Summary of Key Points
- Social engineering differs from other cybersecurity threats by targeting people instead of directly attacking digital assets.
- Common social engineering tactics include baiting, quid pro quo, phishing, spear phishing, pretexting, and tailgating. One or more of these tactics are involved in approximately 50% of all data breaches.
- You can protect yourself and your organization from social engineering by creating a detailed cybersecurity policy, using multi-factor authentication, and frequently updating passwords. It’s also a good idea to consider endpoint detection and response or SOCaaS solutions—both of which VirtualArmour provides.
Social engineering is involved in an estimated 50% of all data breaches, making it a significant threat to organizations and their data. But what exactly is modern social engineering, how is it most likely to target you, and how can you successfully rebuff social engineering attempts?
The team here at VirtualArmour has up-to-date knowledge of the cyber threats currently faced by organizations of all kinds, so we’re here to help you understand the risks of social engineering and the best ways and cybersecurity tactics to keep your data safe from these attacks. Read on to learn everything you need to know about stopping social engineering in its tracks.
What Is Social Engineering?
Social engineering is an umbrella term that describes various tactics aimed at getting victims to commit security errors, thereby compromising sensitive data to which they have access. Unlike attacks that exclusively target technology, social engineering attacks manipulate the psychology of human beings to circumvent their judgment, often by creating a false sense of anxiety or urgency.
Robocalling is an easy example of social engineering, where fraudulent pre-recorded messages impersonating authorities (like government offices or financial institutions) request personal information such as credit card data or login credentials, accompanied by vague threats of legal action or imprisonment if the request is not carried out immediately. This is a form of phishing—a category of social engineering that we’ll explain in more detail later in this article.
Via Adobe Stock.
Where Are Organizations Most Vulnerable to Social Engineering?
Because social engineering uses people as the gateway to access technology, it’s most commonly carried out across endpoints via apps used for communication. Common examples include:
- Text messages
- Phone calls
- Social media platforms (like Facebook and Instagram)
- Messaging apps (like WhatsApp or Signal)
Via Adobe Stock.
What Are the Most Common Current Social Engineering Tactics?
Knowing how modern social engineering attacks manifest is the first step to recognizing and repudiating them. Here are a few of the most common kinds:
- Baiting: this tactic falsely promises the victim something of value (often for free or at an implausibly discounted price), in exchange for a seemingly innocuous action—like clicking a “survey link” to get a free gift card, when the link actually takes the visitor to a spoofed login page that captures their username and password, then provides them to the threat actor.
- Quid Pro Quo: this technique is similar to baiting, but usually involves the offer of a service in exchange for information. One common example is when a threat actor contacts a potential victim and impersonates an IT provider, offering to solve an alleged “problem” by providing free software—which is actually malware or ransomware.
- Phishing: one of the most widely used forms of social engineering by far, phishing involves the threat actor assuming a false identity (often a bank, boss, or government agency) and requesting information that the victim would normally provide to the impersonated party.
- Spear Phishing: this technique goes a step beyond basic phishing by targeting a specific victim with details (usually stolen) designed to lend legitimacy to the attack. One example might be an email where the threat actor impersonates your boss and uses stolen information to reference work details only they would reasonably know before making a request for personal information—in order to convince you the request is genuine.
- Pretexting: these social engineering schemes involve a story (or pretext) that makes an attempt to steal information look more plausible. Pretexting is often a key part of phishing scams—one classic example being the infamous “Nigerian Prince” scams that became world famous at the end of the 2010s.
- Tailgating: one of the simplest forms of social engineering (but nonetheless effective in many cases), tailgating involves waiting until an authorized party has accessed a device or area where information is stored, then following them before the window of entry closes. This could be as straightforward as following a staff member of a company’s IT department into the server room to create a backdoor after the target has unlocked the door with their keycard or biometric scan.
Best Practices for Protecting Your Organization from Social Engineering
Here’s a list of what you can do to keep your organization and sensitive data safe from social engineering attempts:
Create a Detailed Cybersecurity Policy
Enshrining rules for protecting your organization’s data will make your personnel less likely to make errors in judgment when faced with social engineering attempts. This should include a checklist for recognizing suspicious communications, a detailed protocol for physically accessing spaces or devices where privileged information is stored, and a response plan to mitigate the damage any successful social engineering attempts can cause.
Use Multi-Factor Authentication for Endpoints
Having authorized personnel verify their identity more than once when accessing sensitive data creates failsafes. For example, a threat actor may be able to gain a username and password by successfully targeting an employee with a phishing email, but may be rendered unable to exploit those credentials if 2FA also requires them to log in using a code sent to the employee’s mobile device.
Change Passwords Often
Part of your organization’s cybersecurity policy should involve updating passwords on a regular basis—and requiring strong new passwords that haven’t been used before. This reduces the window of opportunity for threat actors to use any credentials they’ve managed to steal in social engineering attacks.
Via Adobe Stock.
Keep Your Data Safe from Social Engineering
The main reason social engineering is so dangerous is that it can affect anyone—which is why organizations of all kinds need to treat it as a serious threat and take steps to protect their data.
In addition to taking the steps above, it’s smart to invest in endpoint detection and response tools that can make access points to your data harder to compromise with malware or stolen credentials. Ongoing cybersecurity support from a team of third-party experts offering SOCaaS solutions can also provide your organization with the resources to respond to data breaches quickly and effectively.
To learn more about protecting yourself, your organization, and your data from social engineering and other cyber threats, contact VirtualArmour. Our team of experienced cybersecurity pros will be happy to recommend strategies for moving you toward a zero-risk IT environment.