One of the biggest threats to information security is the use of social engineering to deceive and manipulate people. Criminals who use these tactics typically find it easier to access restricted information by gaining someone’s trust than by hacking into their computer. Social engineering attacks can occur online, over the phone, and in person, and it’s important to recognize them and respond appropriately. The following are five common attacks to watch out for.
Phishing
Probably the best-known form of malicious social engineering is phishing. Phishing is an email scam that tries to trick victims into revealing information by posing as a legitimate business or individual. A phishing email might appear to come from your bank, asking you to log in and verify your account. You can often spot a phishing attempt by the sender's address (@bancofamerica.com rather than @bankofamerica.com, for example) or by poor grammar in the message.
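The lookalike-domain check described above can be automated. The following is an added example, not code from the original article: it parses the From: header of a message, extracts the sender's domain, and classifies it as trusted, a lookalike of a trusted domain (close edit distance, or a trusted brand embedded in an unrelated domain or display name), or unknown. The trusted-domain list and all sample addresses are constructed for illustration.

```python
"""Flag sender addresses whose domain merely looks like a trusted one.

Added example (not part of the original article). TRUSTED_DOMAINS and the
sample headers below are constructed; replace them with your own allow-list.
"""
from email.utils import parseaddr

# Constructed allow-list of domains your organisation actually deals with.
TRUSTED_DOMAINS = {"bankofamerica.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_from_header(header_value: str):
    """Return (display_name, domain) from a From: header such as 'Bank <x@y.com>'."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return name, ""
    return name, addr.rsplit("@", 1)[1].lower().strip()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header as 'trusted', 'lookalike', 'unknown' or 'malformed'.

    - trusted:   domain is exactly a trusted domain or one of its subdomains
    - lookalike: domain is within max_distance edits of a trusted domain, or a
                 trusted brand label appears inside an unrelated domain or the
                 display name (the classic "Bank of America <x@example.org>")
    - unknown:   nothing ties the sender to a trusted domain
    """
    name, domain = split_from_header(header_value)
    if not domain:
        return "malformed"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    squashed_name = name.lower().replace(" ", "")
    for t in trusted:
        brand = t.split(".")[0]                     # "bankofamerica"
        if levenshtein(domain, t) <= max_distance:  # bancofamerica.com
            return "lookalike"
        if t in domain or brand in squashed_name:   # bankofamerica.com.evil.example
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    samples = [
        "Bank of America <alerts@bankofamerica.com>",
        "alerts@mail.bankofamerica.com",
        "security@bancofamerica.com",
        "Bank of America <alerts@bankofamerica.com.login-check.example>",
        "Bank of America <friend@example.org>",
        "friend@example.org",
        "not an address",
    ]
    for s in samples:
        print(f"{classify_sender(s):10} {s}")
```

The edit-distance threshold of two catches single-character swaps and typo-squats such as a dropped letter; raise it only with a short allow-list, since a looser threshold on a long list produces false alarms. An exact match is not proof of legitimacy either, because the From: header is attacker-controlled unless SPF, DKIM and DMARC checks pass upstream, so treat this as a triage signal rather than a verdict.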
Pretexting
Another common form of social engineering is pretexting. To carry out this type of attack, the hacker poses as someone the victim trusts in order to obtain sensitive information. The strategy involves not just a false identity but a story, or pretext, that appears to legitimize the request. For example, a hacker might pose as an auditor who needs access to the company's financial records.
Baiting
Hackers often use malware to steal data or render it unusable, and baiting is a means of getting people to install that malware themselves. The bait is something the target is likely to find attractive, like a free game or app. It might also be a physical flash drive carrying malware. Sometimes hackers mail out free flash drives as a reward for completing a survey. Another tactic is to give a flash drive a tempting label, like "Salaries and Bonuses" or simply "Private," and leave it where someone is likely to find it and plug it in.
Quid Pro Quo
The Latin phrase “quid pro quo” literally means “something for something else.” In a quid pro quo social engineering attack, the hacker offers a service in return for some action they want their target to perform. For example, a hacker might pose as an IT technician who is calling to offer a free software upgrade. To get it installed, the target has to disable their antivirus software temporarily, thus allowing the hacker to install malware on the victim’s computer.
Tailgating
Some social engineering attacks are carried out in person. Tailgating, also known as piggybacking, is the practice of entering a restricted area by following an authorized person through the door. A hacker might ask someone to hold the door, explaining that they left their key card at home. Another form of tailgating occurs when a hacker asks to borrow someone's phone or laptop to take care of something urgent, exploiting the target's willingness to help someone in need.
To protect yourself from social engineering attacks, you need to anticipate them and regard any unsolicited email or call with suspicion. Downloading files from an unknown source is especially risky. In addition to being cautious in your behavior, you also need to protect your data with a firewall, antivirus software, and other security measures.