Keeping software and firewalls up to date on our electronic devices may have become second nature to those of us aware of the importance of IT security. But some attacks are specifically designed to circumvent these defences and instead target the person in charge of the device. Social engineering is an increasingly prevalent form of cybercrime which exploits human weaknesses to gain access. Some types involve technology, but others rely on direct interaction between two human beings to reach the valuable personal data which lies beyond. Here are five of the most common attack styles you and your staff should be aware of.
- Phishing
Phishing scams have been around for years. Phishing is the most well-known style of social engineering, and yet people still fall for it. These are usually emails, but can be IMs, texts or even phone calls which appear to come from a legitimate, trusted source such as your bank, school or doctor. They may request personal information, contain embedded links to malware sites, or manipulate and threaten the recipient through the language they use. Many email providers weed out phishing scams, but some still land in our inboxes, leaving people vulnerable to doing exactly what the attackers want.
- Pretexting
A little more thought goes into pretexting scams, as the attacker works to develop a scenario (the pretext) through which they can obtain valuable data and information from a company. They may simply pose as a credible third party and gain the trust of an unsuspecting employee or, in more advanced pretexting attacks, they may manipulate their contact into unknowingly weakening the entire IT security of the company through seemingly basic actions.
- Baiting
This form of social engineering offers victims something for free in return for their details. Usually it’s something downloadable which they can access only by entering login credentials. If the message appears to come from a trusted company, many people will not think twice about the legitimacy of the offer, let their guard down and give away their personal information.
- Quid Pro Quo
Often taking the form of phone calls, a quid pro quo attack offers the victim something beneficial in exchange for an action. A classic example is attackers posing as IT support staff and phoning employees in a company to offer their assistance. People are immediately less suspicious of what they are being asked to download when a real person is telling them to do so. While many of us know not to open links in an email from an unfamiliar account, quid pro quo attacks can be very successful. Some can get people to disable their own firewalls and antivirus software before directing them to malware disguised as legitimate software. This is just one example, however, and quid pro quo attackers offer a wide variety of benefits and freebies.
- Tailgating
Some attacks on our IT security are launched in a more hands-on way. Gaining access to corporate buildings can be a challenge, but social engineering has capitalised on a known weakness: our reluctance to question strangers. Dressed as delivery drivers or other people who won’t arouse suspicion in a business setting, attackers loiter outside until they can slip in behind an employee, tailgating on that person’s legitimacy. Alternatively, attackers with good social skills have been able to talk their way past friendly security guards. Once inside, they have the potential to access a large number of devices, any of which could contain valuable data or enable the attacker to compromise the network.
It is no longer enough to have great IT security in terms of software, firewalls and even an IT team on site. The weaknesses now lie not in our technology but in our employees. People need to be educated about social engineering techniques to increase their awareness and minimise the risk of falling victim to an attempt. It is far harder to strengthen human psychology than it is to strengthen a firewall, but organisations must try to do exactly this as black hat hackers continue to evolve stealthier, cleverer and more dangerous tricks.