Phishing, baiting and spear phishing are terms most of us have heard of and know to avoid. What many people don’t realise is that these scams and attacks all fall under one umbrella term: social engineering.
Social engineering is the act of manipulating or deceiving people in order to carry out scams and cyber-attacks. Rather than exploiting a flaw in software, it combines research on the target with psychological manipulation, and it relies on human error to succeed.
The Social Engineering Life Cycle
Social engineering is particularly dangerous because it is a planned attack: the attacker works through several stages before gaining access to a system or account.
1. Investigation: the attacker identifies potential victims and gathers background information on them, such as names, job titles and the organisations they deal with.
2. Hook: the attacker makes contact with the victim and starts to build trust, using that relationship to collect the sensitive information the attack will need.
3. Carrying out the attack: the attacker acts on the information gathered during the investigation and hook stages.
4. Covering tracks: the attacker wipes any trace of malicious activity, ends the cycle and moves on to the next victim.
Common examples of social engineering attacks
Social engineering attacks come in many forms; below are four of the most common.
Phishing is probably the best-known social engineering attack. The phisher gains trust by impersonating a company or authority, such as HMRC, a bank or the Post Office.
Phishing relies on human emotion: the phisher creates fear or excitement to push the victim into acting quickly. Common examples are a message saying you are owed a tax refund, or a warning that you must change your online banking password immediately, and only via the specific link provided.
Spear phishing works like phishing, using emotion to get the victim to carry out a task such as a password change, but it is targeted.
The attacker chooses a specific individual or business, perhaps a company of a certain size. After careful planning and research, the attacker impersonates a trusted individual within that company and asks the victim to carry out a specific task, such as making a payment or sharing credentials.
Baiting offers the victim a false promise of something they want or think they need, typically a file to download. Once the bait is downloaded, clicked or installed, the attacker is able to take over the device or account.
Pretexting, like the other scams, relies on building trust with the victim. The attacker poses as a company or authority, such as HMRC or a bank, and presents a plausible story (the pretext) that requires the victim’s cooperation.
The pretexter then asks a series of questions supposedly needed to confirm the victim’s identity, and in doing so harvests personal data such as bank details, phone numbers and similar information.
Top tips for social engineering prevention
It is an easy mistake to make, especially when a phishing attempt looks genuine or includes real personal details about you. Attacks cannot be prevented entirely, but staying vigilant and adopting a few best practices will help keep you and your business safe.
Provide phishing training for your employees.
Make sure employees know the procedure to follow if they are unsure about an email or other contact they have received. Run a simulated phishing test on your employees; anyone who falls for it may need additional training.
Don’t open emails from suspicious sources.
Remember that your bank will never ask you for personal details such as your PIN by email. If you receive an email you are unsure about, cross-check it by contacting the provider directly, using a phone number or website you already know rather than the contact details given in the message.
If it looks too good to be true, it probably is.
Always take a moment to think before clicking on a link or offer. Hover over a link to see where it really points before you click, and a quick Google search is an easy way to check whether an offer is legitimate.
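The two tips above, checking who really sent a message and looking at where a link really goes before clicking, can be automated for mail that arrives in volume. The Python script below is an added example written for this article, not code from the original post. TRUSTED_DOMAINS, the pressure-word list and the two sample messages are assumptions constructed for the example, and the domain handling is deliberately simplified (a production tool would use the public suffix list).

```python
"""Sanity checks for a suspicious e-mail: who really sent it, where its links really
go, and whether it leans on urgency. Example code for this article; the messages
below are constructed samples, not real phishing mail."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient genuinely deals with (assumption for this example).
TRUSTED_DOMAINS = {"example-bank.co.uk", "example-corp.com"}
# Pressure phrases typical of the "act now" hook (assumed list).
PRESSURE_WORDS = ("urgent", "immediately", "locked", "suspended", "24 hours")

# Constructed phishing sample: lookalike sender domain, lookalike link, urgent subject.
PHISH = """\
From: "Jane Smith" <jane.smith@example-corp-payments.com>
To: alice@example-corp.com
Subject: Urgent: your online banking password must be changed today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked in 24 hours unless you act now.</p>
<p>Reset it here:
<a href="http://example-bank.co.uk.secure-login.example.net/reset">https://www.example-bank.co.uk/reset</a></p>
</body></html>
"""

# Constructed genuine sample for comparison.
GENUINE = """\
From: "Jane Smith" <jane.smith@example-corp.com>
To: alice@example-corp.com
Subject: Minutes from Monday's meeting
Content-Type: text/html; charset="utf-8"

<html><body><p>Minutes are at
<a href="https://www.example-corp.com/minutes">https://www.example-corp.com/minutes</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude owner domain: last two labels, or three for co.uk-style hosts (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def imitates(host):
    """Trusted domain a host is dressed up as, or None if it is that domain or unrelated."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host.lower():  # brand name buried in another host
            return trusted
    return None


def host_in_text(text):
    """Host named by a link's visible text if that text looks like a URL, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host and " " not in host else None


def analyse(raw):
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender: a lookalike of a domain the recipient trusts (impersonation).
    _, addr = parseaddr(str(msg["From"]))
    target = imitates(addr.rpartition("@")[2])
    if target:
        findings.append(f"sender {addr} imitates trusted domain {target}")
    # 2. Pressure: the fear/urgency lever phishing relies on.
    subject = str(msg["Subject"]).lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        findings.append("subject uses pressure language: " + ", ".join(hits))
    # 3. Links: text that names one site while the href goes elsewhere, or a
    #    lookalike host that merely contains the trusted brand name.
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for text, href in extractor.links:
        real_host = urlparse(href).hostname or ""
        shown_host = host_in_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {registrable_domain(shown_host)} "
                            f"but goes to {registrable_domain(real_host)}")
        target = imitates(real_host)
        if target:
            findings.append(f"link host {real_host} imitates trusted domain {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, analyse(sample) or ["no findings"])
```

Run as a script it reports three kinds of finding for the phishing sample and none for the genuine one. The link check is the important part: the visible text reads example-bank.co.uk, but the href's owner is example.net, and the brand name only appears as a subdomain the attacker controls.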
Set your email’s spam filter to high.
Every email service has a spam filter, and turning it up is an easy way to block many potential threats before they reach your inbox.
Keep your Anti-virus software up to date.
Get into the habit of scanning your devices every few days to help protect them.