The human systems set up around technology are consistently the weakest link in the security chain. Attention to detail when establishing training and security infrastructure can protect businesses from cyberattacks and their related fallout.
Social engineering is the psychological manipulation of people to gain access to confidential information or systems. It is a form of confidence trick used for information gathering, fraud, or system access. Social engineering attacks are used to steal employees’ confidential information or data, and they most commonly happen over the phone or by email. Other examples include criminals posing as service workers or technicians so that they go unnoticed while accessing a business’s physical site.
Cybercriminals use the following social engineering tactics to carry out cyberattacks effectively:
Phishing
Phishing is a technique for obtaining private information through manipulation. Typically, the phisher sends an email that appears to come from a legitimate business, asks the victim to verify account or personal information, and warns of complications should it not be provided. That threat pressures the victim into revealing sensitive information.
Water holing
A targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. Because the victim feels safe there, they do things they would not do in a different situation. The attacker readies a trap for the victim at that trusted location.
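The phishing pattern described above (a sender posing as a legitimate business, a request to verify information, a threat if the victim does not comply) can be checked for mechanically on the receiving side. The scanner below is an added example written for this article, not code from the page or from any product it mentions; the brand table, the urgency phrases and the two sample messages are all constructed for the demonstration, and the thresholds are assumptions.

```python
"""Heuristic phishing-indicator scanner (added example, not from the page).

Flags the traits the article describes: a message that appears to come from
a legitimate business, urges the reader to verify information and threatens
consequences. The brand table, phrase list and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> legitimate sending domain table (assumption for the demo).
KNOWN_BRANDS = {"examplebank": "examplebank.com"}

# Constructed list of urgency / threat phrases typical of the lure described above.
URGENCY = re.compile(
    r"\b(verify|confirm|suspend(ed)?|within \d+ hours?|immediately|"
    r"account will be (closed|locked))\b", re.I)


def _host(value):
    """Hostname of an e-mail address or URL; bare 'host/path' link text is accepted."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body(msg):
    """Concatenated decoded text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = _host(addr)

    # 1. Display name invokes a known brand but the sending domain is not that brand's.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in name.lower().replace(" ", "") and from_host != legit \
                and not from_host.endswith("." + legit):
            found.append(f"display name claims '{brand}' but sender domain is {from_host}")

    # 2. Replies are steered to a different domain than the apparent sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and _host(reply) != from_host:
        found.append(f"Reply-To domain {_host(reply)} differs from From domain {from_host}")

    # 3. Urgency or threat language in the body (the 'complications' warning).
    body = _body(msg)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    if hits:
        found.append("urgency/threat language: " + ", ".join(hits))

    # 4. Link text shows one host while the href points at another.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if "." in text and " " not in text and _host(text) != _host(href):
            found.append(f"link text {text!r} but href host is {_host(href)}")
    return found


def is_suspicious(raw_message, threshold=2):
    """True when at least `threshold` independent indicators are present (assumed cut-off)."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages: one lure in the style the article describes, one benign.
PHISH = """\
From: ExampleBank Security <alerts@examplebank-secure-login.net>
Reply-To: support@mail-verify.example
To: employee@corp.example
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>We could not verify your account. Your account will be locked within 24 hours.</p>
<p>Please confirm your details at <a href="http://examplebank-secure-login.net/verify">examplebank.com/verify</a></p>
"""

LEGIT = """\
From: ExampleBank Newsletter <news@examplebank.com>
To: employee@corp.example
Subject: Monthly update
Content-Type: text/plain; charset=utf-8

Our branches will have extended hours next month. No action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Each indicator on its own is weak (legitimate mail does sometimes set a different Reply-To), which is why the decision is made on a count of independent signals rather than any single one; in a real mail pipeline these heuristics would sit alongside SPF/DKIM/DMARC results rather than replace them.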
Quid pro quo
An attacker contacts random people at a company, claiming to be calling for a legitimate reason. Eventually the attacker finds someone with a real problem who is grateful for the proactive help, and then attempts to extract sensitive information from that victim while assisting with the problem.
Social Engineering Defenses
There are several defenses available to companies that help protect against social engineering attempts on their employees:
Establishing a standard trust framework: Building a robust framework of trust at the employee level by training personnel on how sensitive information should be handled.
Scrutinizing information: Identifying which data is confidential and evaluating its exposure to social engineering and to breakdowns in security systems.
Following security protocols: Establishing security protocols, policies, and procedures for handling sensitive information.
Training employees: Training employees in the security protocols relevant to their position.
Periodic testing: Developing a framework is essential, but employees must be tested to make sure they are absorbing the information. Running controlled social engineering experiments to see how employees react can help steer training and discussions in the right direction.
Centrality provides the world’s most advanced training and simulation tool, Barracuda’s PhishLine, to measure your organization’s vulnerability to phishing emails and social engineering attacks. Moving your users from the attack surface to part of the solution, PhishLine helps sharpen their anti-phishing skills with end-user testing, reporting, and comprehensive metrics. If you have questions or would like more information about PhishLine, contact us at 502.267.2552.