Social Engineering

Social engineering is one of the biggest cyber threats to businesses and organisations of all sizes, from startups to companies that operate internationally. For those that fall prey to a social engineering attack the consequences can be severe: damages can run to millions and a brand's reputation can be destroyed.

Let us educate your staff and then test their knowledge

If we can bypass your systems through your staff, so can an attacker!

What is Social Engineering?

Social engineering is a technique used by cybercriminals in which psychological manipulation is used to get members of your workforce to click on links or attachments, or to divulge sensitive information. In short, your employees are coerced into revealing confidential information or into performing actions that harm the business. Cybercriminals are adept at creating web pages and emails that look legitimate in their effort to get people to click on links, open attachments, or share personal or company data, which makes it harder to know who and what to trust. Social engineering testing is the first line of defence against fraudsters using these tactics. A test assesses your company's systems and personnel for their ability to detect and resist these types of malicious attack. Testing methods are designed to mirror the techniques used by criminals so that weaknesses are highlighted, and the results can be used to improve your workforce's cybersecurity awareness. The goals of social engineering testing are to:
• Identify potential risks
• Test the resilience of your cybersecurity controls, including technical controls such as your firewall rules and email filtering
• Identify your digital footprint: the information an attacker can gather about you from the public domain
• Raise awareness of both good and bad practices
• Identify security training needs so that you can build an effective cybersecurity training programme

What is phishing?

Phishing is one element of social engineering and refers to emails crafted by criminals to imitate those of a known or reputable company or individual. Fraudsters typically send phishing emails at large scale to increase their odds of success. The criminal's aim is to entice someone in your organisation into clicking a link in the email or opening an attachment. An attachment can appear to be a document, photo, video, or music file, and malicious software can be embedded within any of these. Phishing attacks can be used to gain access to a company's computer network or to trick an employee into divulging the company's card details. A typical example is an email that appears to come from the company's bank, complete with the bank's logo, headers, and footers. Such emails usually contain a link and encourage the user to sign in on a web page that, unknown to them, is fake. The fake website captures the username and password, and the cybercriminal can then use these to commit fraud. Phishing emails often create a sense of urgency by suggesting that there is a problem: the email asks the user to verify their details and warns of what will happen if they do not act.

Why is phishing commonly used by hackers?

Humans are often the weakest link in your security, and cybercriminals are ready to take advantage of the emotional reactions of you and your staff. Criminals also play on our natural inclination to trust others. The reality is that it is easier to obtain access to your computer systems, bank details, and passwords through social engineering than it is to break the software your company uses. Unfortunately, this means that all the security software in the world will not help if your workforce hands over your passwords and bank details. Phishing is a well-known criminal tactic, and even though many people are aware of the general concept, it remains highly successful. In addition, phishing tools are readily available and simple enough for less-skilled criminals and fraudsters to use. If the link or attachment in a phishing email is clicked or downloaded, it may install keystroke-logging malware, which gives the attacker confidential and critical information such as usernames and passwords. Other phishing emails attempt to trick a customer, vendor, or employee into sending payment for goods or services to a different bank account without that person realising what they have done. Cybercriminals might pretend to be a technical support person or someone else within the same organisation; in this scenario they exploit people's natural tendency to help colleagues, or the "act first, think later" mentality. Spear phishing is another term you may see associated with phishing attacks. Spear phishing takes the same approach as standard phishing but targets a specific person or small group, typically a system administrator, senior executive, or someone else with high-level authority.

How can businesses prevent phishing attacks?

Phishing attempts will continue, so it is vital that all businesses, large or small, take action to prevent their success. Social engineering and phishing tests are among the most effective tools for preparing your workforce, your business, and yourself to defend against phishing attempts. Our social engineering testing is conducted by our CREST (Council of Registered Ethical Security Testers) certified testers, who mirror the tactics, techniques, and procedures of cybercriminals and fraudsters and have an in-depth, up-to-date understanding of how real attackers operate. During social engineering testing a simulation is run that is authentic to a genuine cyber attack. This can be run as a standalone test with a pre-determined objective. The simulations can be performed using two different approaches:
• White-box social engineering simulations: these target specific employees using their known email addresses
• Black-box social engineering simulations: these are conducted with no prior knowledge of your systems
The results of the test highlight your organisation's detection and response capabilities. You receive a comprehensive report that lists the identified risks and tells you where improvements can be made through your existing training programme. Upon completion of a social engineering test, you and your company will be able to put controls in place to block, detect, and respond to criminal attacks. The advice might highlight the need for better email authentication (for example SPF, DKIM, and DMARC), stronger perimeter security, or improvements to user management practices. Some basic advice for your employees and yourself:
• Don't click on links or attachments from suspicious or unexpected sources
• It is safer to type the organisation's address into your browser than to click a link within an email
• Be wary of emails that convey a sense of urgency or pressure you to take action
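The indicators described above (a sender domain that fails SPF or DKIM, urgency language, a link whose visible text shows the bank's real address while the href points to a look-alike domain, and a sign-in page served over plain http) can be checked mechanically before a message reaches an inbox. The following script is an added example and is not code from this page's authors; it parses a constructed phishing email and a constructed legitimate one (all domains, addresses, and header values are made up) and returns the list of indicators found. The "registrable domain" heuristic and the urgency phrase list are assumptions chosen for the illustration.

```python
"""Heuristic phishing-indicator scan over a raw email message (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample impersonating a bank; every domain here is hypothetical.
SAMPLE_PHISH = b"""From: "Example Bank Security" <alerts@examplebank-secure.com>
To: finance@victim.example
Subject: URGENT: your account will be suspended
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=examplebank-secure.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a problem with your account. You must verify your details
within 24 hours or access will be suspended.</p>
<p>Sign in here: <a href="http://login.examplebank-secure.com/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed benign sample from the bank's real (hypothetical) domain.
SAMPLE_LEGIT = b"""From: "Example Bank" <statements@examplebank.com>
To: finance@victim.example
Subject: Your March statement is available
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready in online banking:
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""

# Assumed phrase list; tune it to the language your users actually receive.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended",
                   "verify your details", "act now")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumption: no public-suffix list is used)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Host from a URL-like string ('https://x.y/p' or 'x.y/p'); '' if not a URL."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def scan(raw: bytes) -> list:
    """Return the indicator codes found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Authentication-Results: anything other than pass means the claimed
    #    sending domain did not vouch for this message (SPF) or sign it (DKIM).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech}_not_pass")

    # 2. Urgency language in the subject or the visible body text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    visible = re.sub(r"<[^>]+>", " ", html)
    text = f"{msg.get('Subject', '')} {visible}".lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency_language")

    # 3. Links: visible text naming one domain while the href goes to another,
    #    and credential pages offered over plain http.
    ext = _LinkExtractor()
    ext.feed(html)
    for href, label in ext.links:
        target = registrable_domain(host_of(href))
        shown = registrable_domain(host_of(label))
        if shown and target and shown != target:
            findings.append("link_text_mismatch")
        if href.lower().startswith("http://") and re.search(r"login|verify|signin|account", href, re.I):
            findings.append("credential_page_over_http")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, scan(raw))
```

The mismatch check is the one that most directly supports the "type the address rather than click" advice: the visible text is exactly what a user would read and trust, and only the href reveals the look-alike domain. A real deployment would replace the two-label domain heuristic with the public-suffix list and would compare the sender domain against a per-brand allowlist.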

What is baiting?

Baiting is very similar to phishing, but in this type of attack criminals trick users into revealing personal or company information, account details, customer details, parcel delivery details, or online banking passwords by offering a fake deal or service. Attackers are experts at spoofing well-known brands and enterprises to bait users into revealing confidential or sensitive data. Their lures might take the form of service updates or security alerts, and the attacks are usually sent to as many recipients as possible to increase the odds that someone takes the bait.

What is pretexting?

Pretexting is another form of social engineering that is similar to phishing. Where phishing aims to acquire confidential information by creating a sense of urgency and fear, pretexting takes the opposite tack and aims to build trust through a fabricated story. The fabricated scenario, or pretext, could involve the fraudster posing as an IT support person. Often the criminal begins the ploy by asking the user for a few details to "confirm their identity". These details can be a mix of non-confidential and confidential information, requested as part of the process of building trust.

Social engineering summary

Social engineering is a term that covers several different types of cyber attack. The common theme is a fraudster attempting to gain access to a company's computer network, install malware, or obtain user data such as usernames, passwords, and bank details. The most prevalent types of social engineering are:
• Phishing: emails that look genuine encourage a user to click on a link or download an attachment
• Spear phishing: a specific person with high-level authority, such as a system administrator or senior executive, is targeted
• Baiting: users are tricked into revealing confidential data through the offer of a service to resolve an urgent issue
• Pretexting: a criminal builds trust with a user through a fabricated story in order to acquire sensitive company data
The best defences against social engineering include:
• Educating your employees not to open emails from untrusted or unexpected sources
• Educating your employees not to click on links or download attachments they were not expecting
• Employing a cybersecurity company to run social engineering testing
• Choosing a cybersecurity company that can run both white-box and black-box simulations
• Choosing a cybersecurity company that uses CREST certified testers

Request a social engineering quote

Drop us a line to find out more about how social engineering testing can help your company remain secure.