Businesses and organizations have a challenging responsibility to protect sensitive information and prevent data disclosure.
What is social engineering?
Social engineering is when an attacker uses manipulation, influence, or deception to trick another person into sharing information or taking an action that benefits the attacker. Hackers often exploit technical security gaps in a network, but in organizations of all sizes they can also bypass layers of sophisticated computer security in seconds because an employee handed company information to someone with malicious intent. Social engineers usually succeed in manipulating an employee and gaining their trust because the employee lacks security awareness or training. Employees can be tricked into letting a stranger follow them into a company's data center, or into giving up passwords or user IDs over the phone or online.
A social engineer's goal is to gain access to data they can exploit, such as:
- PERSONAL INFO (passwords, account numbers)
- COMPANY INFO (phone lists, identity badges)
- SERVER INFO (servers, networks, non-public URLs)
Contrary to common beliefs, social engineers are not easy to spot. Most of the time, they sound like coworkers and people you work for. The first line of defense against social engineering attacks is educating your team and familiarizing yourself with social engineering techniques.
Types of social engineering attacks:
Spear Phishing
Spear phishing is an email attack in which a hacker targets a specific employee by masquerading as someone they know and trust. Often they impersonate an authority such as the company's CEO, finding the CEO's name and details on the company's website and using them to email people on the corporate domain. Spear phishing is among the most common and effective social engineering tactics. The emails are becoming more convincing, so recipients are more likely to open a malicious attachment or click a link that compromises their machine or harvests their credentials. Checking the sender's actual address and domain rather than just the display name, and enforcing SPF, DKIM and DMARC on the corporate domain, blunts much of this impersonation. For instance:
- They abuse trust in social media sites.
- Almost everyone uses some type of social networking site, such as Facebook or LinkedIn, often every day, and so comes to trust messages that appear to come from them. A social engineer exploits this trust by sending an email saying, "Your account needs to be updated, please click to update your information," and tricking people into following the link.
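The impersonation patterns described above (an executive's name on an outside address, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and a link whose visible text names one site while its target is another) can be checked mechanically before a message reaches a mailbox. The following is an added example, not code from the original article: it parses a raw email and reports those indicators. The corporate domain `example.com`, the executive name `Jane Doe`, and the two sample messages are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical corporate domain and the display names of executives who are
# commonly impersonated (assumptions for this example, not from the article).
CORP_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, corp: str = CORP_DOMAIN) -> bool:
    """True for domains a few edits away from the corporate domain (examp1e.com)
    or that embed its first label (example-com.net)."""
    domain, corp = domain.lower(), corp.lower()
    if domain == corp:
        return False
    return levenshtein(domain, corp) <= 2 or corp.split(".")[0] in domain


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg) -> str:
    """Concatenate all text parts of the message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def spear_phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. An executive's display name on an address outside the corporate domain.
    if from_name.strip().lower() in EXEC_NAMES and from_domain != CORP_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_domain or 'unknown'}")

    # 2. The sender domain is a lookalike of the corporate domain.
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Reply-To silently redirects replies to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_domain}")

    # 4. Anchor text shows one host while the href points to another.
    for href, text in ANCHOR_RE.findall(_text_body(msg)):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        shown = HOST_IN_TEXT_RE.match(visible)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and real_host and shown.group(1).lower() != real_host:
            findings.append(f"link mismatch: text shows {shown.group(1)} but points to {real_host}")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@mail-relay.net
To: finance@example.com
Subject: Urgent: account update required
Content-Type: text/html; charset="utf-8"

<p>Your account needs to be updated, please click to update your information:
<a href="http://login.attacker.test/update">https://www.linkedin.com/login</a></p>
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers
Content-Type: text/html; charset="utf-8"

<p>Draft is on the intranet: <a href="https://intranet.example.com/q3">https://intranet.example.com/q3</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, spear_phishing_indicators(raw) or ["no indicators"])
```

On the constructed suspicious message all four indicators fire; the benign one produces none. These heuristics complement, rather than replace, SPF/DKIM/DMARC enforcement, which catches direct forgery of the corporate domain itself but says nothing about a legitimately registered lookalike domain.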
Dumpster Diving
“Dumpster diving” is when a hacker goes through the trash that employees have thrown away and looks for sensitive information, such as:
- Personal identification information that can be found in junk mail like credit card offers, which the hacker uses for identity theft.
- Company contact lists and charts with phone numbers and locations on them make it possible for hackers to impersonate management-level team members.
- Corporate letterhead that can be used to produce realistic-looking fake correspondence.