By ProServeIT on February 25, 2023

What is Social Engineering & 4 Ways to Prevent Attacks


Social engineering attacks are one of the most prevalent types of cybersecurity attacks in a hacker’s arsenal today. Growing in popularity among nefarious people, social engineering attacks play off emotions and use manipulation, influence, or deception to access an organization’s system, environment, or network.

So, the question must be: How can businesses like yours protect themselves against social engineering attacks? Is there anything that you can do to stop social engineering attacks in their tracks?

This blog will explore these questions and show you 4 ways to prevent social engineering attacks. Read on to learn more.

In this blog, you will find: 

🤔 What is a social engineering attack? 

👁️ What does a social engineering attack look like?

🔍 How can I identify a social engineering attack?

🖐️ The 5 Types of social engineering attacks

🛡️ 4 Ways to protect yourself against social engineering

🏢 How to protect your organization against social engineering attacks

What is a social engineering attack?

A social engineering attack is a method cyber criminals use to deceive individuals into providing sensitive information or granting access to restricted systems by exploiting their trust. Instead of hacking into a system directly, attackers manipulate people into willingly revealing information or taking actions that benefit the attacker.

Unfortunately, the reality is that social engineering attacks can come from any interactions that you undertake in your daily life – from the apps you use to the stores you frequent, to your loyalty cards or points cards, to the things you post on your social media account(s), and everything in between.  

Take, for instance, Canada Post's revelation that one of its suppliers, Commport Communications, was the victim of a malware attack. According to the CTV article, Commport Communications, a data solution supplier, is responsible for the “shipping manifest data of large parcel business customers.” The article says that while no financial information was stolen, most manifests that were impacted by this breach included names and addresses of businesses and customers, including “sender and receiver contact information that you would find on shipping labels.”

In other words, this breach potentially allowed the hackers to access pertinent information about the shipping and receiving habits of over 950,000 customers – information that, to a hacker, can be used to manufacture social engineering attacks. How, you ask? Let’s look at this example below.


What does a social engineering attack look like?

Ryan Jones is the CEO of TechCorp. Ryan’s company purchases office supplies from Big Red Paper Company, which is, for the purpose of this example, one of the 950k customers affected by the breach we mentioned above.

The hacker(s) involved in the breach now hold a history of shipping labels that were created with Big Red Paper Company as the shipper and TechCorp as the receiver. This includes, at minimum, the names of the people within TechCorp that these items were shipped to and the dates shipped.

From this information, the hacker can infer at least two things:

  1. How often TechCorp bought something from Big Red Paper Company – the frequency of orders.
  2. Who was the purchaser in the organization – who placed the order?

Using just this information alone, the hacker could do one of the following:

  1. Contact the purchaser and let them know there was a problem with their most recent order, and they need to "verify" their credit card or banking information.
  2. Send an attachment to the purchaser that contains malware designed to infiltrate the company’s network.
  3. Snoop the purchaser’s social media accounts to determine likes, dislikes, hobbies, activities, or other notable points of interest, then use that information to phish the individual.
  4. Pose as a delivery person of Big Red Paper Company and access the physical building to dumpster dive, impersonate a co-worker, leave corrupted flash drives for employees to find, or do other nefarious activities.


How can I identify a social engineering attack?

To identify a potential social engineering attack, consider the following:

  1. Carefully review emails for spelling errors, unusual requests, or suspicious links that might indicate a fraudulent message.

  2. Exercise caution when receiving phone calls requesting sensitive information like personal or financial details. Always verify the caller's identity before disclosing any information.

  3. Familiarize yourself with your bank's and organization's policies regarding phone and email communication so you can distinguish legitimate requests from fraudulent ones.

  4. Gain an understanding of your company's organizational structure, which will help you authenticate the identity of individuals contacting you from within the organization.

The 5 Types of social engineering attacks

Social engineering attacks can take many forms, but the five most common are:

  • Phishing attacks

Typically delivered in the form of an email, phishing attacks are designed to trick the recipient into opening an unsafe link or attachment, going to a false website to provide credentials, replying to an email, wiring money or purchasing gift cards, or taking some other action that would compromise systems and/or lead to data loss.

  • Baiting attacks

Baiting attacks come in two types: digital attacks and physical attacks. Digital attacks involve enticing the recipient with an offer (such as free music downloads) in exchange for personal data (such as login information). Physical attacks rely on leaving an item (such as a branded/logoed flash drive pre-loaded with malicious software) where an end-user can find it and use it.  

  • Quid Pro Quo attacks

A quid pro quo attack would involve the hacker requesting login credentials in exchange for a service or a monetary prize. One good example of this is when a hacker poses as someone in their victim’s IT department, suggests that the victim has picked up a virus on their computer, and offers to help the victim get rid of it after the victim provides their username and password. Another example, probably far more familiar, is someone receiving a call and being told that they’ve won an all-expenses paid cruise, but they need to provide “some basic information.”

  • Piggybacking attacks

This refers to an attack on an organization's physical premises or physical assets; for example, a hacker pretends they “forgot their ID badge” and asks someone to hold the door for them.

  • Pretexting attacks

A pretexting attack is when a hacker impersonates a trusted figure in a victim’s life and uses the false sense of trust that this entails to attack the victim. One example of this could be when the hacker impersonates an employee’s boss and asks them to do something out of the ordinary. Trusting that it is, in fact, their boss, the employee does what’s requested (note: this happened to one of ProServeIT’s interns – read the story here).


4 Ways to protect yourself against social engineering:

As mentioned before, social engineering attacks prey on end-users' emotions – that’s you. They’re designed to manipulate you into doing something that the hacker wants you to do. Because emotions are involved, you’re far more likely to react, sending logic and critical thinking out the window. Have you ever received an email from “your bank”, claiming that your account is frozen? How did it make you feel? Did you panic? What about receiving a call from the Canada Revenue Agency claiming that you were violating something and they had a warrant out for your arrest? Did your anxiety spike? Did you just want it all to “go away”?

In a social engineering attack, the hacker plays on your fears, anxieties, curiosities, and even your anger to manipulate you into doing what they want you to do.

According to a Kaspersky article outlining how phishers used COVID-19 to gain credentials, attentiveness and knowledge are your two best defenses against a social engineering attack.

Here are some ways that you can protect yourself:

  • Question everything that comes into your inbox

Are there spelling errors in the body of the email? Is the email asking you to log into something? Is the email asking for something that’s out of the ordinary? Check the link – does it seem legitimate?

  • Screen your calls very carefully

Does someone want you to give them your credit card information? Is the person asking for a username and password? If they’re asking you for this kind of information, don’t give it to them! Ask them for their name and a number where you can call them back, then go and look up the number. They’ll most likely pressure you into acting – take a deep breath and repeat your request.

  • Check with your banking institutions about their phone policies

Does your bank have something in place where they’ll never ask you for your username or password via the phone? If you know this beforehand, a hacker won’t be able to pull the wool over your eyes.

  • Get to know your organization's structure

Can you verify that the person who’s calling works for your company? If your organization is much larger, ask them who they report to, then tell them you need to call them back and ask for a phone number.
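The inbox checks above (does the link go where it says it goes, is the message pressuring you, is it asking for credentials or payment details) can be partly automated. The script below is an added example written for this post, not code from ProServeIT or any product it mentions: it scans a constructed HTML e-mail and lists the indicators it finds. The phrase lists, the trusted-domain list, and the two-label domain comparison are simplifying assumptions; a production mail filter would use a public-suffix list and a much larger indicator set.

```python
"""Heuristic phishing-indicator checks for an HTML e-mail body.

Added example for this post, not ProServeIT code. It automates the
"check the link / question unusual requests" advice with a few
defensive heuristics. Phrase lists, the trusted-domain list and the
two-label domain comparison are simplifying assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure tactics the post mentions (constructed, illustrative list).
URGENCY_PHRASES = ("account is frozen", "act now", "within 24 hours",
                   "warrant", "immediately", "verify your")
# Requests for data a legitimate sender would not ask for by e-mail.
CREDENTIAL_PHRASES = ("username and password", "log in", "login",
                      "credit card", "banking information")
# Something that looks like a host name inside the visible link text.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_email(html_body, trusted_domains=()):
    """Return a list of human-readable indicators found in the message."""
    indicators = []
    collector = _LinkCollector()
    collector.feed(html_body)
    # Plain text for phrase matching: strip tags, lower-case.
    text = re.sub(r"<[^>]+>", " ", html_body).lower()

    for href, visible in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel:, relative links are not scored here
        href_host = parsed.hostname.lower()
        shown = _HOST_RE.search(visible)
        # Visible text names one domain, the href points somewhere else.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            indicators.append(f"link text shows {shown.group(1).lower()} but points to {href_host}")
        if trusted_domains and registrable_domain(href_host) not in trusted_domains:
            indicators.append(f"link to untrusted domain {href_host}")
        if parsed.scheme == "http":
            indicators.append(f"unencrypted http link to {href_host}")

    for phrase in URGENCY_PHRASES:
        if phrase in text:
            indicators.append(f"urgency phrase: '{phrase}'")
    for phrase in CREDENTIAL_PHRASES:
        if phrase in text:
            indicators.append(f"asks for credentials or payment data: '{phrase}'")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_PHISH = (
    "<p>Dear customer, your account is frozen. Log in within 24 hours to "
    "verify your order: "
    '<a href="http://examplebank-secure.example.net/login">'
    "https://www.examplebank.com/secure</a></p>"
)
SAMPLE_LEGIT = (
    "<p>Hi Ryan, your order shipped today. Track it at "
    '<a href="https://www.bigredpaper.example/track">'
    "https://www.bigredpaper.example/track</a>.</p>"
)

if __name__ == "__main__":
    for label, body, trusted in (("phish", SAMPLE_PHISH, ("examplebank.com",)),
                                 ("legit", SAMPLE_LEGIT, ("bigredpaper.example",))):
        print(label, check_email(body, trusted) or ["no indicators"])
```

Run as-is, the constructed phishing sample produces seven indicators (the mismatched link, the untrusted and unencrypted destination, three pressure phrases and one credential request) while the legitimate shipping notice produces none. The mismatch check is the one worth keeping even in a minimal filter: it catches the classic trick of showing a trusted-looking URL as link text while the href points elsewhere, which no amount of spelling-error review will reveal.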

 

How to protect your organization against social engineering attacks:

When it comes to organizational protection, cybersecurity often starts in your inbox. Your organization’s inboxes are often a hacker’s entry point into your organization’s IT environment. As mentioned, social engineering attacks, like phishing scams, are often sent via email, and an unsuspecting click is all it takes to spell disaster.

ProServeIT's Alarm Guardian helps you to proactively take action against potential threats by using Azure Sentinel, a cloud-native security information and event management (SIEM) platform that works like an alarm system to distinguish "normal" activity from "suspicious" activity and alert you to potential threats within your networks. But it doesn't stop there. Built-in machine learning means that Sentinel can also proactively take action against potential threats.

Discover the power of Alarm Guardian and elevate your organization's cybersecurity. Contact us to begin your journey towards a more secure future today!
