What is social engineering?
People can be manipulated, some more easily than others. Social engineering is the deliberate use of that manipulation by cybercriminals: they extract confidential information from employees in order to gain access to systems, and from there steal data, money and more. This 'social', non-technical strategy is frequently used by cybercriminals for both targeted and broadly aimed attacks.
Types of Social Engineering attacks
Attackers have developed different ways to get your data. We have listed the six most important ones.
Phishing
This is the most common variant of social engineering. Phishing occurs when a hacker communicates with a victim under false pretences, and the message looks very genuine. For example, the message urges the recipient to click on a link in an email or to download an attachment. The recipient is misled because the link or attachment infects the device directly with malware, and that malware can in turn pass personal, financial or business information to the cybercriminal.
Baiting
This variant is similar to phishing. What sets it apart is the promise of an item or product that attackers use to lure victims. For example, they offer free music or movie downloads to entice users into sharing their login details. Another form of baiting is leaving a malware-infected device, such as a USB stick, somewhere it is likely to be found. This plays on our innate curiosity: someone plugs the USB stick into a laptop, and the laptop is infected with malware, possibly without the user ever noticing.
Pretexting
Pretexting occurs when an attacker fabricates a false backstory to manipulate a victim into giving access to sensitive data or protected systems.
Quid pro quo
A quid pro quo attack occurs when attackers request private information from someone in exchange for something or some type of compensation.
Spear phishing
Spear phishing is a highly targeted form of phishing that focuses on a specific individual or organization. Spear phishing attacks are effective because the sender of an email or private message on social media appears to be a known person, such as a colleague or an employer, so the recipient trusts the message and the sender seems legitimate. People fall for spear phishing because email security is not in order, or because the message appears to come from the director, for example. For more information on email security, read our expert blog 'Decoding email security'.
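To make the sender-impersonation point concrete, here is an added example (not from the original article or from Nomios) of a defender-side header check: it flags a message whose display name matches a protected person but whose address is outside the organisation, whose Reply-To points to a different domain than the visible sender, or which carries no DMARC pass in its Authentication-Results header. The organisation domain example.com, the protected name and the two sample messages are constructed for illustration.

```python
# Added example, not part of the original article. A defender-side header
# check for the spear-phishing pattern above: a message that appears to come
# from the director or a colleague. The organisation domain and the set of
# protected names are assumptions for illustration.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"        # assumed organisation domain
PROTECTED_NAMES = {"jane doe"}    # hypothetical director name, lower-cased


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message: str) -> list[str]:
    """Return a list of findings that point to sender impersonation."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)

    # 1. A protected person's display name on an address outside the organisation
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name impersonation")

    # 2. Replies silently routed to a different domain than the visible sender
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to domain mismatch")

    # 3. No DMARC pass recorded by the receiving mail server (RFC 8601 header)
    auth_results = msg.get("Authentication-Results", "").lower()
    if "dmarc=pass" not in auth_results:
        findings.append("no dmarc pass")

    return findings


# Constructed sample messages (not real mail).
LEGITIMATE = "\n".join([
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com",
    "From: Jane Doe <jane.doe@example.com>",
    "To: staff@example.com",
    "Subject: Quarterly review",
    "",
    "Please find the agenda attached.",
])

SPOOFED = "\n".join([
    "From: Jane Doe <jane.doe@examp1e-mail.net>",
    "Reply-To: director.urgent@free-mail.test",
    "To: finance@example.com",
    "Subject: Urgent request",
    "",
    "Can you handle something for me quickly? I am about to board a flight.",
])

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, "->", check_headers(raw) or ["no findings"])
```

The checks are deliberately simple: they run on headers that any mail gateway or mailbox rule can see, and a hit on any one of them is a reason to slow down and verify the request out of band rather than a verdict on its own.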
Tailgating
Tailgating is a physical social engineering technique in which someone without proper authentication follows an authorized employee into a secure location. For example, the person may pose as a courier and walk in alongside an employee to deliver a parcel. The aim of tailgating is to obtain valuable (intellectual) property or confidential business information, or to gain access to a secure location. This does not work at every company: in larger organizations you often need a keycard to get through doors, while in medium-sized companies attackers often get the chance to strike up conversations with employees and use that familiarity to get past reception.
How do you protect yourself against social engineering?
Ignorance is your biggest weakness and is extremely easy to exploit, which makes the uninformed the main target for attackers. Knowing what to look for and following best-practice techniques are your first and best layer of defence.
Be aware of the information you are releasing
This covers both what you say and what you post on social media. Sites like Instagram, Facebook and Twitter are abundant sources of information, from pictures to interests that can be played upon. A simple Google Maps search of your home or work address gives a bird's eye view of the building and its surroundings.
Determine which of your assets are most valuable to criminals
Make sure you are protecting the right thing! When deciding which assets are most valuable to an attacker, do not focus solely on what you or the business consider most valuable. Cyber attackers are interested in anything they can monetise.
Enforce and follow policies
After identifying which assets are most tempting to attackers, and the pretext they are likely to use to target them, write a security policy – and follow it! In a business context, all employees need to play their part. Everyone is a potential doorway into the business and its assets, and it only takes one door left ajar for an attacker to gain access.
Keep your software up-to-date
Attackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software. Staying on top of patches and keeping your software updated can mitigate much of this risk.
Don’t be the weak link… Be smart, be vigilant, be cyber secure!
Today’s threat landscape poses a real risk to your sensitive data, profitability, and reputation. Cybersecurity must be a continuous practice that requires a clear understanding of how users, customers and applications access data and how devices are configured.
has specialised in assessing, building, and managing enterprise information security for over 15 years. Our extensive engineering experience gives us an opportunity to develop security strategies and solutions that respond to your evolving business challenges.
Our expert security team helps you limit risk from modern-day threats.
Social engineering by numbers
- 98% of all cyber attacks are dependent on social engineering
- 56% of IT decision makers say targeted phishing attacks are their biggest security threat
- 66% of all malware is installed via malicious e-mail attachments
- The average cost of a malware attack for an organization is $2.4 million.
- New employees are most susceptible to social engineering attacks: 60% of IT professionals say they are at high risk.
- Only 3% of targeted users report malicious emails to management