What is social engineering?
Social engineering is a cyber attack technique that targets humans rather than machines, leading many to refer to it as human hacking. The end goal of criminals using this method is to obtain private information, valuable data, or access to systems. Its online form may be leveraged to spread malware, expose sensitive data, or gain network access.
Rather than deploying a brute force approach, the attacker will usually persuade the victim into compromising themselves through a strategy of deceit or impersonation.
Types of social engineering
Phishing is the most prevalent form of social engineering, with the attacker impersonating a real person, system, or company, via phishing emails, websites, web ads, or chat. Baiting attacks entice users to reveal their login information, maybe by offering a free download in exchange. The download itself can include malicious software. A social engineering attack that follows the principles of tailgating is to ask to borrow an online device, such as a laptop, with the attacker then installing malicious software.
Pretexting is another form of social engineering to be aware of and builds trust ahead of phishing attacks by impersonating a co-worker or authoritative figure to add legitimacy to any request for data or login credentials.
Examples of social engineering
Social engineering attacks all have one thing in common; they focus on exploiting human emotion. Fear is a common example and might include informing the victim that they are under investigation for tax fraud or owe tax.
Other human emotions that are preyed upon include helpfulness, curiosity, and urgency. Common approaches include asking for information to ensure the individual gets paid on time, using stories that are in the news, and setting a short deadline to take action or respond.
Possibly the most successful social engineering attack we know of was carried out by Lithuanian Evaldas Rimasauskas against two of the world’s largest companies, Facebook and Google. He created a fake computer manufacturing company and set up fraudulent bank accounts in its name. Rimasauskas then sent phishing emails to specific employees, requesting payment for genuine goods and services, but directing them to deposit money into the fraudulent accounts. Between 2013 and 2015, he and his associates defrauded both companies of over $100 million.
Is social engineering illegal, and what is the penalty?
Yes, social engineering is illegal and is a form of fraud. There are severe legal penalties for people who are convicted, including fines and jail terms.
What is the most common method of social engineering?
Phishing attacks are the most common method of social engineering and can take place through social media, emails, SMS, or instant messaging. Messages may appear genuine and include copied content, images, logos, and styles from trusted sources.
Any of these messaging and communication forms can encourage individuals to click on malicious links. These links are often disguised by using a URL very similar to a a legitimate page, shortening the URL or by including embedded links that redirect to a cloned website or a domain with malicious code.
Why is social engineering dangerous?
Social engineering is dangerous because it exploits human error rather than relying on finding a fault or weakness in software, applications, or networks. Cybercriminals are prepared to spend time and resources researching potential victims, looking for opportunities in their behaviours or the policies of the company that employs them.
How to prevent social engineering attacks
The most effective way to defend against social engineering is through education. All employees can be potential targets for social engineering, so it is important that they are aware of their responsibilities in cybersecurity and can identify social engineering tactics. OmniCyber Security can assist you in determining the resilience of your employees against social engineering tactics by conducting a red team engagement. Our expert team will simulate a cyber attack against your organization and provide a report highlighting any vulnerabilities. To learn more, please get in touch with our team.