Social Engineering: What is it, how can you stop it and what are the tactics used?
What is social engineering?
Social engineering is a type of fraud that exploits human error: the attacker manipulates a person into handing over private data, information or money. Its success relies on the victim unknowingly giving away their data rather than on hacking the individual’s computer. Social engineering is most common online via email, but it also occurs over phone calls and by text message.
A social engineering attack usually has one of two goals: sabotage or theft. In sabotage, the scammer corrupts data to cause inconvenience or harm to the individual; in theft, the scammer deceives the individual into giving up money.
What are the tactics used?
There are four main techniques used in social engineering attacks:
- Phishing: In a phishing attack, the attacker sends a message designed to grab the victim’s attention and get them to click a link, which leads to a malicious website. Phishing is common on social media, but it also often takes place via text message or email.
- Watering hole: In a watering hole attack, the victims are usually a group of people who regularly visit a specific website (often staff of the same company). The attacker plants malicious code on that website, for example a forum the company’s employees use. Watering hole attacks are quite uncommon but can cause the most damage, as the target is usually a large company.
- Baiting and quid pro quo attacks: In baiting and quid pro quo attacks, the scammer offers the victim something that appears to benefit them, such as a software update that actually contains malicious code. Once the software has been installed on the individual’s device, the attacker takes the victim’s information.
- Whaling attack/spear phishing: A whaling or spear phishing attack targets a person who has access to sensitive information belonging to people or companies, for example senior members of staff or HR administrators. The scammer conducts in-depth research on the individual in order to create a message the victim is likely to respond to. These messages tend to look highly important to the individual (such as an invoice) or pretend to come from a colleague.
How can you spot and stop social engineering?
There are easy ways to spot a social engineering scam.
- Set your spam filters to high.
- Reject requests for help made under pressure, unsolicited offers of help, requests for “a quick favour” and offers of incentives.
- Delete any request for personal information or passwords.
- Even when the sender appears to be someone you are familiar with (“the boss”), it is still best practice to check with them if you aren’t expecting any email links or files from them.
- Use strong passwords.
- Secure your connected devices – our 8 Tips will help you.