At Ascend, we write a lot about the technical aspects of cybersecurity. We focus on cutting-edge topics in malware, ransomware, even machine learning. But one of the most insidious and effective cybersecurity threats around doesn't involve a single line of code: social engineering.
What Is Social Engineering?
Social engineering, in the context of cybersecurity, “refers to psychological manipulation of people into performing actions or divulging confidential information.” It’s an alternative and a supplement to the technical side of cybercrime, a way for criminals to gather information and access without going through your network’s defenses. Instead of taking on your security, they will target employees themselves, preying on people’s trustworthiness and emotions in order to get them to give up critical data.
You’ve seen it before, if in primitive form. In fact, you’ve probably been a target. Don’t think so? Does this ring a bell: Nigerian prince asking for help transferring millions of dollars, offering a percentage? A popup “from the FBI” claiming you’ve done something illegal on your computer?
Social engineering takes many forms, from the basic email phishing scams all the way up to corporate espionage. The list of techniques goes on and on, with attackers coming from all angles: baiting, phishing, spear phishing, pretexting, scareware…but one thing remains the same: the target is you.
Social engineering might take the form of:
- Someone calling and pretending to be a network or account administrator and asking for the victim's password to perform maintenance or fix an issue. In some business cases, the attacker may claim to be the employee’s CEO or another leader, leveraging that power relationship in order to pressure the victim into complying.
- Claiming that the victim has won a prize…but first, the victim must turn over their credit card or banking information in order to receive it.
- Sending a form that asks the victim to enter a new password for some unrelated reason, and then using that same password to access the victim's other accounts. Millions of people reuse the same password for everything, so every one of their accounts is exposed once that single password is discovered.
- Social networking attacks: so much of our information is online and publicly available. It is incredibly easy for criminals to spend a few days gathering personal information, so that when they contact (or impersonate) their victim, they have everything they need to put on a convincing front and get the information they’re after.
Why Is Social Engineering Such a Problem?
Because it hits us when we’re most vulnerable, and where we’re most vulnerable. Why go toe-to-toe with iron-clad security measures when tricking people is so much easier?
By exploiting our most powerful emotions, skilled social engineers can manipulate people like putty. They target people’s vanity, their greed, and especially their desire to be helpful and kind. Even more than that, they target people’s ignorance and innocence.
Think about how careful you and your coworkers are with your company’s data. Do you have rigid processes in place for giving out information? If you’re in a large organization and an important company leader called your desk right now, impatiently demanding sensitive information, would you give it to them? Would you test them to make sure it’s them, at the risk of pissing off your boss’s boss’s boss? Would you really? Maybe so. But maybe not. People assume the best, and they assume what’s going on is benign.
Social engineering is also incredibly hard to detect, because not only is it multi-channeled and lacking in clear form, but it is not usually in itself a complete strategy. It is one step in complex fraud schemes, allowing criminals to bypass security systems that they either cannot or do not want to risk overcoming. The source of the attack is difficult or impossible to trace, and detecting an intrusion is a lot harder when it’s not an “intrusion” in the first place, but instead was simply a criminal entering the correct login information.
What Can You Do to Avoid Becoming a Victim?
Social engineering prevention starts at the ground level, with employee education and security awareness training. Everyone in your company should be trained to be on the lookout for attacks: where they come from, what they’re after, what they look like.
Standard protocols for handling sensitive information should be established, so that attacks will be clear deviations from that agreed-upon standard. When your boss calls you, he knows that he’ll have to verify his credentials. If he won’t or can’t do that, you know to say no.
After education and training, it is still important to verify that your company and your employees are actually secure. To do so, many companies carry out penetration tests: simulated attacks that the company commissions against itself, with the goal of identifying security weaknesses. These penetration tests can expose lingering holes in your defenses and help you patch them before real criminals find them.
If you’re unsure about your company’s security, it would be well worth the time to establish some ground rules and policies for handling information. Talk to your coworkers, talk to your boss, talk to your team. Social engineering is a difficult threat to eliminate, but with some basic measures, you can severely limit the danger it poses to your organization.
Written by Luke Robbins