What is social engineering?
Social engineering is the use of psychological manipulation to elicit sensitive information from people in order to gain access to secure systems. As many organisations are now security-aware, they implement a number of security controls that make it difficult to gain unauthorised access to their data and systems.
Attackers can bypass those controls by simply going to the people who know the answer and obtaining the information from them. This is often far quicker than technical attacks, which may take days, weeks or months.
5 common social engineering techniques
Described below are the 5 most common social engineering techniques that attackers like to use.
1. Phishing
This is the most common social engineering technique. Attackers have taken advantage of the Coronavirus crisis, and phishing attempts have doubled. Emails are sent that are crafted to look as if they come from an official source. Attackers will go to painstaking lengths to make the emails look virtually identical to those of the organisation they are imitating. The emails tend to contain hyperlinks to untrustworthy sites, attachments containing malware, or requests for information such as login credentials, personal data or credit card details.
2. Social Media & Conferencing Tools
Being stuck indoors has led to an increase in online engagement. People who did not use social media previously have created accounts to keep in contact with friends and relatives. Working from home is novel to some people, so they are keen to post about it on social media, and some of those posts contain work-related information. Attackers search social media and use any such nuggets of information to their advantage.
The use of video and telephone conferencing has also grown during the crisis. People hold group calls without keeping the meeting details private, or host open meetings that require no credentials to join. Attackers can find and join these meetings to gather sensitive information.
One way attackers use social media is to look for people posting pictures of themselves wearing their identification badges. They take these images and use them to replicate the badges in order to gain access to buildings or resources.
3. Pretexting
Attackers contact people pretending to be a colleague, customer or partner, or claim to hold a senior position in order to intimidate the victim. The attacker may first divulge some plausible information (the pretext) to convince the victim that they are genuine, then use that trust to manipulate the victim into giving up further information.
4. The Good Samaritan
This technique is similar to pretexting, but here the attacker exploits the good side of human nature by asking for help. They act vulnerable, describe a terrible situation to the victim, and ask for assistance. They then use the scenario to ask for information or to gain unauthorised access.
One technique attackers have used is wearing a “prosthetic pregnancy belly” to appear pregnant. This encourages people to be more lenient and to want to help the “pregnant” person.
5. Tailgating
This technique is less common while people are working from home, but it can still affect those living and working in shared locations. The attacker follows a person through a secure door, either by asking them to hold it open or by slipping in behind them before it closes, and so gains unauthorised access to the premises.
How can you avoid being socially engineered?
The best defence against social engineering is education and awareness training. Teaching people the common techniques used by attackers helps them recognise and resist them.
Slowing down always helps. Being too eager to provide assistance, click on hyperlinks or open attachments can lead to unfortunate consequences. By slowing down and thinking about the situation, many attacks can be prevented. If there is any doubt, the person should stop and verify the request and the identity of the person making it, using a contact method they already trust rather than one supplied in the request.
Maintaining lists of people who are expected to be carrying out certain tasks at specific times is useful. Anyone not on the list should have their identity verified before being granted access.
Having an escalation process in place for handling suspected social engineering attempts. This could be a set of contact details or an internal site through which requests for information or access are reported and verified. This supports the potential victim, who then does not have to make the decision alone.
Having email filters in place, either internally or implemented by a third party, will filter out numerous phishing attempts. Rules can be enforced that block emails from untrusted or lookalike sources and allow those from trusted sources. Because the visible From address can be forged, such rules should be backed by sender authentication (SPF, DKIM and DMARC) rather than relying on the sender domain alone.
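As an added example (not code from the original article), the following Python script applies the kind of content rules a mail filter would run over one inbound message: it flags sender domains that typo-squat or embed a trusted domain, a display name that borrows a trusted brand, a Reply-To that points elsewhere, links whose visible text disagrees with their target, and attachments with risky extensions. The trusted-domain allow-list, the edit-distance threshold and both sample messages are constructed for illustration.

```python
"""Rule-based screening of an inbound email for common phishing signs.

Added example for this article, not code from the original page. The
trusted-domain allow-list and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation trusts.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'^(?:https?://)?([\w.-]+\.[a-z]{2,})', re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso")


def _levenshtein(a, b):
    """Edit distance; used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    """True for a trusted domain or any of its subdomains."""
    domain = domain.lower()
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    labels = domain.split(".")
    for t in TRUSTED_DOMAINS:
        # Typo-squat: examp1e.com, exarnple.com. A fixed threshold of 2 is an
        # assumption for this example; scale it with domain length in production.
        if _levenshtein(domain, t) <= 2:
            return t
        # Trusted name buried inside a longer host: example.com.secure-login.net
        if t.split(".")[0] in labels:
            return t
    return None


def screen_message(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")
    # Display name borrows a trusted brand while the address is not from that brand.
    if not is_trusted(sender_domain):
        for t in TRUSTED_DOMAINS:
            if t.split(".")[0] in display.lower():
                findings.append(f"display name '{display}' suggests {t} but sender is {sender_domain}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in LINK_RE.findall(body):
            host = urlparse(href).netloc.lower()
            target = lookalike_of(host)
            if target:
                findings.append(f"link host {host} imitates {target}")
            shown = HOST_IN_TEXT_RE.match(text.strip())
            if shown and shown.group(1).lower() != host:
                findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: "Example Corp IT Support" <helpdesk@examp1e.com>
Reply-To: recovery@mail-verify.net
Subject: Action required: password expiry
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://example.com.secure-login.net/verify">https://example.com/login</a>
to keep access.</p>
"""

LEGIT_SAMPLE = """From: "Example Corp IT Support" <helpdesk@example.com>
Subject: Scheduled maintenance
Content-Type: text/html

<p>Maintenance starts Saturday. Details:
<a href="https://intranet.example.com/maint">intranet.example.com</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, screen_message(raw) or ["no findings"])
```

The rules only inspect message content, so they complement rather than replace sender authentication: a message that passes these checks can still carry a forged From header unless SPF, DKIM and DMARC are enforced at the gateway.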
Avoiding posting sensitive information on social media sites, even on private accounts. Think about what the post contains and how it could be used maliciously; if the content must be posted, redact anything that could be misused. Ensure that video and telephone conferencing details are kept secure and that meetings are set up as private, so that only those with the details can participate.
Carrying out regular reviews of incidents. Whenever a social engineering incident occurs it should be recorded. Reviewing incidents helps prevent repeats, through education or by tightening security controls.