Social engineering is a form of deception that attackers use to target your business data and the personal information of your employees. While social engineering attacks are often categorized as cyberattacks, they’re unique in the sense that they’re driven by psychological manipulation rather than by technological hacking.
Here’s a brief rundown of the most common types of social engineering attacks, and how you can recognize and prevent them.
How to Recognize a Social Engineering Attack
Social engineering attacks are designed to trick individuals and company personnel into either divulging confidential information or helping attackers gain access to it.
Social engineers don’t necessarily have to be tech-savvy to get at your company’s data. Instead, they play on human sentiments like fear, trust, and our natural inclination to help others to get what they want.
A social engineer can infiltrate your business through a wide range of malicious activities carried out over email, by phone, or in person. And because their attacks are resistant to data security measures that protect against ransomware and other virtual threats, understanding how to thwart them is critical.
Here are three of the most widely used social engineering attacks.
1. Phishing
As the most common attack, phishing is usually carried out by email with the goal of stealing confidential information or login credentials.
How it works: Phishing typically uses some combination of fear, authenticity, and a sense of urgency to get recipients to click on an embedded email link. In many cases, the link will redirect to a fake website impersonating a well-known company (like a bank, for example) where the victim will be instructed to fill out a form or enter private login data.
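The lure described above depends on the link's visible text looking like the bank's address while the href points elsewhere. The following Python script is an added example (not code from the original article) that scans an email body for exactly that mismatch; the trusted domain and the sample message are constructed, hypothetical values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the sender's legitimate domains (constructed)

# Constructed sample message (hypothetical domains): the first link's visible text
# shows the bank's address, but its href sends the reader to an unrelated host.
SAMPLE_EMAIL_HTML = (
    "<p>Your account has been locked. Verify now:</p>"
    '<a href="http://login-examplebank.example.net/verify">'
    "https://www.examplebank.com/login</a>"
    '<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude 'last two labels' domain; adequate for the .com/.net style hosts used here."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def suspicious_links(html):
    """Flag links leaving the trusted domains, or whose visible text names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname)  # "" if the href has no host
        shown = re.search(r"https?://([^/\s]+)", text)          # domain the reader sees, if any
        shown_domain = registrable_domain(shown.group(1)) if shown else None
        if target not in TRUSTED_DOMAINS or (shown_domain and shown_domain != target):
            flagged.append({"href": href, "text": text, "target": target})
    return flagged
```

Run `suspicious_links(SAMPLE_EMAIL_HTML)` to see the lookalike link flagged while the genuine help-page link passes; a real deployment would use a public-suffix list instead of the two-label shortcut.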
2. Baiting and Quid Pro Quo
Similar to phishing in that they frequently use email (or the phone) to commit identity or data theft, baiting and quid pro quo tactics promise a reward in exchange for information.
How it works: Baiting involves the offer of a free item (like an eBook, for example) that the victim can claim by clicking on an email link (or going to a specific website address) and entering private business account data. Quid pro quo works the same way but offers a free service (like online software access, for example) rather than goods.
3. Pretexting and Piggybacking
While pretexting sometimes plays out by email or phone, both it and piggybacking (aka tailgating) can be used to infiltrate a business in person.
How it works: Pretexting relies on a fabricated story or scenario to mislead a victim into confirming confidential information requested by fake HR or finance personnel, for example, or giving a fake auditor physical access to company records. Piggybacking, meanwhile, is what happens when a social engineer (posing as a delivery driver, for example) follows an employee into a secured building or restricted area by striking up a conversation or asking the victim to hold the door.
Protecting Your Business
Because they exploit human nature, the only way to protect your business from a social engineering attack is with the cooperation of your employees.
To help your staff recognize and fend off deception schemes, make security awareness training mandatory and follow these tips:
- DO insist employees lock their computers whenever they’re away from their workstations
- DO update and have staff review your company’s privacy policy regularly
- DO invest in data security software and restrict access to confidential information and areas
- DON’T allow your employees to open or click through unsolicited emails or attachments
- DON’T permit personal emails to be exchanged over company accounts
- DON’T accept free work-related offers without verifying the source
Preventing social engineering attacks comes down to identifying potential risks in your business, making personnel aware of those risks, and having a risk mitigation plan in place to minimize the impact of a successful assault.