IT 101 – Social Engineering Attacks
Welcome to IT 101, where the experts at 2W Tech will tackle a hot topic in the IT industry and break it down for educational purposes.
Imagine discovering a data breach occurring in your network despite the rest of your day being business as usual. The lone irregularity came when the CEO of one of your clients sent an urgent email asking you to send the company’s bank account number so she could pay off her invoice, even though you were certain her account was already caught up. Then other clients started complaining about fraudulent activity on their accounts…
Uh oh. Sounds like a social engineering attack.
Social engineering is a method of gathering information, or of carrying out an attack, that relies on exploiting the weaknesses of individuals. These attacks can involve psychological approaches as well as physical procedures.
With psychological approaches, social engineering attacks rely on a hacker’s manipulation of human nature to persuade the victim to provide information or take actions. Along with the CEO example above, this could include intimidation, consensus/social proof, urgency, scarcity, familiarity/liking, or trust.
Another tactic used in the above example is impersonation. In social engineering, impersonation means masquerading as a real or fictitious person and then playing out that role to deceive a victim. In our example, a hacker pretended to be the CEO of a major client. Other roles that could be impersonated include a help desk support technician, a repair person, a trusted third party or a fellow employee.
Phishing is another common form of social engineering. Phishing is sending an email or displaying a web announcement that falsely claims to be from a legitimate enterprise to trick the user into surrendering private information. The information sought includes passwords, credit card numbers, Social Security numbers and bank account numbers.
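As an added illustration (example code written for this post, not 2W Tech's own tooling), the following Python script screens an incoming message for the signals the CEO example and the phishing description above point to: a familiar display name arriving from an unexpected domain, a Reply-To that redirects responses somewhere else, and an urgent request for banking details. The contact directory, the domains and the two sample messages are constructed for the example; a real deployment would feed it messages from the mail gateway and maintain the contact list from the address book.

```python
"""Heuristic screen for impersonation-style phishing emails (added example).

Three signals are checked on each message:
  1. The From display name matches a known contact, but the address domain
     is not the one that contact normally sends from (impersonation).
  2. A Reply-To header points to a different domain than From (replies are
     diverted to the attacker's mailbox).
  3. The body combines urgency language with a request for financial details.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> domain it normally uses.
KNOWN_CONTACTS = {
    "jane doe": "client-corp.example",
}

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
FINANCIAL_TERMS = (
    "bank account", "account number", "routing number", "wire", "gift card",
)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def text_body(msg: Message) -> str:
    """Collect the text/plain content of a (possibly multipart) message."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode("utf-8", "replace"))
    return "\n".join(parts)


def screen_message(raw: str) -> list[str]:
    """Return a list of human-readable flags; an empty list means no signal."""
    msg = message_from_string(raw)
    flags: list[str] = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Signal 1: known name, unexpected sending domain.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        flags.append(
            f"display name '{name}' is a known contact but the address domain "
            f"is '{from_domain}' (expected '{expected}')"
        )

    # Signal 2: replies diverted to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(
            f"Reply-To domain '{domain_of(reply_addr)}' differs from From "
            f"domain '{from_domain}'"
        )

    # Signal 3: urgency combined with a request for financial details.
    text = (msg.get("Subject", "") + "\n" + text_body(msg)).lower()
    urgent = [t for t in URGENCY_TERMS if t in text]
    financial = [t for t in FINANCIAL_TERMS if t in text]
    if urgent and financial:
        flags.append(
            f"urgent request for financial details (urgency: {urgent}, "
            f"financial terms: {financial})"
        )
    return flags


# Constructed sample mirroring the CEO scenario in the post.
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@mail-relay.example>
Reply-To: accounts@payments-desk.example
To: billing@yourcompany.example
Subject: Urgent: invoice payment today

Hi, I need to pay off our invoice immediately. Please send your company's
bank account number right away so I can wire the payment today.
"""

# Constructed benign sample from the same contact at her normal domain.
BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@client-corp.example>
To: billing@yourcompany.example
Subject: Quarterly review

Could we move next week's review meeting to Thursday afternoon? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", screen_message(sample) or "no flags")
```

Each flag on its own is only a hint (a contact might legitimately write from a personal address, and a shared mailbox may set Reply-To on purpose), so the value of the script is in routing flagged messages to a human who verifies the request over a known phone number rather than in blocking outright.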
You and your IT departments also should be on the lookout for:
- Hoaxes – A hoax is a false warning, often contained in an email claiming to come from the IT department, asking users to erase specific files or change security configurations. Making those changes, however, allows an attacker to compromise the system.
- Watering hole attack – This is directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company. An attacker who wants to target this group of executives will try to find a common website that they frequent and infect it with malware that will make its way onto the group’s computers.
Along with psychological manipulation, other social engineering attacks rely on physical acts like dumpster diving. This involves digging through trash to find any information that can be useful in an attack, such as calendars, USB flash drives, or system manuals.
Tailgating is another tactic used to gain access to an organization. As an employee enters a restricted area, an unauthorized individual can wait nearby and ask to be let in, succeeding by taking advantage of a person’s good nature.
The best cybersecurity solution in the world can’t completely protect your organization from a well-executed social engineering attack. Contact 2W Tech today to get started with your Cybersecurity Compliance Program and let our IT Consultants do the work for you.