7 Common Types of Social Engineering Attacks on Businesses
We’re constantly hearing in the news about cyber security and social engineering attacks by hackers who have used their technical expertise to infiltrate businesses and compromise data. As a result, businesses have stepped up their game when it comes to IT security. However, there is another type of attacker using tactics to get around these systems.
Social engineering is now the third most common form of business fraud in the UK. It’s an expensive problem no matter the size of your business. According to Computer Weekly, more than 1 in 10 employees are victims of social engineering attacks. So what exactly is social engineering? It refers to hackers exploiting the most obvious weakness in every business: the employees themselves. This cybercrime tactic is much easier than hacking into a computer system.
By using psychology and simply relying on human error, they can manipulate our behaviour. Cybercriminals are using social engineering to trick employees into giving them access to data, networks and even money. We list seven of the most common types of social engineering attacks and how they work.
Phishing is the most common and well-known type of social engineering scam. Usually done through email, the attacker tries to trick the recipient into clicking a malicious link or opening an attachment. Attackers simply create an email address that looks like it’s coming from a known company, with the intention of tricking you into giving away sensitive information or infecting a computer and its network with a virus or a form of ransomware.
Spear phishing is a more targeted form of phishing that focuses on a specific organisation or even one specific employee, e.g. the Finance Manager. A common example of this is CEO fraud. A report by the National Crime Agency shows that CEO fraud cost UK business £32 million in 2018.
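The lookalike sender addresses and CEO fraud described above can be flagged mechanically before a message reaches an employee. The sketch below is an added example, not part of the original article; the trusted domains, executive names and sample headers are constructed assumptions, and the distance threshold of 2 suits domains of roughly this length.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample data (assumptions): domains the business trusts, and its executives.
TRUSTED_DOMAINS = {"example-corp.co.uk", "examplebank.com"}
EXECUTIVES = {"jane smith", "raj patel"}
# Digit-for-letter swaps commonly seen in lookalike domains, folded to one form.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

def skeleton(domain):
    """Fold case, accents and common character swaps so lookalikes collide."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the reasons a From header looks like impersonation (empty if none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(domain) == skeleton(trusted):
            reasons.append(f"lookalike of {trusted} (character swap)")
        elif edit_distance(domain, trusted) <= 2:
            reasons.append(f"lookalike of {trusted} (near-miss spelling)")
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name on an external address")
    return reasons

if __name__ == "__main__":
    # Constructed From headers for illustration only.
    for header in ["Jane Smith <jane.smith@example-corp.co.uk>",
                   "Accounts <billing@examp1ebank.com>",
                   "Jane Smith <jane.smith.ceo@gmail.com>"]:
        print(header, "->", check_sender(header) or "ok")
```

A check like this complements a spam filter: it only inspects the visible From header, so it should run alongside, not instead of, the mail provider's own sender authentication.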
Whaling is another targeted form of phishing that focuses on high-ranking victims within a company (e.g. the CEO and CFO). Since 2013, more than $12 billion has been unwittingly sent by firms through the successful exploitation of CFOs and finance leaders in the U.S., UK and Europe.
Vishing is social engineering done the traditional way, over the telephone. Attackers create a phone number and then trick their victims into calling it, pretending to be a business asking for sensitive information. The most prevalent examples in recent years are banking scams in which you give the fraudster your banking details. In 2018, a small number of mainly elderly people were scammed out of £1.2m in three weeks when fraudsters persuaded them to transfer money over the telephone.
SMiShing, which is a phishing message sent via text messaging (SMS), is a growing cyber risk. The user is tricked into downloading a Trojan horse, virus or other malware onto their mobile device. Scammers can also attempt to acquire personal information such as passwords and details by masquerading as a trustworthy entity via a text.
How many times have you received an email or a pop-up informing you that your computer has been compromised? Scareware, also referred to as fraudware, is malicious software that tricks users into believing their computer is infected with a virus. Often it suggests that you pay for fake antivirus software to remove it, offers to install the tool (often malware-infected) for you, or directs you to a malicious site where your computer becomes infected.
Pretexting is another form of social engineering in which an individual lies to obtain privileged data. It often involves a scam where the attacker impersonates co-workers or suppliers, pretending to need information in order to confirm the identity of the person they are talking to. The idea is to create a false sense of trust in order to trick the victim into giving them sensitive information.
Baiting and quid pro quo
Baiting is another form of social engineering that relies on the curiosity or greed of the victim. Hackers will entice their victim with the promise of an item or good, such as free digital music or a movie download, if they give up their login credentials. In businesses, employees have offered up their passwords as part of a ‘corporate survey’ or even for free promotional items. The goal is to lure users into a trap to steal their personal information or infect their systems with malware.
Baiting attacks can also be launched using physical media designed to exploit employees’ curiosity. There have been many instances where employees simply picked up a USB off the floor, inserted it into their computer and a virus infected not only their computer but the entire network it was connected to.
Similarly, quid pro quo attacks involve promising a benefit, usually in the form of a service, in exchange for information. By pretending to be a service that the business uses (e.g. a courier or IT support), the hacker can gain information or even access to a building.
Tailgating, also known as ‘piggybacking’, involves an attacker trying to gain restricted access, often by pretending to be a delivery person or employee. It could be simply walking behind a person who has authorised access or even holding the door open for them.
How to protect your business from social engineering
Social engineering costs UK business millions of pounds a year. It is designed to work around a business’s cybersecurity defences, so it’s essential that your business is set up to detect and combat all the different types of attack.
Train your staff: The whole point of social engineering is to prey on human nature and error. Educate your staff about the dangers of social engineering and make them aware that it’s not just emails, it can happen over the phone and in person as well.
Use multifactor authentication: One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise.
Keep your antivirus/anti-malware software updated: Make sure automatic updates are engaged. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
Install a spam filter: It’s impossible for a spam filter to stop every phishing email but it can help minimise how many make it into your inbox.
Get Cyber Essentials certified: As part of a Government-backed scheme to help businesses improve their cybersecurity, Cyber Essentials addresses the most common internet attacks. As Cubit is certified, we can help you through the process.
There is no doubt that social engineering is a significant threat to a business. Use these tips to educate and set guidelines within the workplace. Cubit can also help you analyse your business’s security and guide you through the steps you need to take to secure your business on all levels. Contact us now to have a chat.