When people think of data breaches, they often imagine hackers, malware, ransomware, and other technology-based attacks. But one of the greatest threats to your organization and your networks isn’t technical at all. It’s your people.
Social engineers exploit the people in your organization to gain access to your trade secrets, customer information, and finances. They use tricks to gain trust and manipulate their victims. And unfortunately, social engineering is big business; 82% of the breaches in Verizon’s 2022 Data Breach Incident Report (DBIR) included some element of social engineering. One report found that the average organization fends off about 700 social engineering attacks every year.
This is unsurprising, considering that social engineering comes in several forms. This post focuses on how social engineers attack, and how you can keep them from infiltrating your organization.
First, what is social engineering?
Social engineering is a practice as old as time. It is, at its most basic, con artistry, or a confidence trick.
Social engineers manipulate people into giving up information, finances, or other assets, often by pretending to be a trusted individual or legitimate organization. They use a wide range of techniques to do this. Some simply send easy-to-spot phishing emails; others research their marks, use elaborate tactics, and play on human emotions such as fear, greed, or anger to get their victims to reveal confidential information.
The two basic types of social engineering attacks
Many articles about social engineering list the specific tactics, techniques, and procedures (TTPs) attackers use to conduct social engineering attacks, like phishing, smishing, or spoofing, but this post is about the mechanics of an attack.
Social engineering attacks can be split into two broad categories: technical and in-person attacks.
What are technical attacks?
A technical attack is probably what you imagine when you think of a social engineering attack. Technical attacks are carried out using technology.
These include phishing and spear-phishing campaigns, in which an attacker researches a mark and sends messages targeted toward that person to get them to divulge information or click on a malicious link. A technical attacker may also use phone calls and voice distortion to trick an individual. They may also hack into a network or use stolen credentials to gain access to an organization's systems or data.
While technical attacks may be the poster child for social engineering, there’s another form of attack that uses manipulation and psychology to compromise your security: in-person attacks.
In-person attacks are exactly that. An attacker gains access to your site and resources by appearing in person and talking their way past your defenses. If you don’t think that’s possible, take the example of a man who pretends he’s delivering donuts to an office. By pretending to be a delivery person, he can get into a site.
In my role as a security professional, I have conducted social engineering attacks as part of penetration tests. During one test, my team had to get close to a coach at a football stadium during a game. I got to the field simply by being kind to an usher and telling her the truth; I had to get down to the field. She should have denied me entry, but she let me pass.
Social engineers are con artists who understand psychology. They know to go to bars where people might be talking about their workdays. They know that employees often leave badges in cars where they can be stolen. They look for careless behavior and exploit it. So what can you do?
Preparing for social engineering attacks
Because social engineering attacks focus on your people, you can best fend them off by educating your employees, leadership and any other stakeholders who might be targeted. This means more than simply providing training. Your employees need to know the forms a social engineering attack can take. For example, many employees are well aware of phishing attacks. Verizon found that just 2.9% of employees fell for them in the last year, and more employees than ever reported phishing emails. Your employees may not, however, be quite as well versed in attackers who look for badges in cars or appear on-site holding a box of donuts.
This may be because phishing tests are common at large enterprises. Other forms of social engineering attacks should be tested as well, however. Your security team should regularly test to see if employees challenge strangers on site, or escort donut delivery folks to the door after they drop off their delivery.
To learn more about the impact of social engineering, read advice from white hat hacker Rachel Tobac on mitigating social engineering risks. To find the holes in your own security, contact us to talk to an expert today.