Social Engineering is likely the most effective method that attackers use. These kinds of attacks use various techniques to trick human users into taking action. The actions attackers are trying to achieve vary from tricking users into downloading malware to giving up usernames and passwords, and everything in between.
In short, Social Engineering is creative lying, and it’s a highly effective means of compromise. In fact, it’s so effective that professional penetration testers are usually prohibited from using these techniques, because people are known to be so easily exploited.
Types of Social Engineering Attacks
Phishing - Phishing is one of the most common social engineering attacks and one we see nearly every day. Phishing involves sending emails to trick the recipient into downloading an attachment, clicking a link, changing account numbers, and more. Often attackers will do additional research on the recipient and target the attack. This type of targeting is called spear phishing. These attacks are highly effective!
Vishing - Vishing is much like phishing, but using the phone. In this attack, the attacker will make a call to the intended victim and typically pretend to be an IT company. Their intention is the same as phishing - to get a victim to give up their credentials or to visit a website and download a file.
SMiShing - SMiShing attacks are similar to phishing and vishing, but instead, use text messaging services to send the attack messages. Victims receive a text message and are often tricked into clicking a link or responding with sensitive information.
Watering Hole - A watering hole attack is when an attacker compromises a third-party website that their victims are known to visit. For example, if the target is local attorneys in an area, the attacker may choose to attack and compromise the local Bar Association website, knowing that local attorneys will likely go to the website frequently. Once the attorneys visit that site, they may be prompted to download malware, give away credentials, and more.
Tailgating - Tailgating is a physical attack in which an attacker follows someone into a restricted area. These are common attacks on IT systems. Once entry is gained to a facility, the attacker can not only steal physical data but can also potentially install remote access software and devices to gain access after leaving.
Preventing Social Engineering Attacks
Security Awareness Training - One of the most effective ways to avoid social engineering attacks is to properly train your staff to understand the challenges they’ll face. Security awareness training is a critical tool in this fight and is why Coalition provides free training to all our insureds.
Multi-Factor Authentication - Multi-factor authentication (MFA) requires users to have more than just a username and password to access a system. If a user is tricked into revealing their username and password through social engineering, MFA can still stop the attacker from using those stolen credentials to log in.
Email Security - Most social engineering attacks you’ll face will come over email. You can help protect your email against spoofing using free technologies such as SPF, DKIM, and DMARC. You may also choose to use advanced email filtering technologies that will scan your email prior to delivery to remove or quarantine malicious mail.
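As an added illustration (not code from the original article), the following Python checks whether a domain's SPF and DMARC records actually enforce anything against spoofing. The TXT records are constructed sample data for hypothetical domains; a real check would look up the TXT records for the domain and for _dmarc.<domain> in DNS.

```python
"""Assess a domain's anti-spoofing DNS posture from its SPF and DMARC records."""

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_TXT = {
    "insured.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.insured.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@insured.test"],
    "weak.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "nothing.test": [],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, txt=SAMPLE_TXT):
    """Return a list of findings describing where the domain is still spoofable."""
    findings = []

    # SPF: receivers can only reject forged senders if the record hard-fails (-all).
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: receivers cannot tell which hosts may send as this domain")
    elif "-all" not in spf[0].lower().split():
        findings.append("SPF lacks '-all': forged mail is only soft-failed or allowed")

    # DMARC: without an enforcing policy, SPF/DKIM failures do not block delivery.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM results are not enforced")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: spoofed mail is still delivered, only reported")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports on spoofing attempts")
    return findings


if __name__ == "__main__":
    for name in ("insured.test", "weak.test", "nothing.test"):
        print(name, assess(name) or ["enforcing SPF and DMARC in place"])
```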
As long as there are humans, there will be social engineering. While tools and technologies are certainly helpful, security education and awareness are often the difference between success and failure in these kinds of attacks.
For more information on this topic, please reach out to us. We’re here to help!