Social engineering attacks are among the most prevalent attacks in a hacker’s arsenal today. Increasingly favoured by criminals, they play on emotions and use manipulation, influence, or deception to gain access to an organization’s systems, environment, or network.
So, the question must be asked: how can businesses like yours protect themselves against social engineering attacks? Is there anything you can do to stop social engineering attacks in their tracks?
In this blog, we’re going to explore these questions and show you 4 ways to prevent a social engineering attack. Read on to learn more.
What is a social engineering attack?
Unfortunately, social engineering attacks can grow out of any interaction in your daily life: the apps you use, the stores you frequent, your loyalty or points cards, the things you post on your social media account(s), and everything in between.
Take, for instance, yesterday’s Canada Post revelation that one of its suppliers, Commport Communications, was the victim of a malware attack. According to the CTV article, Commport Communications, a data solution supplier, is responsible for the “shipping manifest data of large parcel business customers”. The article says that, while no financial information was stolen, most manifests that were impacted by this breach included names and addresses of businesses and customers, including “sender and receiver contact information that you would find on shipping labels.”
In other words, this breach potentially allowed the hackers to gain access to pertinent information about the shipping and receiving habits of over 950,000 customers – information that, to a hacker, can be used to manufacture social engineering attacks. How, you ask? Let’s look at this example below.
What does a social engineering attack look like?
Ryan Jones is the CEO of TechCorp. Ryan’s company purchases office supplies from Big Red Paper Company, who is, for the purpose of this example, one of the 950k customers affected by the breach we mentioned above.
The hacker(s) involved in the breach have a history of the shipping labels that were created with Big Red Paper Company as the shipper and TechCorp as the receiver. This includes, at minimum, the names of the people within TechCorp that these items were shipped to, and the dates shipped.
From this information, the hacker can infer at least two things:
- How often TechCorp bought something from Big Red Paper Company – the frequency of orders.
- Who was the purchaser in the organization – who placed the order.
Using just this information alone, the hacker could do one of the following:
- Contact the purchaser and let them know there was a problem with their most recent order, and they need to verify credit card or banking information.
- Send an attachment to the purchaser that contains malware designed to infiltrate the company’s network.
- Snoop the purchaser’s social media accounts to determine likes, dislikes, hobbies, activities, or other notable points of interest, then use that information to phish the individual.
- Pose as a delivery person from Big Red Paper Company and gain access to the physical building to dumpster dive, impersonate a co-worker, leave malware-loaded flash drives for employees to find, or carry out other nefarious activities.
- Or something else.
How can I identify a social engineering attack? The 5 Types of social engineering attacks.
Social engineering attacks can take many forms, but the five most common are:
✉️ Phishing attacks
Typically delivered as an email, phishing attacks are designed to trick the recipient into opening an unsafe link or attachment, entering credentials on a fake website, replying to the email, wiring money or buying gift cards, or taking some other action that compromises systems and/or leads to data loss.
🖥️ Baiting attacks
Baiting attacks come in two types: digital and physical. Digital baiting relies on enticing the recipient with an offer (such as free music downloads) in exchange for personal data (such as login information). Physical baiting relies on leaving an item (such as a branded flash drive pre-loaded with malicious software) where an end-user will find it and use it.
🐞 Quid Pro Quo attacks
In a quid pro quo attack, the hacker requests login credentials in exchange for a service or a monetary prize. One good example is when a hacker poses as someone in the victim’s IT department, claims that the victim’s computer has picked up a virus, and offers to remove it once the victim provides their username and password. Another example, probably far more familiar, is a call telling someone that they’ve won an all-expenses-paid cruise, but they need to provide “some basic information”.
🏢 Piggybacking attacks
Also called tailgating, this is an attack on the physical premises or physical assets of an organization; for example, a hacker pretends they “forgot their ID badge” and asks someone to hold the door for them.
🧍 Pretexting attacks
A pretexting attack is when a hacker impersonates a trusted figure in the victim’s life and uses the false sense of trust this creates to attack the victim. One example is a hacker impersonating an employee’s boss and asking them to do something out of the ordinary. Trusting that it is, in fact, their boss, the employee does what’s requested (note: this happened to one of ProServeIT’s interns – read the story here).
4 ways to protect yourself against social engineering:
As mentioned before, social engineering attacks prey on the emotions of end-users – that’s you. They’re designed to manipulate you into doing something that the hacker wants you to do. Because emotions are involved, you’re far more likely to react, sending logic and critical thinking out the window. Have you ever received an email from “your bank”, claiming that your account is frozen? How did it make you feel? Did you panic? What about receiving a call from the Canada Revenue Agency claiming that you were in violation of something, and they had a warrant out for your arrest? Did your anxiety spike? Did you just want it all to “go away”?
In a social engineering attack, the hacker plays on your fears, your anxieties, your curiosities, and even your anger to manipulate you into doing what they want you to do.
According to a recent Kaspersky article outlining how phishers were using COVID-19 to gain credentials, attentiveness and knowledge are your two best defenses against a social engineering attack.
Here are some ways that you can protect yourself:
- Question everything that comes into your inbox. Are there spelling errors in the body of the email? Is the email asking you to log into something? Is the email asking for something out of the ordinary? Check the link before you click: hover over it and compare the real destination with the text shown and with the sender’s genuine domain. A lookalike domain or a link that goes somewhere other than it claims is a red flag.
- Screen your calls very carefully. Does someone want your credit card information? Is the person asking for a username and password? If they’re asking for this kind of information, don’t give it to them! Ask for their name and a number where you can call them back, then look the number up independently rather than dialling the one they gave you. They’ll most likely pressure you to act; take a deep breath and repeat your request.
- Check with your banking institutions on their phone policies. Does your bank have something in place where they’ll never ask you for your username or password via the phone? If you know this ahead of time, a hacker won’t be able to pull the wool over your eyes.
- Get to know your org structure. Can you verify that the person who’s calling works for your company? If your organization is much larger, ask them who they report to, then tell them you need to call them back and ask for a phone number.
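The inbox checks above (a link whose visible text does not match its real destination, a sender domain that merely resembles a supplier’s, pressure language, and a request for card or login details) can be automated. The following is an added example, not code from this article or from ProServeIT, that runs those checks over two constructed sample messages modelled on the Big Red Paper scenario. The trusted-domain allow-list, the keyword lists and both messages are assumptions made for the demo.

```python
"""Phishing-indicator checks for a single-part HTML email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the domains this recipient really does business with.
TRUSTED_DOMAINS = {"bigredpaper.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "cancellation")
SECRET_WORDS = ("password", "username", "card details", "banking information")


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text_parts, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; fine for the demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hostname_of(text):
    """Hostname of a URL, or of bare anchor text such as 'www.example.com/path'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def phishing_indicators(raw_message):
    """Return human-readable indicator strings; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender: the brand name appears in the address domain, but it is not the trusted domain.
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rpartition("@")[2])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if sender_domain != trusted and brand in sender_domain:
            findings.append(f"sender domain {sender_domain} imitates {trusted}")

    # 2. Links: the text the user sees names one host, the href goes somewhere else.
    parser = _LinkCollector()
    parser.feed(msg.get_payload())  # assumes a single-part text/html body
    parser.close()
    for href, text in parser.links:
        if re.search(r"\w+\.\w+", text):  # anchor text that looks like a URL or domain
            shown, actual = hostname_of(text), hostname_of(href)
            if registrable_domain(shown) != registrable_domain(actual):
                findings.append(f"link text shows {shown} but points to {actual}")

    # 3. Pressure language and requests for secrets in the subject plus visible body text.
    visible = (msg.get("Subject", "") + " " + " ".join(parser.text_parts)).lower()
    findings += [f"urgency cue: '{w}'" for w in URGENCY_WORDS if w in visible]
    findings += [f"asks for sensitive data: '{w}'" for w in SECRET_WORDS if w in visible]
    return findings


# Constructed sample messages (not real mail): the "problem with your order" lure
# from the TechCorp scenario, and a legitimate shipping notice for comparison.
PHISH = """\
From: Big Red Paper Company <billing@bigredpaper-invoices.com>
To: purchasing@techcorp.example
Subject: URGENT: problem with your recent order
Content-Type: text/html

<html><body><p>We could not process payment for order #4471. Please verify your
card details within 24 hours to avoid cancellation.</p>
<p><a href="http://bigredpaper-secure-login.example/verify">https://www.bigredpaper.com/account</a></p>
</body></html>
"""

LEGIT = """\
From: Big Red Paper Company <orders@bigredpaper.com>
To: purchasing@techcorp.example
Subject: Your order has shipped
Content-Type: text/html

<html><body><p>Order #4471 shipped today. Track it at
<a href="https://www.bigredpaper.com/track/4471">www.bigredpaper.com/track/4471</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

None of these checks is conclusive on its own (a real supplier may also write “urgent”), which is why the function returns every indicator it finds rather than a verdict: the more of them that fire together, the more the message deserves the call-back-on-a-known-number treatment described above. A production filter would also walk multipart messages and use a real public-suffix list instead of the two-label approximation.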
How to protect your organization against social engineering attacks:
When it comes to organizational protection, cybersecurity often starts in your inbox. Your organization’s inboxes are often a hacker’s entry point into your IT environment. As mentioned, social engineering attacks such as phishing scams are usually sent via email, and a single unsuspecting click is all it takes to spell disaster.
ProServeIT’s Mailbox Guardian reduces your chance of being a victim of cybercrime by helping you to harden and lock down access to your corporate data, improve password hygiene, better understand how hackers may be targeting you, and ensure that you have the right tools in place to better protect your organization against modern-day threats, including social engineering attacks.
ProServeIT's Alarm Guardian helps you take action against potential threats proactively by using Azure Sentinel, a cloud-native security information and event management (SIEM) platform that works like an alarm system: it distinguishes "normal" activity from "suspicious" activity and alerts you to potential threats within your networks. But it doesn't stop there. Built-in machine learning means that Sentinel can also take action against potential threats on its own.