the intended malicious acts and vanish.
Social Engineering Attack Methods
- Phishing: This is by far the most common form of social engineering. It involves an email that looks legitimate but is intended to trick the recipient into providing sensitive information or clicking on a link that leads to malicious content. Phishing comes in different forms. For example, a plain phish may be a blanket email sent to a large group of people, while a “spear-phish” targets a particular group, such as the recruiting team or the finance team. A “whaling attack” is one that targets someone of importance or power, such as the CEO or head of finance. Other similar attacks include vishing (attacks via telephone or voice) and smishing (attacks via SMS or texting).
- Pretexting: With this form of social engineering, the attacker creates a fabricated scenario (or pretext) and asks for information – sometimes under the guise of urgency. The attacker may pose as someone in human resources or IT needing information right away. The request can come in the form of email, texting, phone calls or even in person.
- Baiting: This can be a form of phishing, but it can also take physical form, such as a letter, a USB drive or a DVD/CD. A baiting attack promises something of interest (such as a gift card) or a USB drive labeled as something interesting like “Company Salary Data.” The recipient is motivated by curiosity or the desire for a prize to take the bait.
- Quid pro quo: With this attack, the target is offered something in return for information. For example, victims may be asked to provide their email or Social Security number or even a password in exchange for a T-shirt, food or electronic goods.
- Tailgating: This is when an unauthorized person “tailgates” or “piggybacks” into an area with an authorized person. Perhaps the attacker starts a conversation and casually walks through a badge-restricted door, or enters an elevator and exits onto a restricted floor with an authorized employee.
- Business email compromise (BEC): With BEC, the attacker impersonates or compromises an email account to manipulate the target into initiating an account change or transfer of money, or into giving away sensitive information. The FBI’s Internet Crime Complaint Center (IC3) reports that in 2020, BEC scams were the most expensive, with 19,369 complaints filed and adjusted losses of approximately $1.8 billion (see Figure 1).
Social Engineering Attack Prevention
Social engineering is prevalent, successful and costly, resulting in financial and operational losses, and it negatively impacts an organization’s employees and reputation. Employee security awareness is the first step to prevention, followed by policy and technical controls.
To prevent and mitigate the impacts of social engineering, organizations should:
- Educate themselves on common social engineering tactics.
- Develop and implement a program that includes:
  - Training people.
  - Developing policies and procedures specific to all roles within the organization.
  - Implementing technology capabilities specifically designed for identifying social engineering attempts.
- Go beyond prevention alone and ensure response and recovery steps are also in place.
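As an added example of the technical controls the last list calls for (this is not code from the original post or from IANS), the following Python heuristic screens inbound mail headers for the impersonation patterns described under whaling and BEC above: an executive's display name on a message from outside the company, a lookalike sender domain, and a Reply-To that diverts replies elsewhere. The company domain, executive names and sample messages are assumptions constructed for illustration.

```python
# Heuristic screen for BEC and whaling attempts in inbound mail headers (added example,
# not from the original post). Company domain, executive names and samples are assumed.
import difflib
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumption: the organization's own domain
EXECUTIVES = {"jane doe", "john smith"}   # assumption: names an attacker would imitate

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when the address has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True when domain is not the legitimate one but similar enough to be confused with it."""
    if not domain or domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.8

def screen_message(headers):
    """Return the reasons a message looks like impersonation; an empty list means no finding."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(headers.get("Reply-To", ""))[1])
    name = " ".join(display.lower().split())
    # Whaling pattern: a trusted executive's name on mail sent from outside the company.
    if name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"executive name '{display}' sent from external domain '{from_domain}'")
    # Lookalike domain chosen to resemble the company's own (e.g. digit 1 in place of l).
    if is_lookalike(from_domain):
        reasons.append(f"sender domain '{from_domain}' resembles '{COMPANY_DOMAIN}'")
    # Reply-To pointing elsewhere than the sender: replies would go to the attacker.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    return reasons

SAMPLES = [  # constructed headers: one legitimate message followed by three impersonation attempts
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>"},
    {"From": "Accounts Payable <ap@examp1e.com>"},
    {"From": "John Smith <john.smith@example.com>", "Reply-To": "john.smith@outlook.com"},
]

def flag_samples():
    """Screen the constructed samples; return (From header, reasons) for each flagged message."""
    return [(m["From"], screen_message(m)) for m in SAMPLES if screen_message(m)]
```

Calling flag_samples() returns the three constructed impersonation attempts with their reasons and leaves the legitimate message unflagged; in practice the heuristic belongs in a mail gateway rule alongside DMARC, not as a replacement for it.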
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.