Are your employees the weakest link in your cybersecurity chain?
Find out how your employees can be the weakest link in your cybersecurity chain, and how you can turn them into your strength.
Social engineering is a term used to describe a wide range of malicious activities carried out through human interaction. It uses psychological manipulation to induce users to commit security errors or give out sensitive information.
By understanding social engineering attacks, and recognizing that true protection against them requires both people AND technology, you can protect your organization from the consequences of these types of practices.
Here are some of the most common social engineering techniques:
Phishing is the most common social engineering tactic.
The attack is delivered through an e-mail, a website, an Internet ad or a video designed to push the victim into acting. The people behind it may pose as a bank, a delivery service or a government agency, or they may be more specific and appear to come from a department within the victim's own company (human resources, IT, sales...). Phishing e-mails, which often look harmless, always include a call to action: the victim is asked to click on a URL, which then leads to a fraudulent website that serves malware or harvests credentials.
Although even the least wary users have heard of this practice, it continues to wreak havoc, all the more so because cybercriminals are putting far more effort into making their messages well-crafted and inconspicuous.
Phishing variants include Spear Phishing, which targets a specific demographic, such as employees of a particular company or CFOs in a particular industry. There's also Whaling, which targets executives or high-level employees.
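One technical control that complements awareness training is to check inbound mail for the classic "call to action" trick described above: a link whose visible text shows one domain while its real target points somewhere else. The script below is an added example written for this article, not code from the original post; the message it analyses is constructed and every domain in it is a placeholder. It uses only the Python standard library and a deliberately simple "last two labels" notion of registrable domain, which a production filter would replace with a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message (not a real e-mail); all domains are placeholders.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank.example>
To: employee@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Please
<a href="http://acme-bank.example.attacker.example/login">https://www.acme-bank.example/secure</a>
now.</p>
<p>Questions? Visit <a href="https://www.acme-bank.example/help">our help page</a>.</p>
</body></html>
"""

# Constructed benign message for comparison: link text and target agree, and match the sender.
BENIGN_EMAIL = """\
From: "Acme Bank" <news@acme-bank.example>
To: employee@corp.example
Subject: Monthly statement available
Content-Type: text/html

<html><body><p>See <a href="https://www.acme-bank.example/statements">https://www.acme-bank.example/statements</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Heuristic: keep the last two DNS labels (a real filter would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of (severity, description) findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")

    collector = _LinkCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        # High severity: the visible text looks like a URL but its domain differs from the real target.
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_domain = registrable_domain(urlparse(shown).hostname or "")
            if shown_domain != href_domain:
                findings.append(("high", f"link text shows {shown_domain} but points to {href_domain}"))
        # Medium severity: the link leaves the sender's domain (common in legitimate mail, so only a hint).
        if sender_domain and href_domain != sender_domain:
            findings.append(("medium", f"link to {href_domain} does not match sender domain {sender_domain}"))
    return findings


def is_suspicious(raw_message):
    """True when at least one high-severity finding is present."""
    return any(severity == "high" for severity, _ in analyze(raw_message))


if __name__ == "__main__":
    for severity, description in analyze(SAMPLE_EMAIL):
        print(f"[{severity}] {description}")
```

The medium-severity check fires on plenty of legitimate newsletters, which is why it is reported as a hint rather than a verdict; the high-severity text/target mismatch is the signal worth alerting on or feeding into a mail gateway's scoring.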
Baiting is another fairly common form of social engineering. It consists of luring the victim with a tempting offer (free music or games). The attacker hopes that the password used to log in and collect the free digital gifts is one the victim reuses on more important sites; even if it is unique, the attacker can still sell it on the dark web. In the corporate world, a baiting attack most often takes the form of a USB key left in a shared area. When someone finds it and plugs it into a computer on the company network to see who it belongs to, they install malware.
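On the technology side, the USB-key variant of baiting can be spotted from the host's own kernel log, which records every new USB device and notes when the mass-storage driver claims it. The detector below is an added example written for this article, not code from the original post; the log excerpt is constructed, and the vendor/product ids and allowlist in it are made up. It correlates the "New USB device found" line with the later "USB Mass Storage device detected" line for the same port and raises an alert for any storage device not on an allowlist, ignoring non-storage devices such as a mouse. The patterns are searched rather than anchored, so lines carrying a syslog timestamp and "kernel:" prefix match as well.

```python
import re

# Constructed dmesg-style excerpt; the idVendor/idProduct values are invented placeholders.
SAMPLE_KERNEL_LOG = """\
usb 1-1: new high-speed USB device number 3 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Corporate Encrypted Drive
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new high-speed USB device number 4 using xhci_hcd
usb 1-2: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 1.00
usb 1-2: Product: Flash Disk
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: new low-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=5555, idProduct=0010, bcdDevice= 2.10
usb 1-3: Product: Optical Mouse
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for company-issued drives.
ALLOWED_STORAGE = {("1234", "0001")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_unapproved_storage(log_text, allowed=ALLOWED_STORAGE):
    """Return one alert string per mass-storage device whose vendor/product id is not allowlisted."""
    devices = {}   # port id -> {"vid", "pid", "name"} for devices seen so far
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": "?"}
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            dev = devices[m["port"]]
            if (dev["vid"], dev["pid"]) not in allowed:
                alerts.append(
                    f"port {m['port']}: unapproved mass storage {dev['vid']}:{dev['pid']} ({dev['name']})"
                )
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_KERNEL_LOG):
        print(alert)
```

Run against a live host this would read from the system journal or `/var/log/kern.log` instead of the embedded string; the correlation by port id is what keeps a keyboard or mouse from triggering the alert while an unknown flash drive does.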
As its name suggests, "pretexting" is a form of social engineering in which the attacker presents a pretext to gain the victim's trust. The attacker may pose as an investor, HR representative or other "legitimate" source. This type of scenario generally plays on the victim's emotions, using a sense of urgency or the element of surprise.
To overcome social engineering threats, it is essential to focus on both the human and the hardware/software side.
Let's start with the human side, which is the point of attack for cyber criminals specializing in social engineering! With this in mind, security training remains the best way to avoid falling victim to an attack. As part of their security awareness programs, organizations should continue to remind their employees of the following common practices:
Let's move on to the technological side! It is imperative to:
And above all, keep up to date with all the latest developments in cybersecurity by becoming a regular reader of our blog ;-)!