Types of Social Engineering

Different types of social engineering

There are several social engineering tactics that cybercriminals use to gain access to sensitive data and information, including:

Phishing

We talked briefly about this last week. Phishing is the most common type of social engineering and is typically delivered as an email, chat message, web advert or website built to impersonate a real organisation, such as a bank or public utility. Some phishing messages ask the user to verify their login details on a mocked-up login page, complete with logos and branding so that it looks legitimate. Others claim the user has won a prize and request bank details so the “winnings” can be deposited, or ask for a charitable donation after a natural disaster or tragedy.

Baiting

Baiting offers the user something enticing in exchange for login details or sensitive information. The bait could be a free music or movie download or some other giveaway; in its physical form it is a planted USB drive that the finder is tempted to plug in. Once the bait is downloaded or used, malware is installed on the user’s system.

Quid Pro Quo

Quid pro quo is similar to baiting: the attacker asks for login details or sensitive data in exchange for a service. For example, a hacker posing as a technology expert may call a user and offer free IT assistance or system upgrades in return for their login details.

Pretexting

Pretexting is social engineering carried out through a fabricated story (the pretext) rather than a malicious link. The hacker builds a false sense of trust by impersonating a co-worker or authority figure in order to obtain login details or other information. For example, an employee may receive an email that appears to come from IT support, or a chat message from an ‘investigator’ who claims to be performing a corporate audit.

Piggybacking

Also known as ‘tailgating’, piggybacking is where an unauthorised person physically follows an authorised person into a restricted area. Examples include an attacker calling out to an employee to hold the door open because they have ‘forgotten’ their access card, or asking to quickly borrow an employee’s laptop or phone, piggybacking on that person’s access rather than the building’s.

How can your business prevent social engineering attacks?

As with other cyber security threats, prevention is key when it comes to minimising the risk of social engineering. Here are some of the most effective ways to prevent social engineering attacks on your business:

1. Employee education

Without doubt, the best defence against social engineering fraud is educating your people. Every employee in your organisation needs to know what social engineering is, the common types of fraud, how to recognise an attempt, and how to respond to it, including who to report it to.

2. Policies and procedures

Employees at every level of the organisation need clear guidelines for responding to social engineering. These may include verification checks before releasing or exchanging information, two-person authorisation for any change to vendor or client payment details (confirmed with the vendor on a phone number you already hold, never one supplied in the request itself), reinforcing the importance of building security, and warning against connecting unknown devices such as USB drives.

3. IT security

National IT goes to great lengths to keep your IT security fully up to date, including installing the latest anti-virus software, firewalls and email filters. Unfortunately, for the reasons set out above, this is only one layer of protection: social engineering targets people rather than software, so a convincing phone call, or an email that carries no malware at all, will pass straight through these tools. Technical controls are not the be all and end all.
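The phishing tactic described above and the email filters mentioned here come down to the same thing: a message that claims to be one organisation while its addresses and links belong to another. As an added example (not National IT’s tooling and not code from the original post), the following Python script runs the impersonation checks a mail filter would apply: display name versus sender domain, a Reply-To that points elsewhere, link text that shows one domain while the href goes to another, and look-alike domains. The protected brands and their domains, the two sample emails, and the naive registered_domain helper are all assumptions constructed for this example.

```python
"""Heuristic triage for a suspected phishing email (added example).
Brands, domains and sample messages below are constructed, not real."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisations we protect and their genuine sending domains.
PROTECTED_BRANDS = {"examplebank": "examplebank.com", "utilityco": "utilityco.com"}

# Visible link text that itself looks like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def skeleton(label):
    """Collapse common look-alike substitutions so that 'examp1ebank-login'
    and 'examplebank' compare as the same characters."""
    s = label.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")):
        s = s.replace(src, dst)
    return s


def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    'example.co.uk' reduces to 'co.uk'; use a real PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_domain):
    text = url_or_domain.strip()
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return 'kind: detail' findings; an empty list means no impersonation indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2])

    # 1. The display name claims a protected brand but the address is not that brand's domain.
    claimed = next((b for b in PROTECTED_BRANDS if b in display.lower().replace(" ", "")), None)
    if claimed and from_domain != PROTECTED_BRANDS[claimed]:
        findings.append(f"brand_impersonation: '{display}' sent from {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    if msg["Reply-To"]:
        reply_domain = registered_domain(parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"reply_to_mismatch: replies go to {reply_domain}, not {from_domain}")

    # 3. Link text displays one domain while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(body.get_content() if body is not None else "")
    link_domains = set()
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        link_domains.add(href_domain)
        if LOOKS_LIKE_URL.match(text) and registered_domain(host_of(text)) != href_domain:
            findings.append(f"link_text_mismatch: text shows {host_of(text)}, href is {href_domain}")

    # 4. Any sender or link domain that resembles a protected brand without being it.
    for domain in sorted(link_domains | {from_domain}):
        for brand, legit in PROTECTED_BRANDS.items():
            if domain != legit and skeleton(brand) in skeleton(domain.split(".")[0]):
                findings.append(f"lookalike_domain: {domain} resembles {legit}")
    return findings


# Constructed sample: the bank impersonation described above.
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examp1ebank-login.com>
Reply-To: collections@mailer-relay.net
To: finance@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your details at
<a href="http://examp1ebank-login.com/verify">https://www.examplebank.com/login</a></p></body></html>
"""

# Constructed sample: a genuine notification from the real domain.
SAMPLE_LEGIT = """\
From: "ExampleBank" <alerts@examplebank.com>
To: finance@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available. <a href="https://www.examplebank.com/login">Log in</a> to view it.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or "no findings")
```

These are content heuristics only; a real filter pairs them with SPF, DKIM and DMARC results on the envelope sender, and even then a well-written email with no links at all (a plain request to change a payment account) will produce no findings, which is why the policy and verification controls in the next points matter.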

4. Test for vulnerabilities

Periodically test the people, process and technology elements of your social engineering defences, for example with a simulated phishing campaign or a tailgating test at the office door. Look for gaps or weaknesses so you can work on strengthening them.

5. Insurance

If you do fall victim to social engineering fraud, you want the peace of mind of knowing that you are protected against any losses your business sustains. Standard insurance packages and crime insurance policies often fall short here, because they commonly exclude losses where the transfer of money, securities or property was performed knowingly by an employee, which is exactly what happens in a successful social engineering attack. That is why having the right insurance cover is so important.

National IT are always happy to discuss these points with you. If you are unsure about any aspect of these prevention measures, give us a call!