Social Engineering. What do you need to look for?
Social Engineering could be one of the top sources for Cyber Attacks today. But most people don’t fully understand what it is. Social Engineering is a technique used by cyber criminals to trick or persuade people into giving them critical or confidential information. A good example would be your passwords for everything in your business. Could you give that away without knowing?
Cyber criminals use social engineering to get things that do not belong to them. Today, data is considered one of the most valuable natural resources available to humans. So why wouldn’t a criminal try to get it? It’s something that most people don’t fully understand, and they usually can’t relate it to value. It is indeed valuable, and if you put that information in the wrong hands, it could be costly for multiple parties.
So, let’s talk about some Social Engineering strategies and what you should look for.
Social Engineering Techniques
- Phishing
Phishing is probably one of the most commonly used forms of social engineering. Phishing is exactly what it sounds like. It is when the cybercriminal is trying to gain personal information from you by leading you to believe that you are giving information to a reliable source. However, during these attacks you could be giving your information to the absolute worst source. Phishing is most commonly done through email and frequently mimics known good websites. They will try to send you to a website that asks you to log in. If you do, you’ve given them your login credentials.
Phishing is typically used to obtain personal information such as names, addresses, SSNs, phone numbers, passwords, and anything else that could be asked in a security question. In other words: be aware of what information you’re giving out.
- Pretexting
Pretexting is when the attacker tries to create a pretext, or a cover, that would cause the end user to take some sort of action that would benefit the attacker. A good example would be an attacker contacting their victim while acting as someone from the finance department and then asking for a bit of information, such as passwords to a system.
The biggest difference between phishing and pretexting is that with pretexting the attacker is trying to create the false reality of a good relationship to gain important information, unlike phishing, where they use fear and urgency. It gives the attacker more time to develop a story that would allow them to get the information they need.
- Quid Pro Quo
Quid Pro Quo attacks are when the attacker offers a benefit in exchange for information. A good example would be an attacker offering IT help and requesting your login information to do so. Typically, these services are very inexpensive, or free. If it sounds too good to be true, it is likely too good to be true.
- Baiting
Baiting is a form of social engineering that will entice the target to use something that will take information or data from them. The classic version of this is when an attacker leaves a flash drive on the ground marked “Confidential” and the target plugs it into their computer, only for it to send all of their information off into space or to download a keylogger onto their computer. There are even some flash drives that will physically destroy the computer they are plugged into. Beware of what you plug in or download.
- Tailgating
Tailgating is a physical form of social engineering in which an unauthorized individual will trick an authorized individual into letting them into a location they are not allowed to enter. When they are there, they will gather information or property that they should not have access to. This one will make you think twice when someone asks you to hold the door for them. We don’t want to be rude, but if you needed a key card to get in, you’re doing your company a favor by not letting extra people in.
There are many forms of social engineering that could ultimately hurt you or your company. Unfortunately for all of the good people in the world, there are also bad people trying to take things from us.
Please remember to think twice before giving away your information and don’t worry about asking too many questions before giving your information away to anyone, especially if you can’t see them. Raise the flag when things sound too phishy, or too good to be true, or abnormal. It would be most appropriate to ask the questions before paying the consequences.
Also, remember that we are always here to help you. If you think you’re in the middle of social engineering, or if you feel you have been a victim, don’t hesitate to call. We are always here to help!