The biggest threat to online businesses – Social Engineering Attacks


What is social engineering? 

Social engineering in the broad sense is the psychological manipulation of an individual; in the context of cybersecurity it refers to psychological manipulation that results in the disclosure of confidential information which can then be used maliciously. 

Because social engineering attacks prey on human error by their very nature, they pose a fundamental risk to every organization with an online presence, no matter how big or small. 

Typically, a social engineering attack follows a trail of deception designed to appeal to an individual’s human nature. Sometimes the attack is focused and tailored to a specific target, whilst other attacks rely on quantity over quality. For some social engineering attacks, such as phishing, it has been argued that making the manipulation or story as unbelievable as possible yields the best results, because the people likely to engage with it are also the most likely to divulge information or money. 

However, despite being the most common, phishing is not the only social engineering attack technique. Here are a few and what can be done to mitigate the threat they pose: 

  1. Phishing – clicking unsafe links 

Perhaps the most common way for a hacker to gain unauthorized access to company assets is via a phishing scam. A target will be sent a message which aims to trick them into clicking a link, downloading something or directly divulging sensitive information as a reply. 

From small-scale nuisance cyber attacks to ransomware attacks that have taken down entire government systems, phishing remains one of the most prevalent social engineering techniques. 

Phishing usually occurs via email, but it can also take place via text message, phone call or social media, as it simply relies on a human interacting with a link.  

Therefore, users should always be vigilant of any message that includes a call to action, be it clicking a link or replying with sensitive data. It is wise to look out for emails addressed to vague or ambiguous recipients (for instance ones that don’t address the user by name) and emails from organizations that don’t use correct grammar and spelling.  
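The indicators above (no greeting by name, a call to action, a link to click) can be turned into a simple triage check. The following is an added example, not code from the article or from Securiwiser; it assumes HTML email bodies and a known recipient name, and adds one assumed heuristic of its own: the visible link text names one domain while the href points at another.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that signal a call to action (assumed list for this example).
CALL_TO_ACTION = ("click", "verify your", "confirm your", "reply with", "your password", "urgent", "immediately")

class _Links(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Hostname of a URL or bare domain, without a leading "www.".
    url = url if "://" in url else "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(html_body, recipient_name):
    """Return the names of the indicators present in an email body."""
    found = []
    parser = _Links()
    parser.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body).lower()  # crude tag stripping
    if recipient_name.lower() not in text:
        found.append("no_personal_greeting")
    if any(phrase in text for phrase in CALL_TO_ACTION):
        found.append("call_to_action")
    for href, label in parser.links:
        # Only compare domains when the label itself looks like a domain or URL.
        if re.search(r"[\w-]+\.[a-z]{2,}", label, re.I) and _host(label) != _host(href):
            found.append("link_domain_mismatch")
            break
    return found

# Constructed sample messages (not real emails).
SAMPLE_PHISH = ('<p>Dear Customer,</p><p>Your account is suspended. Click <a href="http://login-verify.example.net/x">'
                'https://www.mybank.example</a> immediately to verify your details.</p>')
SAMPLE_LEGIT = '<p>Hi Alice,</p><p>Your March statement is now available in the app.</p>'
```

Run `phishing_indicators(SAMPLE_PHISH, "Alice")` to see all three indicators fire, while the legitimate sample returns an empty list.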

  2. Baiting 

Most people will have come across a baiting social engineering scam at least once but perhaps not understood exactly the danger it poses. One example is the now infamous “You are the 10000th visitor, click here for a prize”. 

Baiting is a technique that revolves around a “too good to be true” offer or advertisement announcing that the victim has won something or is entitled to a fantastic deal. Once the victim clicks the link or downloads the software, the attackers remotely install malware onto the system. 

This technique can also operate in the physical world, with bait CDs or memory sticks being left around offices or internet cafes. Relying on human curiosity to get the devices plugged into a system, the attackers can then install malware and gain control. 

As with phishing, a user should never click a link that looks purposely designed to entice or seems “too good to be true”, and should never plug removable devices such as memory sticks that they do not recognize into their own systems. 

  3. Scareware 

Designed to frighten, or scare a victim, scareware is a social engineering technique that manipulates targets into thinking that something bad is happening on their device and they need to act fast. 

Examples include popups in browsers that flash with alarms, or play loud noises along with displaying messages such as “This device has been infected” or “This device has been seized for committing crimes online”.  

The user is then prompted to download something or “fix” their device. In reality the device was unharmed, and it only becomes infected when the user installs the supposed fix, which is the malware. 

The best thing to do if prompted with scareware is to simply close the tab, window or browser and see if the message recurs. More often than not, it will not. 

  4. Impersonation 

Impersonation, also known as pretexting, relies on building trust between the attacker and the victim. The target is manipulated into thinking that the prompt or call to action they have received is official and has been sent to them by an organization of authority, such as the police or their bank. 

When the victim replies to the official-looking email, or follows the links and enters their sensitive information, that information is stolen and used fraudulently. 

One good way to mitigate this is to ensure that the site you are logging into has two-factor authentication, and to always log in to a police or bank website by reaching it via Google rather than by following links in emails. 

Securiwiser can help your business stay safe in the cyber world via its daily monitoring of cyber threats, including those raised in this article. Start your free trial today by clicking here.
