With today's distributed workforce and our greater reliance on remote work, cybersecurity risks have steadily increased. Social engineering lies at the root of as many as 98% of IT security attacks and roughly 43% of IT professionals report being targeted by social engineering.
When these attacks are successful, they result in significant business impact and losses. Explore the types of social engineering and how you can protect your management, staff, stakeholders, and business operations:
What is Social Engineering?
Social engineering uses human psychology to “engineer” or manipulate people into surrendering confidential information and valuable assets.
For example, instead of hackers attacking your network, they may pose as an IT support person to trick a staff member into revealing their credentials.
Cybercriminals seek passwords, passcodes, consumer data (such as social security numbers), financial data, or business secrets. Alternately, they may try to install software such as ransomware to control and exploit information on your company’s devices.
Social engineering can have wide-reaching effects—as evidenced by the May 2021 ransomware attack that shut down the Colonial Pipeline and the Kaseya data leak. An attack can result in millions of dollars lost in ransom payments and remediation efforts. It is far better to avoid a cybersecurity attack than to recover from one.
Types of Social Engineering
Cybercriminals use several forms of social engineering, including:
Impersonation means that the social engineer pretends to be someone the victim will trust in order to gain illicit access. For example, they could pose as an employee who “forgot” their access card and “tailgate,” or follow closely behind, a legitimate employee entering a secured space. Once inside, they can access confidential data.
Cybercriminals often design elaborate storylines to trap unsuspecting management and staff. A classic example is a well-known prince in dire need of your banking details to transfer a large inheritance. These scenarios will often correlate with the specifics of your industry, so be vigilant and always fact-check any requests.
Phishing attacks use email and malicious websites to trick people into submitting personal information by posing as a legitimate institution. For example, cybercriminals could pretend to be a financial institution asking customers to update their online banking details. Clicking a link in the email takes the victim to a fake website that captures their login credentials.
Spear phishing targets specific individuals in your company, often a CEO, CFO, department head, etc. The goal is to gain access to the confidential and proprietary data held by these high-value targets.
Vishing uses phone calls or voicemail to communicate messages that prompt a quick, fearful response from the recipients. They may tell the victim to immediately take action (like calling a number or sending money) to avoid arrest or some other negative consequence.
Smishing uses SMS or text messages with malicious links to steal user data. These links may lead to compromised websites or initiate a call to the cybercriminals to carry out the fraudulent act.
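The phishing and smishing paragraphs above both hinge on a link whose visible text or context does not match where it really goes. The following Python is an added example, not code from the original article or from its author, showing how a mail gateway or help-desk triage script could flag the most common deceptive-link patterns: links to raw IP addresses, user-info tricks that hide the real host, visible link text that names one domain while the href points at another, and links whose host is outside an allow-list of trusted domains. The sample email body, the `examplebank.com` and `evil-example.net` names, and the 203.0.113.7 address are constructed for illustration; the two-label "registrable domain" rule is a deliberate simplification that would misjudge suffixes such as `co.uk`.

```python
"""Flag deceptive links in an HTML email body (illustrative, defender-side check)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: two deceptive links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.7/login">update your details</a>.</p>
<p>Or visit <a href="https://secure-examplebank.com.evil-example.net/verify">
https://secure.examplebank.com/verify</a> within 24 hours.</p>
<p>Read our <a href="https://www.examplebank.com/help">help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(value):
    """Lower-case hostname of a URL or URL-looking text ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value          # urlparse needs a scheme to find the host
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Naive registrable domain: last two labels (simplification, see lead-in)."""
    return ".".join(host.split(".")[-2:])


def text_looks_like_url(text):
    return re.match(r"^(https?://|www\.)", text.strip(), re.IGNORECASE) is not None


def find_deceptive_links(html, trusted_domains):
    """Return a list of (href, visible_text, reason) for links that deserve scrutiny."""
    parser = _LinkCollector()
    parser.feed(html)
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reason = None
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reason = "link points at a raw IP address"
        elif "@" in urlparse(href).netloc:
            # http://trusted.example@evil.example/ actually goes to evil.example
            reason = f"user-info before '@' hides the real host {host}"
        elif text_looks_like_url(text) and registrable(host_of(text)) != registrable(host):
            reason = f"visible text names {host_of(text)} but the link goes to {host}"
        elif registrable(host) not in trusted:
            reason = f"link host {host} is not in the trusted-domain list"
        if reason:
            findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(f"SUSPICIOUS: {reason}\n  text: {text!r}\n  href: {href}")
```

Run against the constructed message, the script reports the raw-IP link and the look-alike `evil-example.net` link and stays silent on the genuine `www.examplebank.com` help link. In practice the trusted-domain list would come from your own mail and web infrastructure, and the registrable-domain rule should be replaced with a public-suffix-aware library before relying on it.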
Who doesn’t like a freebie? But these free offers can mask malicious links. Clicking to get the reward prompts a quick download of malware, compromising the safety of that employee’s device and your entire network.
Watering Hole Attacks
These attacks target a specific group of end-users by placing malware on websites and other online resources that they will visit. The objective is to infect as many devices as possible to have multiple access points into their connected networks.
Go to Part II — Social Engineering 101: How to Safeguard Your Business
Originally Published: January 1, 2022
Revised & Updated: August 1, 2023