For hackers looking to gain access to company networks, company buildings, and other off-limits areas, they likely will deploy social engineering attacks. Social engineering relies on weak points and errors that team members make while trying to do their work and protect sensitive information.
Our guide to social engineering will help you understand these attacks and how to better protect sensitive information.
What Is Social Engineering Anyway?
In its most basic form, social engineering involves tricking someone into violating company policies or revealing confidential and personal information. A hacker using this tactic would be seeking information that he or she could use to gain access to a computer network or to an organization’s sensitive data.
Most social engineering hacks involve computer networks and personal accounts, but they also can involve a hacker seeking physical access to a secure building or piece of property.
Because the software and techniques used to protect sensitive information on a network work so well, hackers often turn to social engineering. Typically, the weak point in a network security system is the person using it. For example, a person may inadvertently reveal a password and user name combination to a hacker pretending to be someone else.
In very little time, hackers can send out thousands of fake requests for information to team members. It only requires fooling one of the team members to result in a successful social engineering hack. From the hacker’s perspective, social engineering is more efficient than other means of trying to gain access to the network or to confidential data, such as brute force attacks.
Consequences of a Social Engineering Attack
A successful social engineering attack can create a number of consequences for the organization and team members.
- Disruption: When a social engineering hack succeeds, the organization may be out of business for a few hours to several days. This disruption of services negatively affects subcontractors and customers, leading them to look elsewhere for a business partner.
- Financial loss: An organization could suffer a financial loss through the direct loss of money that a hacker is able to steal or through money spent to try to recover from the hack. Hackers also can create a financial loss through compromised data that reduces the organization’s value.
- Loss of trust: After a social engineering attack exposes the sensitive data of your organization and of customers, the organization’s trustworthiness takes a hit. Customers and other partners may not trust your security protocols, making them leery of working with you.
- Productivity loss: When team members must stop their normal workday because of a successful social engineering hack, the organization’s productivity drops. Some of the organization’s resources must immediately go toward dealing with the hack, leaving other tasks unfulfilled.
How Social Engineering Works
Many social engineering attacks are successful because they use information gleaned from surveillance to take advantage of people working on a computer network or in a secure building. Certainly, some social engineering attacks work that are far less sophisticated than those described here. But most hackers will spend a bit of time in preparation to create a successful social engineering hack.
One of the key aspects of a successful social engineering attack is making the request seem as legitimate as possible. A hacker using social engineering may do some research on your organization to come up with ways to try to make a request seem real.
The hacker will collect background information. He or she then will use that information to start an interaction that may appear legitimate. At first, the hacker may make harmless requests to strengthen the trustworthiness of the collaboration. After securing a sense of trust, the hacker then may ask for sensitive information.
Playing on Emotions
Hackers making use of social engineering often will try to play on the emotions of the victim. This can involve techniques including:
- Creating a sense of urgency or time sensitivity for receiving the information
- Projecting guilt if you refuse to help
- Using fear or anger if you try to resist helping
- Developing a sense of trust from you
- Appealing to your curiosity or excitement about a project
- Appealing to your sense of decency and kindness
- Generating a sense of being helpless or in a bad situation
- Creating confusion for you
Overwhelming Number of Interactions
Social engineering also takes advantage of the fact that many network users receive dozens, if not hundreds, of emails and other messages every day. In a large organization or when dealing with quite a few people who work outside the organization, it is impossible for team members to be able to recognize every person who sends an email during the day.
When rushing through messages, team members may not be as careful about questioning the validity of each individual message. They may reply to a social engineering attack without even realizing it.
Example 1: Phishing Attacks
Phishing attacks represent a common form of social engineering. The hacker typically sends a message by email. The message will appear to be legitimate, but the link inside the message goes to a malicious website or launches a piece of code that allows the hacker to gain access to the user’s account, to the user’s device, or to the network.
This is a passive attack style, as the end user is not specifically sharing sensitive information in response to the message. The end user may share personal data after going to a fake website, though.
Hackers will go to great lengths to try to make the message and link seem legitimate. This may include using familiar graphical elements and fonts. The fake URL address in a link may seem real, simulating the actual dot-com address of the company.
Because of the level of sophistication involved, it can be easy for a phishing attack to fool the recipient if he or she doesn’t have the training to spot phishing attempts. On the other hand, poorly done phishing attacks will have typographical or grammatical errors in the message.
The best defense is to never click on a link in a message like this. Instead, open a fresh browser window and type the URL address that you intend to visit.
Similar attacks occur over voice calls (vishing) or over text messages (smishing).
Example 2: Pretexting Attacks
In a pretexting attack, the hacker will request sensitive or personal information from the victim through a message.
The sophistication behind this type of social engineering hack occurs when the hacker creates a fake scenario in which he or she needs the victim’s information. Often, this will involve sending an email that tells the victim the hacker needs just a little bit of personal information to verify the victim’s identity.
To generate additional trust from the victim, the hacker often will pose as a human resources employee or as an employee from a bank or a credit card company. The hacker may even spark fear in the victim by demanding an immediate reply under the threat of suspension of the victim’s account.
The hacker may request that the victim submit this information through a reply to the email, through a link to a fake website that looks legitimate, or by calling a fake phone number included in the email.
Again, victims should never click on links in emails or instant messages. Don’t rely on any phone number inside the message, either. Look up the phone number from a trusted site if you want to make a call to verify the request.
Example 3: Piggybacking Attacks
Although social engineering attacks often involve computer networks and email accounts, some hackers use social engineering to try to gain physical access to an organization’s secure location. The hacker then may try to steal data or hardware through insider access.
In a piggybacking attack, the hacker will appeal to your sense of kindness.
In a secure building, you may need a keycard or a PIN to unlock a door. Perhaps a hacker poses as a fellow employee or as a delivery person waiting to enter the building. The hacker will tell you a story about being unable to get inside the building and ask if you can open the door. Many people will want to help, so they will give the hacker access.
Training is the best way to stop piggybacking attacks. Tell the employee to offer to have security personnel help the person waiting to enter the building without a keycard.
How to Get Started With Defeating Social Engineering
When seeking to reduce the possibility of being the victim of a social engineering attack, companies can take a number of steps. Some of these steps involve training network users to better recognize potential social engineering attacks. Some involve adding software and technological barriers to reduce the number of attacks that make it to the network users.
Step 1: Training Network Users
Organizations need to set up and maintain a training schedule for team members in regard to social engineering attack techniques. Team members do not want to fall for social engineering attacks. But they may not have the know-how or awareness about the techniques hackers use.
Because hackers change their techniques on a regular basis, regular training that discusses new hacks is helpful.
However, team members may become numb to training if it occurs too frequently or if security leaders send constant updates and advice via email. They may begin ignoring the training. They may become less vigilant. Security leaders have to find the right balance between not enough and too much training regarding social engineering attacks.
Step 2: Deploying MFA
When social engineering attacks attempt to trick network users into sharing their personal information for login data, organizations can combat this type of slip-up through the use of multi-factor authentication (MFA) or two-factor authentication (2FA).
By forcing team members to submit both a username-password combination and at least one other form of digital identification, organizations can thwart many social engineering attacks that involve trying to gain illegitimate network access.
If the hacker steals a team member’s user name and password, the network would remain safe as long as 2FA or MFA is in use. The hacker almost certainly would not have access to the additional forms of digital identification the team member needs to access the network.
This extra form of digital ID could involve a PIN sent to the team member’s smartphone via text message or a fingerprint scan. Hackers typically would not have access to these items.
Multi-factor authentication will rely on information within three basic categories.
- Personal information, such as your password or a PIN
- A device or account you own, such as a smartphone or a keycard
- A characteristic unique to you, such as a fingerprint or an eye scan
By combining information and characteristics from within these categories, MFA is very difficult for certain social engineering attacks to overcome.
Step 3: Installing Security Tools
The end user’s ability to protect sensitive data and to make the right choice is always the weakest point in the network. Installing security tools that limit the number of social engineering attacks that reach the end user can greatly reduce the chances of an end user making an error.
These tools can include things like:
- Running antivirus software
- Scanning emails
- Blocking malicious websites
- Blocking requests from IP addresses marked as dangerous
- Deleting phishing messages
- Blocking outgoing requests from team members that seem suspicious or dangerous
Ideally, the software and other tools would block every incoming and outgoing item related to a social engineering attack. However, such tools are not perfect. They won’t stop every attack, and they may even block some legitimate incoming and outgoing messages and requests.
Those in charge of security need to find the right balance in deploying security software. If the system blocks too many legitimate requests, team members will look for ways around it. But if the system doesn’t block enough social engineering attacks, it won’t provide the level of protection your organization needs.
Step 4: Making Use of a WAF
One of the best modern tools an organization can deploy against social engineering attacks is a WAF, or web application firewall.
The WAF protects specifically against application layer social engineering attacks. Such attacks continue to grow in frequency. The WAF will monitor HTTP and HTTPS traffic going back and forth from the internet to the web application inside the network. Should it find a suspicious or malicious attack within this traffic, it will block the traffic.
A WAF is available as on-premises hardware and software. It also is available as cloud-based software. Some WAFs will use machine learning to automatically update their policies to deal with new potential threats. Other WAFs require that you make manual updates to the policies.
Step 5: Hiring a Firm to Do Penetration Testing
Depending on your budget and the size of your organization, you may want to hire a firm to perform penetration testing on your network. Penetration testing involves having a firm run a simulated series of social engineering attacks on the network and on the team members.
Penetration testing is a great tool, as it allows security personnel to easily see weak points in the network. They then can set up training processes that focus on these areas of weakness. They can deploy software solutions that provide focused protection in the areas where the organization needs help too.
Firms that run penetration testing can perform their work on a few different levels.
- They can simulate a random external attack.
- They can work like a malicious insider trying to pass sensitive data to someone outside the network.
- They can operate in a stealth mode, so security personnel have no idea when and where the simulated attack will occur.
- They can perform the attack in full view of the network security team, so they can monitor how the system and the team members respond in real time.
Penetration testing can be pricey. But when you hire a really good penetration testing firm, it is one of the best techniques you can use to battle social engineering attacks.