What Is Social Engineering?

Social engineering is a cyber attack technique that uses the art of manipulation to gain access to data directly through human interaction.

The approach takes advantage of a person’s natural tendencies and emotional reactions. Unlike your traditional ‘cloak and dagger’ approach to hacking, a social engineer will boldly pose as tech support. They’ll ask outright for login credentials, playing on the human desire to help others.

It is estimated that over 70% of data breaches begin with some form of social engineering attack.

Hackers recognise employees are the first line of defence for a business and use many social engineering techniques to attack that defence.

What are the 5 types of social engineering attacks?

We mentioned earlier the ‘many techniques’ of social engineering; in fact, there are 5 popular approaches. Here’s what to look out for:

#1 Phishing

We’re sure you’ve heard this term. It’s a well-publicised technique but despite its notoriety, it’s still often successful.

A phishing email will look legit – usually from a bank or online payment system. There is always a request for you to click a link or open an attachment. You’d spot it a mile off, right?

But don’t forget, these cyber criminals are using the art of manipulation. The content of the email is likely to be designed to strike panic. For example, it could say your account has been locked, or there’s a report of suspicious activity on your account. It will then direct you to log in to rectify the situation… it’s easy to fall for.

The key to spotting a phishing attempt is to take your time. Check the layout, the company logo, and the content carefully for spelling mistakes.

Then dig deeper. Check the sender’s name and the email address behind it – this is where the discrepancy usually shows.

If you feel unsure, give the company or organisation a call and run it past them, making sure to look up their contact details online rather than taking them from the email itself.

But most important of all, never click the link you’re being directed to unless you know it’s legitimate.
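The checks above (the name versus the address behind it, the link versus where it really points, the panic-inducing wording) can be automated for triage. The following is an added example, not code from Jupiter IT or the original post; the trusted-domain list, the urgency word list and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Constructed sample (not a real email): an "account locked" lure of the kind
# described above, with a display name that borrows the bank's name and a link
# whose visible text differs from where it really points.
SAMPLE_EMAIL = """\
From: "YourBank Security Team" <alerts@yourbank-verify.example>
To: staff@example.com
Subject: URGENT: your account has been locked
Content-Type: text/html

<p>Suspicious activity was detected on your account.</p>
<p>Please <a href="http://yourbank-verify.example/login">https://www.yourbank.example/secure</a>
to restore access within 24 hours.</p>
"""

# Assumed: the domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"yourbank.example", "example.com"}
# Assumed: wording that "strike panic" lures tend to rely on.
URGENCY_WORDS = ("urgent", "locked", "suspicious", "immediately", "within 24 hours")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' reduction (no public-suffix list); enough for the sample."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Host part of a URL-looking string, or '' if it is not one."""
    return urlparse(text.strip()).hostname or ""


def analyse(raw: str) -> list[str]:
    """Return human-readable findings for the checks the article recommends."""
    msg = message_from_string(raw)
    findings = []

    # 1. The sender's display name versus the address behind it.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    claimed = [b for b in brands if b in display_name.lower().replace(" ", "")]
    if claimed and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name mentions '{claimed[0]}' but address is @{sender_domain}")
    elif sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not on the trusted list")

    # 2. Pressure wording in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"subject uses pressure wording: {', '.join(hits)}")

    # 3. Links: where they really point, and whether the visible text agrees.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        target = registrable_domain(host_of(href))
        shown = registrable_domain(host_of(text))
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if target and target not in TRUSTED_DOMAINS:
            findings.append(f"link target {target} is not on the trusted list")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample it reports four findings: the borrowed display name, the pressure wording, the mismatch between the link text and its real target, and the untrusted target domain. The domain reduction is deliberately crude; a production filter would use a public-suffix list and the organisation's real allow-list.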

#2 Baiting

This technique is exactly as it sounds and relies on a victim taking the bait. As a result, their device becomes infected with malicious software that could even spread to their contacts.

An offer of something for free, news that you’ve won a competition (that you didn’t enter), or a link with an intriguing call to action (‘This is just too weird – take a look!’): anything like this triggers an emotional reaction and can cause victims to click on impulse. Stop, think… could it be fake?

#3 Contact Spamming

If a hacker gains access to a victim’s email account, that is just the beginning. They now have access to all of that person’s contacts, and if, like many people, the victim uses the same password for their social media accounts, the hacker gains access to all of those contacts too, giving them the freedom to send some unexpected messages.

You might receive an email or an instant message, seemingly from someone you know, telling you to click a link – ‘Check this out – it’s cool’ – it’s not cool. It’s malware.

If the message seems out of character, it’s probably not from your contact at all, and there’s a good chance their account has been compromised. Give them a call and run it past them – if it’s not from them, they need to change their passwords as soon as possible.

#4 Spear Phishing

This approach is much like phishing with a smattering of contact spamming, except it’s targeted and personal. Employees in financial roles or HR roles are popular targets for this but ultimately, anyone can be at risk.

Your company director has unknowingly had their email account compromised, giving a social engineer access to all their contacts throughout the business.

You then receive an email from the director requesting bank log-in details, or bank account details for all members of staff – the email addresses you by name, the sender is the company director and you have that human desire to help – why wouldn’t you divulge this information?

Consider how you communicate within your business and be sure to implement processes whereby requests for confidential information are always discussed in person. This way, when an email like this makes its way into your business, everyone knows to treat it as suspicious.

#5 Vishing

Phishing with even less shame (if that’s possible). The social engineer picks up the phone and calls their victims. Being put on the spot gives you less time to consider the situation carefully and out of politeness, you’re more likely to hand over valuable information freely.

You might get a call from a supposed co-worker – new or from another site – asking for help. They need login details or confidential company information. If you feel uncomfortable, try sneaking in some questions that might help you identify whether the call is legitimate.

While most cyber attacks are a one-off occurrence, it’s worth considering that some social engineers go in for the long haul and the vishing technique is the perfect approach for them. Known as farming, some cyber criminals build a relationship with a staff member and string them along for as long as possible, getting as much information as they can along the way.

You might say, Jupiter IT are on a mission

With cyber crime on the rise, we’re committed to raising awareness and helping other businesses polish their cyber security to the point of perfection.

Offering cyber security in Hull and the surrounding areas, we provide free, content-rich, cyber security training for all our clients and their staff.

At Jupiter IT, we are proud to hold the prestigious Cyber Essentials Plus certification and, as experts in this standard, we can help you become certified too.

To find out more, drop us a line – we’re waiting to share our expertise with you.