DIFFERENT TYPES OF SOCIAL ENGINEERING
There are a few different social engineering tactics used by cyber criminals to gain access to sensitive data and information, including:
- Phishing
We talked briefly about this last week. Phishing is the most common type of social engineering and typically arrives as an email, chat message, web ad or website built to impersonate a real organisation, e.g. a bank or public utility. Some phishing messages ask the user to “verify” their login details on a mocked-up login page, complete with logos and branding so it looks legitimate; anything typed into that page goes straight to the attacker. Some say the user has won a prize and request bank details so the “winnings” can be deposited. Others ask for a charitable donation after a natural disaster or tragedy.
- Baiting
Baiting offers the user something enticing, such as a free music or movie download or some other giveaway, in exchange for login details or sensitive information. Once the bait is downloaded or opened, malware is installed on the user’s system.
- Quid Pro Quo
Similar to baiting, quid pro quo is a request for login details or sensitive data in exchange for a service, e.g. an attacker posing as a technology expert calls a user and offers free IT assistance or technology upgrades in return for their login details.
- Pretexting
Pretexting is the conversational counterpart to phishing. The attacker invents a plausible story (the pretext) and builds false trust with the user by impersonating a co-worker or authority figure, then asks for login details or other access. For example, an employee may receive an email from what appears to be IT support, or a chat message from an “investigator” who claims to be performing a corporate audit.
- Piggybacking
Also known as “tailgating”, piggybacking is when an unauthorised person physically follows an authorised person into a restricted area, or borrows a device that person has already unlocked. Examples include an attacker calling out to an employee to hold the door because they “forgot” their access card, or asking an employee if they can quickly borrow their laptop or phone.
HOW CAN YOUR BUSINESS PREVENT SOCIAL ENGINEERING ATTACKS?
As with other cyber security threats, prevention is the key when it comes to minimising the risk of social engineering. Here are some of the most effective ways to prevent social engineering attacks on your business:
1. Employee education
Without doubt, the best defence against social engineering fraud is educating your people. Every employee in your organisation needs to know what social engineering is, the common types of fraud, and how to identify and respond to an attack.
2. Policies and procedures
Employees at every level of the organisation need a clear set of guidelines for responding to suspected social engineering. These may include verification checks before releasing or exchanging information (for example, calling the requester back on a number you already hold rather than one supplied in the request), at least two-person authorisation for any change to vendor or client payment details, reinforcing building security so that doors are not held open for people without a pass, and a rule against connecting unknown devices to company systems.
3. IT security
National IT goes to great lengths to keep your IT security fully up to date. This includes installing the latest anti-virus software, firewalls and email filters, which stop many phishing messages and malware downloads before a person ever sees them. Unfortunately, because social engineering targets people rather than software, technical controls are only one layer of protection. They are not the be-all and end-all.
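As an added example (this is not National IT’s tooling or code from the original post), the script below shows the kind of checks an email filter can apply to the lures described above: a display name that claims a bank while the address comes from somewhere else, a look-alike sender domain, a Reply-To that diverges from From, a link to a look-alike host, and “verify your login”, prize or donation wording. The trusted-domain list, the thresholds and the three sample messages are all constructed for this example and are not real mail.

```python
"""Heuristic phishing triage for one inbound message (added example, not National IT code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: the real domains of organisations this business deals with.
TRUSTED_DOMAINS = {"examplebank.com", "citypower.example"}

# Lure wording taken from the tactics described in the post; matched case-insensitively.
LURES = {
    "credential lure": r"\b(verify|confirm|update)\b.{0,40}\b(login|account|password|details)\b",
    "prize lure": r"\b(won|winner|winnings|prize)\b",
    "donation lure": r"\b(donat(e|ion)|relief fund|appeal)\b",
}
SEVERE = {"brand impersonation", "lookalike domain", "lookalike link"}


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand(domain):
    """Crude brand token: the label before the last one (no public-suffix list here)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # examp1ebank.com (typo-squat) or examplebank-secure.com (brand embedded elsewhere)
        if levenshtein(domain, trusted) <= 2 or brand(trusted) in domain:
            return trusted
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return [(finding, evidence), ...] for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )
    findings = []
    # 1. Display name drops a trusted brand but the address belongs to someone else.
    shown = name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if brand(trusted) in shown and sender != trusted:
            findings.append(("brand impersonation", f"{name!r} <{addr}>"))
    # 2. Sender domain imitates a trusted one.
    target = lookalike_of(sender)
    if target:
        findings.append(("lookalike domain", f"{sender} ~ {target}"))
    # 3. Reply-To points elsewhere: replies (and any "verification") go to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender:
        findings.append(("reply-to mismatch", f"{sender} -> {domain_of(reply)}"))
    # 4. Links to a mocked-up login page on a look-alike host.
    for host in re.findall(r"https?://([\w.-]+)", body):
        if lookalike_of(host):
            findings.append(("lookalike link", host))
    # 5. Lure wording in the body.
    for label, pattern in LURES.items():
        m = re.search(pattern, body, re.I | re.S)
        if m:
            findings.append((label, m.group(0)))
    return findings


def verdict(raw):
    """'quarantine' on any impersonation signal or two+ findings, 'flag' on one, else 'deliver'."""
    labels = {label for label, _ in triage(raw)}
    if labels & SEVERE or len(labels) >= 2:
        return "quarantine"
    return "flag" if labels else "deliver"


# Constructed sample messages (not real mail).
PHISH = """\
From: ExampleBank Security <alerts@examp1ebank.com>
Reply-To: support@mail-verify.example
Subject: Action required: verify your login details

Unusual activity was detected. Please verify your login details within 24 hours
at https://examplebank-secure.com/login to avoid suspension.
"""
PRIZE = """\
From: Promotions <promo@lucky-draw.example>
Subject: Congratulations

You have won a prize! Send your bank details so we can deposit your winnings.
"""
LEGIT = """\
From: Example Bank <statements@examplebank.com>
Subject: Your monthly statement

Your statement is available in online banking at https://examplebank.com/statements.
"""
```

Running `verdict()` over the three samples gives “quarantine” for PHISH (five findings, three of them impersonation signals), “flag” for PRIZE (wording only, no impersonation) and “deliver” for LEGIT. Real filters layer this kind of content heuristic on top of SPF/DKIM/DMARC results and reputation data; the point here is that the lures the post describes are mechanically recognisable, which is why filtering catches a large share of them and why the remainder still needs a trained person.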
4. Test for vulnerabilities
Periodically test the people, process and technology elements of your social engineering defences (a simulated phishing campaign is the usual way to test the people element). Look for gaps or weaknesses so you can work on strengthening them before a real attacker finds them.
If you do fall victim to social engineering fraud, you want the peace of mind of knowing you’re protected against the losses your business may sustain. Standard insurance packages and crime insurance policies often fall short here: they commonly exclude losses where the transfer of money, securities or property was carried out knowingly by an employee, which is exactly what happens when an employee is tricked into making a payment. That’s why having the right insurance cover is so important.
National IT are always happy to discuss these points with you. If you are unsure about any aspect of these prevention measures, give us a call!