According to a 2021 Zogby Analytics survey for the U.S. National Cybersecurity Alliance, nearly half of companies with 251-500 employees have been targeted by cybercriminals. Humans remain the most vulnerable link: they have access to information and can be influenced by social engineering methods.
So, what is social engineering? It is a set of methods scammers use to "hack" people: to illegally obtain valuable information from them, or the means of accessing it. A 2018 Verizon report found that nearly one in five data breaches involved such methods. By its very definition, social engineering is one of the main threats to information security. The easiest and most effective way to protect data is red team pentesting. It is also important to know the basic tools of social engineering in order to be prepared for cyber-attacks.
What Is a Common Technique Used in Social Engineering?
Most often, scammers use several methods at once to force the victim to reveal secret information. The most commonly used of these methods are detailed below.
Phishing
This technique is used by criminals to obtain a username and password for logging in to a computer system. It works in the following way:
1. The employee receives an e-mail, which, for example, reports a security breach.
2. In such a letter, the attacker asks to follow the link or click on the button to change the password.
3. After clicking on the link, the user is first asked to enter their current account credentials. If the form is filled out, the fraudster gains access to the employee's account and all the information in it.
Sometimes, criminals even create an almost complete copy of the site so as not to arouse the victim's suspicion. In other cases, the link leads to a malicious website, or the message carries an attachment containing malware.
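As an added example (not part of the original article), the checks below triage one raw e-mail for the indicators of the lure just described: a sender domain that is not the organisation's, a Reply-To that differs from From, urgency language in the subject, link text that names one host while the href goes elsewhere, and a lookalike host that embeds the real domain. The sample message, the domains and `LEGIT_DOMAIN` are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the lure described above: a "security breach" notice
# with a password-reset link. Domains are placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: IT Security <it-security@examp1e-corp.com>
Reply-To: helpdesk@mail-recovery.example
To: employee@example-corp.com
Subject: URGENT: security breach detected, change your password now
Content-Type: text/html

<p>We detected a security breach. Change your password immediately:</p>
<a href="http://example-corp.com.account-reset.example/login">https://example-corp.com/reset</a>
"""

LEGIT_DOMAIN = "example-corp.com"  # assumption: the organisation's real domain
URGENCY_WORDS = ("urgent", "security breach", "immediately", "change your password")
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def addr_host(header) -> str:
    """Domain part of an address header ('' if the header is absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def url_host(url: str) -> str:
    """Host part of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw: str) -> list[str]:
    """Return the indicators found in one raw e-mail (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_host, reply_host = addr_host(msg["From"]), addr_host(msg["Reply-To"])
    if from_host != LEGIT_DOMAIN:
        findings.append(f"sender domain is not {LEGIT_DOMAIN}: {from_host}")
    if reply_host and reply_host != from_host:
        findings.append(f"Reply-To domain differs from From: {reply_host}")
    if any(w in str(msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        findings.append("urgency language in subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        shown, target = url_host(text.strip()), url_host(href)
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if target != LEGIT_DOMAIN and LEGIT_DOMAIN in target:
            findings.append(f"lookalike host embeds {LEGIT_DOMAIN}: {target}")
    return findings
```

A mail gateway or SOC playbook would feed each inbound message through `phishing_indicators` and route anything with findings to review rather than to the inbox.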
Spear Phishing
Using this technique, the attacker collects as much information as possible about a specific victim in advance so as not to arouse suspicion during the phishing attempt itself. If a business is the target, the fraudster may pose as a cybersecurity expert and report a serious vulnerability in the system that can supposedly be fixed by installing a dangerous application or clicking on a malicious link.
Pretexting
When using this method of social engineering, the scammer contacts an employee of the company, pretending to be a different person and asking for the data they need. For example, it may be a message from a "colleague" who urgently needs a username and password for the system. Another classic example of pretexting is a "bank employee" who asks the victim to answer a few questions, ostensibly to verify the client's identity. In this way, phone numbers, addresses, bank records, or passwords for the company's security system can be stolen.
Baiting
This method lures the victim into a trap through which the fraudster gains access to personal data. Every Internet user has come across examples of it. Remember the advertisement: "You won a million dollars. To receive your winnings, follow the link ..."? With the help of such deception, the victim is made to download malware or visit a dangerous site. Baiting also occurs outside the Internet. Some people pick up "lost" flash drives on the street or indoors and plug them into their computers out of curiosity. As a result, the external drive automatically installs a program with viruses, and you can say goodbye to your data.
Scareware
This method is usually encountered on the Internet. Scareware consists of intrusive notifications, such as "the user's device is infected with malware," paired with an urgent demand to install a data protection application. In fact, that application is what carries the virus or another threat. Similar notifications can also be sent to employees' corporate email addresses.
How to Protect Yourself from a Social Engineering Attack?
Such cyberattacks are often successful because scammers take advantage of the victim's feelings (fear, curiosity, lust for easy money, etc.). For this reason, such techniques are very difficult to defend against, since victims do not realize that they are being deceived. However, there are still a few tricks that will help outplay the criminal.
1. Don't open emails and other notifications unless you're sure the source is reliable. Most social engineers use e-mail for their tricks. Treat every message with a grain of salt. Even if your job involves communicating with customers, use an alternative channel (such as a telephone call) to confirm who you are dealing with and what they want, so as not to fall into a trap. The same applies if someone offers you their services. The worst thing you can do in this situation is to click on the first available link in the email.
2. Multi-factor authentication is a great way to protect sensitive data from unauthorized logins. Additional confirmation is often performed using a notification that comes to the user’s phone.
3. Don't trust the Internet! Be suspicious of any tempting offers. Fraudsters are very fond of luring gullible users into their traps because, unfortunately, this works quite often. If you are the head of a company, write a manual for your employees that describes what to do when they receive suspicious messages from unknown sources. Identify the information most likely to be the target of a cyberattack and ask employees to be especially vigilant when working with such data.
Social engineering tools are constantly improving, and scammers keep coming up with new ways to deceive. Keep the antivirus software on your device up to date to avoid becoming a victim of an attack using the latest malicious tools. It also does not hurt to scan the system for suspicious files from time to time. Business leaders should pay special attention to cybersecurity, because they are often the target of experienced intruders.