For centuries, evil-doers have taken advantage of man's gullibility. Think of the Trojan Horse. That tactic is still current when it comes to infiltrating organizations, and today it is called "social engineering". Cybercriminals use various tactics to manipulate or persuade your employees into releasing sensitive company information, and this manipulation can have a serious impact on your organization. But what exactly is social engineering, and how do you protect your organization from it?
What is social engineering?
Social engineering is an attack in which criminals take advantage of people's gullibility, fear and curiosity. The result can be a successful attack in which malicious persons gain access to company information such as names, e-mail addresses, login information or even payment information.
Commonly used social engineering tactics
Criminals are constantly looking for new ways to get in uninvited. Here are some common tactics.
Phishing
Imagine you get an e-mail from PostNL: 'Your package has arrived at our warehouse, but cannot be shipped due to incorrect address information. Please enter the correct address information and we will ship your order within 24 hours.' Do you think twice, or do you immediately do what is asked? This method is called "phishing" and is one of the most common forms of social engineering. Very many people still fall for it. At its core, criminals pretend to be someone else in order to steal your information, such as credit card details and personal data.
Vishing
The bank calls and says there has been a strange login attempt on your account. They urgently tell you to secure your money by transferring it to another account. The caller sounds very friendly and helpful. But then you lose all your money... This method is called "vishing", a combination of 'voice' and 'phishing'. The caller pretends to be someone else and tries to trick you into sharing data, logging in, changing login credentials or transferring money.
Pretexting
In pretexting, the attacker makes up an excuse or story to convince the victim to share information. Pretexting can be done through a phone call, a text message, an e-mail or even a face-to-face meeting. The difference between pretexting and phishing is that pretexting often targets a specific person, with a lot of preliminary research done on that person, whereas phishing often targets many people at once.
Distribution of infected USB sticks
Suddenly there is a USB stick on your desk. Your colleagues have no idea where it came from either, so you decide to see what's on it. In no time, your entire computer system is hacked. An infected USB drive looks just like an ordinary USB drive, but inside it is a very small, fast computer that automatically executes preset commands. This gives a criminal access to your business systems, such as your Office 365 environment.
Impersonation
Suppose a person comes into your office and tells the secretary that he is a mechanic coming by for a broken pipe. What should the secretary do? Should she let him through, walk with him to the right place, or call the person with whom he claims to have an appointment for confirmation? This method is called impersonation. It involves a criminal pretending to be someone else to trick you or your employees into letting him in. Once inside, he can gain access to company information, or perhaps even insert an infected USB stick into a computer.
Quid Pro Quo
Suppose your employee receives a call from someone claiming to be an IT employee who offers to solve a technical problem. In exchange for this "help", he asks for the employee's laptop login information. Later it turns out that this person is not an IT employee, but a criminal who now has access to all your systems. This is an example of a "quid pro quo attack", in which a criminal offers a favor in exchange for a favor. You are promised something valuable, for which you seem to have to give only something small in return. Except that the attacker takes your data without giving you anything in return.
How do you prevent it?
Your employees are perhaps the most important link in your security strategy. To prevent criminals from intruding into your organization, it is first important that you have a clear information security policy that describes how your organization handles information. For example, specify that certain information may only be shared through an agreed-upon medium.
Second, it is important to make your employees aware of the tactics used by criminals. You can create awareness through awareness sessions and training, informing them of possible scenarios and teaching them how to recognize social engineering tactics. You can also test how resilient your staff is by having a social engineering campaign performed. This allows you to measure how well they are aware of security risks and to reinforce that awareness. Only by making technology and employee security awareness work together can you truly protect your organization's digital environment.
Want to know more about how to make your organization resilient against social engineering tactics? Our consultants will be happy to help!

This article was written by Wendy Sikkema. Do you need help or have any questions? Please feel free to contact her without obligation.