The phrase “social engineering” sounds innocuous — but, this approach to hacking threatens organizations of all sizes.
Social engineering may be an unfamiliar term, but the attacks that fall under this category are well-known. For instance, phishing attacks and ransomware attacks have seen massive increases in the last year. By some estimates, ransomware is up 700% and phishing campaigns are up over 200%. This trend will only continue to grow: some estimates suggest that by the end of 2021, ransomware attacks could happen as frequently as every 11 seconds.
As a result, it’s essential to understand what is social engineering, the most common forms of social engineering, and how to prevent social engineering attacks. Here’s our quick guide to social engineering and how to prepare your organization to withstand this growing threat.
What is social engineering?
Social engineering refers to the practice of exploiting people to gain access to buildings, systems, or data. As compared to technical hacking, social engineering preys on human vulnerabilities to get inside a company’s IT system, for instance, and access its valuable information.
There are many famous examples of social engineering attacks, but perhaps the most well-known example is that of the “Nigerian prince” email scam. These emails, in which scammers send emails asking for help to move a large sum of money out of Nigeria, have trapped hundreds of victims. The Secret Service fields approximately 100 telephone calls from victims/potential victims per day — the scam grosses hundreds of millions of dollars annually.
The Nigerian prince email scam is well known, but social engineering attacks take many forms — which can often make them difficult to spot. These incursions leverage email, text messages, social media, and other forms of everyday electronic communications. Employees unwittingly are encouraged to hand over important information that can help break into corporate systems or steal data from a company.
Social engineering examples
Social engineering covers a broad range of hacking activities. Here are some of the most common forms of social engineering.
Phishing is easily the most common form of social engineering. Phishing takes place when a hacker tricks an individual into handing over information or exposing sensitive data using a link (with hidden malware) or a false email. Spear-phishing is a more precise, personal form of attack — emails with links containing malware are highly targeted and sent to well-researched victims. And “smishing” is a form of phishing carried out through SMS and other direct messaging platforms.
Phishing and its variants have been on the rise since early 2020. These social engineering attacks have flourished in the chaos of the pandemic — with scams targeting those applying for economic stimulus funding, or false information about COVID-19 vaccines. A Microsoft survey found that more than 90% of companies have been impacted by phishing attacks since early March 2020.
In pretexting attacks, hackers create a good “pretext” or fabricated scenario by which they steal personal information. For instance, a scammer will call the victim and say they need certain personally-identifying information, like a Social Security number, to verify their identity. The scammer is just using the pretext as a way to steal someone’s identity or get deeper into the organization’s network.
Spoofing and web spoofing are a form of social engineering attack in which fraudulent information is provided through phone calls, emails, or websites. Hackers modify web forms and send them to individuals who innocently provide their private information, such as credit card numbers or SSNs.
Spoofing is not that different from what is known as a “quid pro quo” attack. “One of the most common types of quid pro quo attacks that’s come out in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA). These fake SSA personnel contact random individuals, inform them that there’s been a computer problem on their end, and ask that those individuals confirm their Social Security Number, all for the purpose of committing identity theft,” wrote one industry expert.
It’s also important to note that these types of attacks aren't mutually exclusive. Good phishing attacks rely on degrees of pretexting and spoofing. Often, social engineering leads to the use of a technical weapon, like malware or ransomware. Team members need to be on alert for all different types of psychological tricks and their variations.
Clearly, social engineering attacks range from the obvious (Nigerian prince email schemes) to the insidious (creating a fake web form to capture personal details). How can you train your employees and coworkers to recognize the plethora of social engineering examples?
How to prevent social engineering
Social engineering is effective because it targets human weaknesses. As a result, your defense to prevent social engineering attacks must be both human-focused and include a technical element.
Training is imperative to help your team be on the alert for phishing emails and pretexting. Educate your organization to watch out for messages with poor spelling and grammar, as well as an email address that doesn’t match the user. As a good rule of thumb, if an offer seems too good to be true, it’s probably an indication of social engineering.
In addition to training, it’s important to implement a safety net in the form of multi-factor authentication, spam filters, and other security solutions. A data loss prevention (DLP) platform that integrates into your cloud programs can also help your IT team monitor for data leaks. Nightfall is one DLP platform that uses machine learning to scan data with over 150 detectors, alerting team members when they share sensitive data in potentially unsafe ways across cloud applications, like Slack, GitHub, and Google Drive.
Nightfall can be fully customized to scan your SaaS and IaaS environments for valuable information that is at risk. IT administrators can set custom actions to prevent employees from inadvertently (or mistakenly) sharing data and delete messages with sensitive data like usernames and passwords, credit card numbers, or protected health information (PHI).
Social engineering is a quickly evolving field — and this guide just scratches the surface. For more, and to learn how social engineering fits into the larger cybersecurity landscape, read our complete 2021 Security Playbook for Remote-first Organizations.
Learn more about Nightfall by scheduling a demo at the link below.