Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. Social engineering is often associated with phishing, social website scraping and watering hole attacks.
How is Social Engineering Used in Cyber Crime?
Social engineering leverages what people know, do, how they think or how they operate to get access to key information that aids in an attack or to elicit particular behavior that initiates an attack.
Step 1: Reconnaissance: Harvest information for targeted attacks
- In the case of harvested information, social engineering is frequently the first step of a sophisticated multi-step attack. Complex campaigns such as advanced persistent threat (APT) attacks, CEO fraud, cryptocurrency attacks, and any other targeted cyber-attack will use social engineering as a first step.
- Frequent reconnaissance methods include:
  - Harvesting information from social websites (Facebook, Twitter, LinkedIn) and from public posts made online by your company, partner companies, vendors, news organizations, member associations, etc.
  - Communicating with employees by email, text message, or phone to gather targeted information
  - Stealing personal information from your PC, smartphone, or company servers
- Once this information is in hand, a targeted attack on individuals can be initiated that causes the victim to perform the desired behavior.
Step 2: Cause individuals to initiate a particular behavior, leveraging what is known from the harvested information.
This behavior results in an infection that becomes the next step in the cyber-attack process. Frequent attack methods that leverage harvested information include spear phishing, CEO fraud, and watering hole attacks. Actions elicited from individuals that lead to infections include:
- Clicking an email link that leads to an infected website
- Opening an email attachment that exploits a software flaw and causes the computer to become infected
- Visiting a particular infected website, frequently combined with a request to enter login credentials or private information
- Acting on unauthorized but familiar-looking requests to send money or confidential information to a third party or bank (CEO fraud), which exploit the attacker's knowledge of normal internal transactions
Solutions to Social Engineering Attacks
Social engineering attacks, by their very nature, exploit flaws in the way people think, work, or act. As a result, there is no single cyber security solution that addresses all of these threats. However, some of the top solutions include:
- All solutions start with a risk assessment to determine where your gaps are and to define a security plan.
- Employee awareness training. Online awareness training is not a very cost-effective option for all companies.
- Implementing strong two-factor or multi-factor authentication to ensure online and other accounts are better controlled.
- Installing strong core security, such as email security (against phishing, spear phishing, and CEO fraud), data protection, and gateway firewalls.
- Implementing better controls and company policies on what is posted to social websites, to limit the information available for reconnaissance.