Social engineering is the temptation of people to reveal sensitive information or to take a specific action. This way of tricking someone into data or getting someone to do something plays on people's natural tendencies and emotional reactions.
Cyber criminals use social engineering tactics because it is usually easier to exploit someone's natural tendency to trust than to look for technical flaws and vulnerabilities in software. For example, it is much easier to fool someone into giving you their password than to try to crack that password yourself. Social engineering can involve telephone calls, emails, text messages or text messages. There is a huge variety of methods for persuading users to divulge sensitive information. Cyber criminals often pose as, for example, bank or help desk employees.
How does such an attack work?
While criminals are constantly evolving their tactics and methods, most attacks follow a certain pattern. First, an attacker collects background information, which is also known as victim profiling. A choice is then made in which way to contact the victim and the attacker tries to create a relationship of trust in order to ensure that the victim shares sensitive information without too much suspicion. Once that data is in, the criminal can use it to carry out his attack. This could include, for example, accessing systems using obtained passwords, carrying out a classic case of identity theft, or using the information for personal or political gain.
Who are victims of social engineering?
Social engineering attacks are very dangerous for both individuals and companies, as large amounts of money can be stolen from the victim in either case. For example, Toyota Boshoku Corporation, a supplier to Toyota, was the victim of a social engineering attack in 2019 that cost them 37 million dollars. The attackers targeted employees of the finance department and pretended to be senior management. The cyber criminals sent emails from a fake (but real looking) business email account requesting an account change. In this way, the financial workers were successfully incited to transfer large sums of money into accounts managed by the cyber criminals.
How do I recognise social engineering?
Knowing the ways in which people can be influenced makes it easier to spot the red flags of social engineering. Requests for certain types of sensitive information, such as login or bank details, should always alert you. Even offers that seem too good to be true should ring alarm bells. Of course you never click on links in an email from an unknown sender, but you are also wary of senders that do look familiar.
Social engineering is a general term that refers to a wide variety of manipulation tactics that cyber criminals use to gain information. When you become familiar with these different forms, you are more wary and less likely to get caught up in the sweet talk. This also applies to the employees of your organisation. Make sure everyone is familiar with social engineering, its dangers and how to recognise it.
1. Baiting
This is an attack where the criminal entices the victim with something free to entice them to click on a link. Think of a free music or movie download that matches the interests of the victim. With this form of social engineering, the victim has to bite into the attacker's bait in order for the attack to succeed.
2. Phishing
Phishing is a well-known way to steal information from an unwitting victim. Although more and more people know what phishing is, it is still a successful tool for cyber criminals. The attacker usually sends an email or app to the target, looking for information that could help with a more important crime. When this information is taken over the telephone, we also speak of 'vishing', with the 'v' of 'voice'. In this category we also distinguish 'whaling' and 'spear phishing', the latter being a phishing attack that is aimed at a specific person (in which the cybercriminals put a lot of effort into profiling). When it comes to a highly placed person, for example managers or C-level employees, we talk about 'whaling' (after all, those are the big fish).
3. Email hacking and contact spamming
This is the basis of much Whatsapp fraud. It is human nature to pay attention to messages from people we know. Some criminals take advantage of this by stealing email accounts or address books in your phone and spamming contacts.
4. Pretexting
In pretexting, a criminal poses as a representative of a trusted organisation with the aim of obtaining sensitive information. This form of attack is widely used to collect information before the actual attack is launched.
5. Quid pro quo
This is a variant of Baiting, in which there seems to be an exchange: I give you something, you give me something. For example, the cybercriminal promises a service or benefit if the victim clicks on a certain link (which instals malware) in return. It looks like a fair trade, but of course it never is.
6. Reverse social engineering
In this form of attack, the attacker convinces the victim that he or she has a problem. Of course, the attacker has the solution to that problem. He tries to get the victim to contact the attacker on his own initiative to help solve his problem.
How do I protect my business from social engineering?
The best form of prevention is to train all employees in your company. When everyone knows how to spot social engineering tactics, it's easier to avoid them. A few tips that can help with this:
- Investigate the source of all suspicious phone calls, emails, and messages. Never click any links or open attachments from senders you don't know or trust.
- Be instantly alert when sensitive data is requested or when large transactions need to be executed under high pressure.
- Also be wary of unexpected requests for help.
- Ensure a solid security solution on your IT systems and keep (all) your software up-to-date.
- Always use strong passwords and a password manager. Let everyone in the company do that.
- Use as little public WiFi as possible and if necessary, use a VPN.
- Use the spam filters in your email program.
- If you are unsure about anything, ask a security specialist or your IT service provider for help.