Social engineering is a security threat that targets humans rather than computers or software. Social engineers use a combination of trickery, coercion, and similar tactics to influence their targets to do what they want.
How Does Social Engineering Work?
Social engineers commonly take advantage of Cialdini’s seven key principles of persuasion:
- Reciprocity: People are more likely to do something for someone who has or promises to do something for them in return.
- Commitment and Consistency: Someone is more likely to do something after making a commitment or if it has always been done that way.
- Social Proof: The “bandwagon effect” means that people are more likely to do something that they see as popular and that everyone else is doing.
- Authority: People are more likely to take actions ordered by an authority figure.
- Liking: People want to be liked and will do things that make them more liked or that let them avoid embarrassment.
- Scarcity: If something is in short supply, people see it as more valuable and rush to get it before it’s too late.
- Unity: People are more likely to do things that people they like and identify with are doing or suggest.
Many of the most common types of social engineering attacks take advantage of one or more of these principles. For example, Business Email Compromise (BEC) attackers pretend to be authority figures to steal sensitive information or money. Fake invoice schemes take advantage of commitment and consistency: if a company believes that it has used a vendor’s product or services, then it feels compelled to pay for them.
Types Of Social Engineering Attacks
Phishing is the most common type of social engineering used in cyberattacks. Phishing attacks come in a variety of different forms, including:
- Spear Phishing: Spear phishing attacks are extremely targeted. Spear phishers perform in-depth research on their targets to tailor their attacks and maximize the probability of success.
- Whaling: Whaling attacks are spear phishing attacks targeted at high-level executives. These attacks are designed to look like legitimate emails and attempt to take advantage of the recipient’s authority and power.
- BEC Attacks: In a BEC attack, the attacker masquerades as an authority figure within an organization or a company’s vendor or supplier. These attacks are commonly designed to steal sensitive information or have an employee send money to the attacker.
- Smishing: Smishing attacks are phishing attacks performed over SMS text messages. These attacks take advantage of the fact that companies are increasingly using SMS to reach customers and that link shortening services can be used to conceal a link’s destination.
- Vishing: Vishing stands for voice phishing. These attacks use many of the same influence techniques as phishing but are performed over the phone.
Social Engineering Attack Techniques
In addition to exploiting psychology for influence, social engineers also commonly use trickery in their attacks. Some common attack techniques used in phishing attacks include:
- Malicious Links: Phishing emails commonly contain links to phishing and other malicious sites. These links, and the sites that they point to, are commonly designed to look like legitimate sites.
- Infected Attachments: Phishing emails may include attached malware or files that download malware. Microsoft Office macros and malicious PDFs are common malicious attachments.
- Lookalike Addresses: To make phishing emails look realistic, phishers may use lookalike addresses. Email addresses that resemble a legitimate domain are more likely to pass a quick glance and trick the recipient.
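A defender-side check for the lookalike addresses described above, as an added example that is not part of the original article: it folds a sender domain to the string a hurried reader would perceive (punycode decoded, digit-for-letter and letter-pair substitutions undone) and compares the result against a list of trusted domains. TRUSTED_DOMAINS, the homoglyph tables and the 0.85 similarity threshold are assumptions constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains the organization trusts (hypothetical values).
TRUSTED_DOMAINS = ("example.com", "examplevendor.com")

# Substitutions that pass a quick glance: digits for letters, and letter pairs
# that render like a single letter in many fonts. Assumed tables for the example.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold(domain: str) -> str:
    """Reduce a domain to the string a hurried reader would perceive."""
    # Punycode labels (xn--) hide Unicode characters; decode them so the
    # comparison sees what the recipient's mail client displays.
    try:
        shown = domain.encode("ascii").decode("idna")
    except UnicodeError:
        shown = domain  # already Unicode, or not valid punycode
    shown = unicodedata.normalize("NFKC", shown.lower())
    shown = shown.translate(SINGLE_CHAR)
    for pair, letter in MULTI_CHAR:
        shown = shown.replace(pair, letter)
    return shown


def classify_sender(address, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", "exact match"
    folded = fold(domain)
    for good in trusted:
        # Same string once the visual substitutions are undone.
        if folded == good:
            return "lookalike", f"homoglyph of {good}"
        # Trusted brand embedded in someone else's domain (secure-brand.com, brand.com.evil.test).
        brand = good.split(".")[0]
        if brand in folded:
            return "lookalike", f"contains brand {brand!r}"
        # One or two characters off, e.g. a Unicode character that resembles a Latin one.
        if SequenceMatcher(None, folded, good).ratio() >= threshold:
            return "lookalike", f"near {good}"
    return "unknown", "no trusted domain resembles it"
```

A mail gateway would apply this to the From header and the envelope sender, and route a "lookalike" verdict to quarantine or to a banner warning the recipient rather than silently dropping the message.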
How To Prevent Social Engineering Attacks?
Phishing and other social engineering schemes are a major threat to enterprise cybersecurity. Best practices for protecting against social engineering attacks include:
- Employee Education: Employees need to know about the social engineering threats that they face in order to best detect and respond to them. An important part of this training is how to identify the various types of phishing attacks and the fact that phishing is not limited to email.
- Multi-Factor Authentication (MFA): Social engineering attacks commonly target login credentials that can be used to gain access to corporate resources. Deploying MFA across the enterprise makes it more difficult for attackers to take advantage of these compromised credentials.
- Separation of Duties: Social engineering attacks are designed to trick targets into sending sensitive information or money to an attacker. Processes should be designed so that payments and other high-risk actions require multiple sign-offs, decreasing the probability that everyone will be tricked by the scam.
- Antivirus and Antimalware: Phishing attacks are commonly designed to deliver malware to a target computer. Antivirus and antimalware protections are essential to identifying and blocking these attacks.
- Email Security Solutions: Phishers use a variety of techniques to make their messages seem more realistic and to trick their recipients. Email security solutions can scan emails for suspicious content and strip potentially malicious content from messages and attachments before delivering them to the recipient.
Social Engineering Prevention With Avanan
Phishing is one of the greatest threats to enterprise cybersecurity and is a common attack vector for malware and data breaches. Check Point and Avanan have developed an email security solution that provides comprehensive protection against a range of email-based social engineering attacks. To learn how to protect your organization and employees against phishing and social engineering, you’re welcome to sign up for a free demo.