What is Social Engineering?
Social engineering is the psychological manipulation of people into giving up sensitive information or taking actions that benefit an attacker. It is often carried out through phishing, baiting, or scareware and is used to steal credentials and data, spread malware, or gain unauthorized access to systems. Social engineering has become the backbone of much of today’s cybercrime because it does not depend on defeating technical controls; it exploits people’s willingness to trust.
What Threats does Social Engineering Pose to Organizations?
One of the main threats social engineering poses to organizations is the risk of a data breach. By tricking employees into disclosing login credentials or other sensitive information, attackers can gain unauthorized access to an organization’s systems, steal its data, and use that data to extort the organization.
Social engineering can also disrupt business operations. Suppose an attacker convinces an employee to click a malicious link. The employee’s computer can be infected with malware that then spreads to other computers on the network, disrupting the organization’s operations further.
Additionally, social engineering can damage an organization’s reputation if sensitive information is leaked or if its customers fall victim to a scam carried out in its name. The resulting loss of trust can translate directly into financial loss.
What are the Different Kinds of Social Engineering?
Pretexting: creating a false identity or pretext to obtain sensitive information or access to accounts. The attacker tells the victim a series of lies that seem plausible on the surface, often posing as someone who needs the information to perform a critical task. For example, you receive an amazing job offer from a well-known firm. The base pay is far above the industry standard, which makes you excited. Once you accept, however, they ask you to send personal information such as your address and banking details by email, which feels wrong because no employer has ever asked you to do that. In this case, trust your gut instinct and verify the offer through the firm’s official channels.
Phishing: sending fake emails that impersonate reputable, trusted sources such as your bank or Microsoft to trick people into divulging sensitive information. Attackers will often cite an error with your account and then ask you to confirm your login details or other personal information, usually through a link to a look-alike site that captures whatever you type.
Vishing: the same tactic as phishing, but the impersonation is done over the telephone rather than by email.
Whaling: a targeted phishing scam in which, rather than going after the average user, attackers target higher-ups such as CEOs and CFOs. It is called whaling because the targets are the so-called “big fish” of the company.
Baiting: offering something desirable in order to obtain sensitive information or access to systems. Attackers will, for example, dangle a gift card to lure a user into entering credentials, or leave free USB drives lying around in the hope that someone plugs one into a work computer and runs the malware it carries.
Scareware: using fear or urgency to trick people into taking action, classically a pop-up claiming the computer is infected and urging the victim to install a “cleanup” tool that is itself malware.
Quid pro quo: offering something in exchange for sensitive information or access to systems, such as an attacker posing as IT support who offers to fix a problem if the employee first hands over their password.
A Little Too Close to Home
Recently, the Chicago-based company Sargent & Lundy was hit by a social engineering attack. If you are unfamiliar with the name, Sargent & Lundy is an engineering firm that has designed over 900 power stations and thousands of miles of power systems. The company also works on nuclear security issues with the Department of Defense and holds sensitive data on those projects.
The attackers appear to have gained access to files described as “model files” and “transmission data,” which the company uses for utility projects. The attack has been attributed to Black Basta, a ransomware group that practices double extortion: it encrypts files on the targeted organization’s systems and demands a ransom for the decryption key, and it also runs a dark web leak site where it threatens to publish the stolen data if the organization does not pay.
So far, the company has declined to answer further questions about the attack, including whether the attackers tried to extort it, citing an ongoing investigation.
How Can You Avoid Social Engineering Attacks?
- Be wary of unsolicited emails or phone calls, especially those that ask for sensitive information or try to create a sense of urgency.
- Verify the identity of the person or organization before divulging sensitive information.
- Use strong, unique passwords for all of your accounts, and turn on multifactor authentication wherever it is offered. If you’re unsure what multifactor authentication is, feel free to read our article on MFA!
- Be cautious when clicking on links or downloading attachments. Check the sender’s actual email address, not just the display name, and look for discrepancies: misspelled or look-alike domains, extra symbols, or a link whose visible text does not match where it really points (hover over it before clicking).
- Educate yourself and your organization about social engineering risks and how to recognize and avoid these attacks. We recommend a security awareness platform such as KnowBe4, which runs simulated phishing campaigns to test whether your employees would fall for a scam.
- Keep your software up to date with the latest security patches.
- When contacted by an organization you do business with (e.g., your bank or a retailer) by phone, email, or text, never respond directly. Instead, contact the organization yourself through the customer service number on its website or on the back of your card. Do not use any links, phone numbers, or PDFs provided in the initial contact.
Following these best practices can significantly reduce your risk of falling victim to a social engineering attack.
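The sender and link checks described in the tips above can be automated. The script below is an example added to this post; it is not part of the original article or of any product mentioned here. It assumes a short list of domains you genuinely do business with (TRUSTED_DOMAINS, here examplebank.com and microsoft.com) and runs over two constructed sample emails. It flags a display name that drops a trusted brand while the real address belongs elsewhere, sender and link domains that are look-alikes of or one character off from a trusted domain, link text that shows one address while the href points to another, and the urgency wording phishing relies on. The legitimate sample produces no findings.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "microsoft.com"}  # assumed: domains the recipient really uses
URGENCY = re.compile(r"\b(within 24 hours|immediately|suspended|verify your (?:account|login)|unusual activity)\b", re.I)
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)  # anchor text that looks like a URL


def base_domain(host):
    # Registrable domain approximated as the last two labels (ignores co.uk-style suffixes).
    return ".".join(host.lower().split(".")[-2:])


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    for i in range(len(a)):
        if a[i] != b[i]:
            return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]
    return len(b) == len(a) + 1


def classify_domain(domain):
    """'trusted', 'look-alike of X', 'typosquat of X' or 'unrelated' relative to TRUSTED_DOMAINS."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    for t in TRUSTED_DOMAINS:
        if t in domain or t.split(".")[0] in domain:  # examplebank.com.verify-login.net, examplebank-secure.com
            return f"look-alike of {t}"
        if one_edit_apart(domain, t):  # examp1ebank.com
            return f"typosquat of {t}"
    return "unrelated"


class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def message_text(msg):
    """Decoded text of every text/* part; walk() yields the message itself when it is not multipart."""
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")


def analyze(raw_email):
    """Human-readable findings for one RFC 822 message; an empty list means no tell was found."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    verdict, findings = classify_domain(sender), []
    # Display name drops a trusted brand while the real address does not belong to it.
    if verdict != "trusted" and any(t.split(".")[0] in name.lower().replace(" ", "") for t in TRUSTED_DOMAINS):
        findings.append(f"display name '{name}' impersonates a trusted brand; real sender domain is {sender}")
    if verdict not in ("trusted", "unrelated"):
        findings.append(f"sender domain {sender} is a {verdict}")
    body = message_text(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "//" + text).hostname if URL_LIKE.match(text) else None
        if shown and base_domain(shown) != base_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        if classify_domain(target) not in ("trusted", "unrelated"):
            findings.append(f"link target {target} is a {classify_domain(target)}")
    hit = URGENCY.search(msg.get("Subject", "") + "\n" + body)
    if hit:
        findings.append(f"urgency language: '{hit.group(0)}'")
    return findings


# Constructed sample: impersonates Example Bank, which the recipient does bank with.
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected an error with your account. Verify your login within 24 hours.</p>
<p><a href="http://examplebank.com.verify-login.net/session">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample of a legitimate notice from the same bank: should produce no findings.
LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
</body></html>
"""
```

Run analyze(PHISH) and analyze(LEGIT) to compare: the phishing sample produces five findings (spoofed display name, look-alike sender domain, mismatched link text, look-alike link target, urgency wording) while the legitimate notice produces none. The look-alike and typosquat checks are heuristics: a legitimate brand that puts its name in a second domain (support portals, marketing senders) will be flagged too, which is exactly the case where the advice above applies and you should reach the organization through a channel you already know.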
SAGIN, LLC is a professional services firm which provides services in consulting, technology and talent management. If you would like to learn more about these solutions, you can contact us at: +1.312.281.0290 or firstname.lastname@example.org. Also visit us at www.saginllc.com