Social Engineering

Social engineering is one of the biggest cyber threats to businesses and organisations of all sizes, from startups to companies that operate on an international level.

Don’t risk it

For those who fall prey to a social engineering attack, the consequences can be severe: damages can run to millions and a brand’s reputation can be destroyed.

What is Social Engineering?

Social engineering is a technique in which cybercriminals use psychological manipulation to get members of your workforce to click on links or attachments, or to divulge sensitive information.

In short, social engineering sees your employees manipulated into revealing confidential information or into performing actions that harm the organisation.

What to look out for

Cybercriminals are adept at creating web pages and emails that look legitimate, in their effort to get people to click on links, open attachments, or share personal or company data. This makes it more difficult to know who and what to trust.

How to prevent Social Engineering

Social engineering testing is the first defence against fraudsters using these tactics. A test assesses your company’s systems and personnel for their ability to detect and withstand these types of malicious attacks.

Testing methods are designed to mirror the techniques used by criminals to highlight weaknesses. The results can be used to improve your workforce’s awareness of cybersecurity.

Social engineering summary

Social engineering is a term that covers several different types of cyber attack. A common theme is a fraudster attempting to gain access to a company’s computer network, install malware, or obtain user data such as user names, passwords, and bank details.

The best defence

The best defences against social engineering include:

– Educating your employees not to open emails from untrusted sources

– Educating your employees not to click on links or download attachments

– Employing a cybersecurity company to run social engineering testing

– Choosing a cybersecurity company that can run white-box and black-box simulations

– Choosing a cybersecurity company that uses CREST Certified hackers (like us!)

What our clients think

From my point of view, the most impressive thing about OmniCyber is the feedback I get from others after having introduced them to Omni. An example of those comments: “the best penetration testers I have worked with, as they work with you, not just on your system.”

Client testimonial

When you take into account their competitive rates and flexible, easy-going people, Omni is a joy to work alongside. So much so that we have made them our penetration testing partner and they now deliver a managed service for us.

Client testimonial

Let us help you

We are a CREST accredited company that employs Offensive Security Certified Professionals (OSCP), also known as ethical hackers. Under a defined scope set out with your company, our hackers systematically infiltrate your systems to find weaknesses in your defence plan and expose vulnerabilities.

Browse our frequently asked questions or Contact us if you have any further enquiries.

Phishing is one element of social engineering and refers to emails created by criminals to imitate those of a known or reputable company or individual. Fraudsters typically send out phishing attacks on a large scale, to increase their odds of success.

With phishing, the aim of the criminal is to entice someone in your organisation into clicking on a link in the email or opening an email attachment. An attachment can look like a document, photo, movie, or music file, and malicious software can be embedded within these types of downloads.

Phishing attacks can be used to gain access to a company’s computer network or to trick an employee into divulging the company’s credit card details. Examples of phishing include emails made to look as though they have come from the company’s bank, complete with the bank’s logo, headers, and footers.

These emails typically contain a link, and the user is encouraged to sign in on a webpage that, unbeknown to them, is fake. The fake website captures the login details and passwords, and the cybercriminal can use these to commit fraud.

Often, phishing emails create a sense of urgency by suggesting that there is a problem. The email will ask the user to verify their details and present a warning of what will happen if they don’t act.
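As an added illustration that is not part of the original page, the Python script below scores two constructed sample emails against the three phishing traits just described: a display name that impersonates a brand while the sender’s domain does not match, a link whose visible text points to the brand but whose real destination does not, and urgency wording. The brand name, domains, urgency phrases and sample messages are all made up for the example; a real filter would use an organisation’s own allow-list and phrase list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed example values: brands and the domains they legitimately send from.
KNOWN_BRANDS = {"examplebank": {"examplebank.com"}}
URGENCY = ("verify your details", "account will be suspended", "within 24 hours")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def claimed_brand(text: str):
    # Strip any HTML tags and spaces, then look for a known brand name in the text.
    squashed = re.sub(r"<[^>]+>", "", text).lower().replace(" ", "")
    return next((b for b in KNOWN_BRANDS if b in squashed), None)

def score_email(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    body = msg.get_payload()
    reasons = []
    # 1. Display name impersonates a brand, but the mail comes from an unrelated domain.
    brand = claimed_brand(display)
    if brand and sender_domain not in KNOWN_BRANDS[brand]:
        reasons.append(f"display name claims {brand} but sender is {sender_domain}")
    # 2. Visible link text names the brand while the real href goes elsewhere.
    for href, text in HREF_RE.findall(body):
        target = registered_domain(urlparse(href).hostname or "")
        brand = claimed_brand(text)
        if brand and target not in KNOWN_BRANDS[brand]:
            reasons.append(f"link text suggests {brand} but points to {target}")
    # 3. 'Act now or else' urgency wording.
    reasons += [f"urgency phrase: {p!r}" for p in URGENCY if p in body.lower()]
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: Example Bank Security <alerts@examp1e-bank-secure.net>
Content-Type: text/html

<p>We detected a problem with your account. Please verify your details at
<a href="http://examp1e-bank-secure.net/login">examplebank.com/login</a>
within 24 hours or your account will be suspended.</p>
"""
SAMPLE_LEGIT = """From: Example Bank <noreply@examplebank.com>
Content-Type: text/html

<p>Your statement is ready at <a href="https://examplebank.com/statements">examplebank.com</a>.</p>
"""
```

Running `score_email(SAMPLE_PHISH)` flags all three traits (score 5, since three urgency phrases match), while the legitimate statement email scores 0.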

Baiting is very similar to phishing, but in this type of attack criminals lure the user with a fake offer or service to trick them into revealing personal or company information, account details, customer details, parcel delivery details, or online banking passwords.

Hackers are experts in spoofing renowned brands, recognised enterprises, and companies to bait users into revealing confidential or sensitive information or data. Their tactics might include the incorporation of service updates or security alerts, and attacks are usually targeted at as many recipients as possible, to increase the odds of someone taking the bait.

Pretexting is another form of social engineering that is similar to phishing. Phishing aims to acquire confidential information by creating a sense of urgency and fear. Pretexting takes the opposite tack and aims to build trust through a fabricated story.

The fabricated scenario, or pretext, could involve the fraudster pretending to be an IT support person. Often, the criminal will begin their ploy by needing a few details from the user to confirm their identity. These details can include a mix of non-confidential and confidential information, as part of the method of creating trust.