Security Threats: What is Social Engineering?

Social engineering is the act of manipulating, influencing, or deceiving people to give you the information you seek, usually by gaining their trust. That trust may be gained by posing as someone in authority, a colleague, or just someone who needs help in order to gain control over your computer system.

The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear-phishing, and CEO Fraud are forms of social engineering. Three common forms of social engineering that target businesses:

Phishing: These are the most common social engineering attacks. Most phishing scams seek to obtain personal information, such as names, addresses and social security numbers. Common tactics including using shortened or embedded links that redirect users to suspicious websites in URLs that appear legitimate. Phishing scams may also include threats to induce fear and a sense of urgency in an attempt to manipulate the user into acting promptly.

Spear phishing: This highly targeted type of phishing focuses on specific individuals and/or organizations. These attacks use personal information specific to the recipient in order gain trust and appear legitimate. Hackers usually steal this information from the victim’s social media accounts or online activity and use it to trick the victim into granting access or divulging sensitive information such as financial data or trade secrets.

CEO Fraud: In this type of attack, cybercriminals use spoofed company email accounts to impersonate executives in an effort to trick employees into releasing confidential information. These attacks typically target employees in departments such as HR or accounting, and request confidential tax information or unauthorized wire transfers.

Ways to Prevent Social Engineering Attacks:

  • Create strong password policies and emphasize to employees that passwords should not be shared with anyone (even if they believe they are speaking with someone at the corporate help desk) Do not re-use passwords from other sites for your work account.
  • Leverage two-factor authentication in conjunction with strong passwords.
  • Implement layered security solutions to prevent and detect any phishing threats or other social-engineering attacks.
  • Enforce proper document handling and disposal for sensitive documents and media.
  • Don’t open any emails from untrusted sources. Don’t click on links in emails, instead type the URL to the site in your web browser. Notify friends or family members in person or via phone if you ever receive an email message that seems unlike them in any way.