Social engineering is a manipulation technique that relies on human interaction and human error, rather than on technical flaws, to gain access to private information, networks and other valuable assets.
These attacks exploit how people think and feel: once an attacker understands what motivates a user’s actions, they can deceive and manipulate that user.
Social engineering attacks generally have one of two goals:
- Sabotage – disrupting or corrupting systems and data to cause harm or inconvenience.
- Theft – obtaining valuable information, access or financial assets.
How social engineering attacks work
Social engineering attacks rely heavily on direct communication between the attacker and the victim.
Steps in a social engineering attack cycle:
- Prepare – the attacker gathers background information on the victim or target organisation.
- Infiltrate – the attacker establishes a relationship or initiates an interaction, building trust with the victim.
- Exploit – the attacker uses that trust to obtain the information, access or action they were after.
- Disengage – the attacker ends the interaction, ideally without raising suspicion, once they have what they want.
This cycle can play out over weeks or months, or be compressed into a single email or SMS. An attacker masquerading as IT personnel, for example, can often gather private details from employees within minutes.
Traits of social engineering attacks
Most social engineering attacks lean on one or more of the following levers:
- Heightened emotions – fear, excitement, curiosity or anger. Victims in an elevated emotional state are more likely to take irrational or risky actions.
- Urgency – emails or other communications highlighting time-sensitive opportunities, requests or problems that supposedly need immediate attention.
- Trust – believability is the attacker’s most valuable asset. The confidence built up over the course of the conversation is what makes the request seem legitimate.
How to spot social engineering attacks
- Are my emotions heightened? If a message makes you afraid, excited or angry, slow down before acting.
- Did the message come from a legitimate sender? Inspect the sender’s actual address, not just the display name, and check social media profiles carefully when you receive a suspect message.
- Did my friend or colleague actually send this message to me? Ask the sender, via a different method of communication, whether they did in fact send it.
- Does the website have odd details? Does the website you are visiting have URL irregularities, poor image quality, odd or incorrect logos or webpage typos?
- Is the offer too good to be true? Ask yourself “why am I being offered this?”
- Suspicious attachments or links – Is the message vague and does it fail to refer to the attachment properly? Are there typos? Is it a strange topic or attachment to receive a message about?
- Can the person prove their identity? – Don’t grant anyone access to your devices unless they can verify who they claim to be. This matters most when someone claiming to be from the IT team asks for remote access to your device for a support issue.
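The checklist above can be partly automated. The script below is an added example, not code from the original page: it parses a constructed phishing email and a constructed benign email and applies four of the checks above, namely a lookalike sender domain, a Reply-To that differs from the sender, urgency language, and links whose visible text or host does not match where they actually point. The domain names, sample messages, urgency word list and the simple "fold digits to letters" lookalike rule are all assumptions made for the example; real tooling would use the public suffix list and a fuller confusable-character table.

```python
"""Heuristic checks for a suspicious email, mirroring the spotting checklist."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "IT support" lure (not from the original page).
SAMPLE_EML = """\
From: "IT Support" <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-example.net
To: alice@example-corp.com
Subject: URGENT: your account will be locked in 24 hours
Content-Type: text/html

<html><body>
<p>Your password expires today. Verify immediately or lose access.</p>
<p><a href="http://example-corp.com.login-verify.net/reset">https://example-corp.com/reset</a></p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: "Bob" <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday? Menu: https://example-corp.com/cafeteria
"""

# Assumed phrase list; a real deployment would tune this per organisation.
URGENCY_TERMS = ("urgent", "immediately", "24 hours", "will be locked", "expires today")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: last two labels (enough for .com/.net here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(domain, trusted):
    """True if `domain` differs from `trusted` only by common digit/letter swaps."""
    folded = domain.lower().translate(str.maketrans("0135", "oles")).replace("rn", "m")
    return folded == trusted.lower() and domain.lower() != trusted.lower()


def analyse(raw, trusted_domain):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: is the real sender address a lookalike of the trusted domain?
    sender = msg["From"].addresses[0]
    if looks_like(sender.domain, trusted_domain):
        findings.append(f"lookalike sender domain: {sender.domain}")

    # Check 2: replies silently redirected to a different domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(f"reply-to domain differs from sender: {reply_to.addresses[0].domain}")

    # Check 3: urgency language in subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg["Subject"]) + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Check 4: link text vs. real destination, and trusted name buried in a subdomain.
    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        host = urlparse(href).hostname or ""
        if visible.startswith(("http://", "https://")):
            shown = urlparse(visible).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown} but points to {host}")
        if host != trusted_domain and host.startswith(trusted_domain + "."):
            findings.append(f"trusted name used as subdomain of {registered_domain(host)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, analyse(raw, "example-corp.com"))
```

Each finding corresponds to a question on the checklist; none of them is conclusive on its own, which is why the function returns the whole list rather than a verdict. The fourth check is the one users most often miss: the visible link reads as the real domain, and the real domain also appears as a subdomain of the attacker's host, so only the registered domain of the actual href reveals the mismatch.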
How to prevent social engineering attacks
- Education – this is key to preventing social engineering attacks. Training in cybersecurity best practices, and in what a social engineering attack may consist of or look like, is essential.
- Up-to-date software – keep software up to date and apply released patches promptly, so that a malicious link or attachment a user is tricked into opening has less to exploit.
- Don’t share private information, credentials or device access with anyone whose identity you have not verified.
- Set up and enforce strong cybersecurity policies, procedures and defenses.