When considering attack methods a cybercriminal may use to gain access to a network or business’s IT system, the most obvious are cracking passwords, hacking computers or exploiting software vulnerabilities. However, when businesses are trying to increase their security, one of the most dangerous methods is often not given enough attention, these are social engineering attacks.
What is social engineering?
Social engineering attacks rely on human interaction to manipulate users into breaching security policies or giving away sensitive information. These attacks are often more effective as it is easier to find vulnerabilities in people than it is to find vulnerabilities in software or networks.
The first stage of many social engineering attacks is for the cybercriminal to performance research on the target employee or business. Through this research they are able to formulate an attack that will be effective by engaging and deceiving the victim to eventually gain malicious access to a network or system.
Common Social Engineering Attacks
Phishing is the most common social engineering attack, and one of the most common attack vectors in general. A phishing attack is where an attacker sends a fraudulent email disguised to be from a trusted source, with the goal of tricking the victim into clicking a malicious link or downloading a malicious file. Some phishing attempts may be sent out in bulk and be easily spotted through poor spelling and punctuation or if it is sent from an unknown email address. However, threat actors may do significant research before crafting a phishing email to tailor it to the victim. This may include making it look like the email is from a vendor or customer, or including information highly relevant to the target in order to gain their trust, making it more likely for them to open a link or download a file. Hackers can also spoof the email address to make it seem as though the email is sent from a trusted sender.
Baiting is the process of luring a victim into a trap that compromises a company’s network or a user’s personal information. The trap may the promise of a digital item or good to entice the victim, however it is more common to use a physical item. A baiting attack that is common amongst hackers is to leave a USB in a business or its car park. The USB may have a label on it with text that will pique the interest of a potential victim, such as ‘private’ or ‘important’. Once the USB is connected to a computer it will run malicious code and the hacker will gain access to the network or IT systems.
Pretexting is a method of social engineering attack whereby the attacker attempts to convince the victim to share valuable information or login credentials to a network or system. The attacker assumes a false identity, often one a position of authority, in order to fool the victim. An example of this may be an email impersonating a CEO or business executive asking for login credentials for a system as they have ‘forgotten theirs’. This method of social engineering can be similar to phishing, however the focus in on creating a false narrative to obtain the information.
A watering hole attack is a social engineering method whereby the attacker identifies a website that is frequented by a target user or organisation and compromises the website with malware in order to infect the target. This is also a method of supply chain compromise as it uses the prior research to compromise a third party to breach the actual target.
How to protect against social engineering attacks
As social engineering attacks are focused on human interaction, the best method of preventing them is through education of employees and a strong security culture within an organisation. For phishing, baiting and pretexting, employees should be aware of the risk of an attack and methods that cybercriminals are using as this will make it more likely for an employee to notice and report an attempted attack before it is too late.
It can be difficult for a business to protect themselves against watering hole attacks as it is a third-party website that is infected. With this being said, if a business keeps their software and operating systems up to date it greatly decreases the chance of the malware compromising a system. For phishing and pretext attacks it is also best practice to have software in place that will flag phishing emails, email spoofing and malicious links before they even arrive in an employee’s inbox. Mimecast uses AI to do this and can run internal phishing tests to ensure employees notice and report phishing attempts, which can further strengthen an organisation’s security culture.
If you want to find out more on how to protect your business against social engineering attacks, get in contact with us today by clicking the Get In Touch button in the bottom right hand corner of the page!