Many organizations focus on technological controls to protect their assets. But that’s only part of the story! Smart attackers use social engineering to achieve their goals in compromising networks and data. In a social engineering attack vector, attackers lie or present deceptive fronts to convince people to divulge information or take some action that allows the attackers access.
What is the Goal of Social Engineering?
Many attackers ask directly for money or financial information, like bank account numbers or credit card numbers. Within a corporation, attackers may attempt to divert payments into their own accounts by asking targets to change a pay-to account.
Attackers may also convince targets to give up personally identifiable information (PII), like current or former addresses or social security numbers. The attacker may then sell the information or use it toward another attack, like password/security question guessing or identity fraud.
If the attacker is targeting a larger organization, they may aim for proprietary information or access to internal systems. Some attackers use social engineering to obtain passwords or MFA codes, which can then be used to gain access to email, data repositories or business-related applications.
Social engineering doesn’t always result in a user disclosing data – if an attacker can convince targets to download a malicious program, they may use the malware as a foothold in the network or simply exploit the “owned” computer’s network bandwidth or processing power.
What Methods Do Attackers Use?
Attackers use different techniques depending on their goals. They may send a large number of identical emails in an attempt to maximize the number of responses, or, for a targeted attack, they may send individual requests with customized content (known as spear phishing).
Social engineers use any method that allows them to communicate with a target. Email and SMS/text messages are favorite channels, since they can be used at large scale. Occasionally, attackers use phone calls, pretending to be a trusted entity like a bank or even a family member or friend.
Less commonly, attackers can use traditional mail to communicate with targets – an approach that predates the Internet.
What’s Important for Me to Know about Social Engineering?
Many people believe they are “too smart” to fall for a social engineering attack, but the truth is that anyone can fall victim. Attackers combine and exploit common human traits to succeed in their goals. These include manufacturing a false sense of urgency, or including elements that pique the victim’s greed or curiosity.
Training, together with clear channels for users to report suspicious contact, can help organizations stop or quickly detect these attacks.
No matter what technology is in place to protect an organization’s security, a carefully developed social engineering attack can bypass it. Organizations need to include training, assessment, and protection against social engineering as part of their cybersecurity program.
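As an added illustration of how the cues described above (urgency, payment diversion, credential or MFA requests, PII requests, and lookalike sender domains) can feed a simple defender-side triage rule, the following Python script scores a set of constructed sample messages. It is example code written for this article and is not part of the original text or of Sedara's own tooling; the organization domain, the rule weights, the threshold and all message text are assumptions made for the example.

```python
"""Heuristic triage of inbound messages for social-engineering cues.

Added example, not from the original article. Each message is scored on
the cues the article lists: manufactured urgency, a request to change a
pay-to account, a request for a password or MFA code, a request for PII,
a curiosity or greed lure, and a sender domain that merely resembles the
organization's own. All domains, text and weights below are constructed.
"""
from dataclasses import dataclass
import re

# Assumed organization domain, used to spot lookalike sender domains.
ORG_DOMAIN = "example-corp.com"


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# (signal name, weight, pattern applied to subject + body)
RULES = [
    ("urgency", 2, re.compile(
        r"\b(urgent|immediately|within the hour|right away|"
        r"before (?:noon|5 ?pm|end of day))\b", re.I)),
    ("payment_change", 4, re.compile(
        r"\b(update|change|new)\b.{0,40}\b(bank|account|wire|routing)\b"
        r".{0,40}\b(details|number|information)\b", re.I)),
    ("credential_request", 4, re.compile(
        r"\b(password|passcode|mfa|one[- ]time code|verification code|2fa)\b",
        re.I)),
    ("pii_request", 3, re.compile(
        r"\b(social security|ssn|date of birth|home address)\b", re.I)),
    ("curiosity_lure", 1, re.compile(
        r"\b(you won|prize|gift card|bonus|confidential)\b", re.I)),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to detect domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(addr: str, org: str = ORG_DOMAIN) -> bool:
    """True when the sender domain is close to, but not equal to, ours."""
    domain = sender_domain(addr)
    return domain != org and levenshtein(domain, org) <= 2


def score_message(msg: Message):
    text = f"{msg.subject}\n{msg.body}"
    hits = [name for name, _, pat in RULES if pat.search(text)]
    score = sum(w for name, w, _ in RULES if name in hits)
    if lookalike_domain(msg.sender):
        hits.append("lookalike_sender")
        score += 3
    # Urgency combined with an action request is the classic pattern the
    # article describes, so the combination earns extra weight.
    if "urgency" in hits and any(
            h in hits for h in ("payment_change", "credential_request", "pii_request")):
        hits.append("urgency_plus_request")
        score += 2
    return score, hits


def triage(msg: Message, threshold: int = 5) -> dict:
    score, hits = score_message(msg)
    return {"sender": msg.sender, "score": score, "signals": hits,
            "verdict": "escalate" if score >= threshold else "allow"}


# Constructed sample messages (not real traffic).
SAMPLES = [
    Message("ap@example-c0rp.com", "URGENT: updated account details for invoice 4471",
            "Hi, our bank has changed. Please update our account number to the one "
            "below before end of day so the wire is not delayed."),
    Message("helpdesk@example-corp-support.com", "Action required: MFA migration",
            "We are moving everyone to a new MFA app today. Reply to this message with "
            "the verification code you receive right away so your access is not interrupted."),
    Message("hr@example-corp.com", "Q3 all-hands agenda",
            "The agenda for Thursday's all-hands is attached. Coffee will be provided."),
    Message("finance@example-corp.com", "Reminder: timesheets",
            "Timesheets must be submitted immediately after month end."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The fourth sample shows why a single weak cue is not enough on its own: a routine "immediately" earns two points and stays under the threshold, while the payment-diversion message stacks urgency, an account-change request and a lookalike domain and is escalated for a human to verify through a known-good channel.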
How can Sedara Help Protect my Organization Against Social Engineering?
Sedara offers a phishing assessment, in which we send out communication and assess the rate of “success”. We can also include social engineering in our penetration testing or security assessments. This service includes a deeper approach, in which we integrate the results of the phishing campaign into our assessment of overall security. Please let us know how we can help you!