Cyber threats are consistently catching companies out, meaning organizations must adapt their IT measures and procedures to mitigate the evolving threat. Risk managers should designate cyber threats as one of the top risks to a business and should have relevant controls in place to help manage the threat level.
One of the most important controls that should be in place is security awareness training for all staff. There are many threats staff should be aware of within their emails and browsing. But a threat that may be overlooked is that of social engineering. Employees who have access to confidential information need to be trained or risk becoming victims of social-engineering techniques.
What is social engineering?
In the context of information security, social engineering is psychologically manipulating people into performing actions or divulging confidential information. A social engineer will use confidence tricks to gather information or access systems.
How would a “social engineer” trick you?
Social engineers could call, email or visit one of your company’s locations while pretending to be someone who works for the same organization, a customer or another trusted party (for example, a security guard or building engineer). By posing as a person of trust, they try to get you to provide information or access while bypassing the usual verification steps. If you are unsure, you should refuse to provide access or information until you have verified who the person is.
Social engineering techniques
Knowing these techniques will enable staff to identify forms of social engineering. Taking a proactive approach by educating and training staff will mitigate the threat posed by social engineers.
- Phishing: Generally, emails pretending to be someone you know in order to try to get you to reply or act quickly and do something out of the ordinary.
- Pretexting: Someone who impersonates a trusted party by providing a credible story to manipulate an individual into providing access to a building or confidential information. Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim.
- Baiting: The promise of getting an item with some perceived value for free, which attackers use to entice victims (see, for example, this story about scattering USB sticks around a company and letting employees take it from there).
- Quid Pro Quo: Whereas baiting frequently takes the form of some kind of free item, quid pro quo usually assumes the form of a service (for example, someone assumes the identity of an IT support engineer and asks for access to your computer to fix a problem when you haven’t reported an issue).
- Tailgating (or piggybacking): This is where someone follows an individual into a restricted area.
When used by an experienced social engineer, these techniques can be shockingly effective. Consider, for example, the real-world demonstration in this video of how social engineering works in practice:
Alex Kteniadakis is an Information Security Analyst at Ventiv Technology. A certified ISO27001 Lead Auditor, Alex plans, assesses and improves information security procedures, thus ensuring the protection of data at Ventiv Technology.