Social engineering is the psychological manipulation of people into giving up confidential information or access to systems. It is a form of confidence trick used for information gathering, fraud, or system access. Social engineering attacks can be used to steal employees' confidential information or data, and the most common forms take place over the phone or by email. Other examples include criminals posing as service workers or technicians so that they go unnoticed when entering a business's physical premises.
Social Engineering Principles
The main methods that cyber criminals use to perpetrate social engineering have existed for a long time. They are based on fundamental psychological principles of human behavior, and attackers exploit those principles to gain access to sensitive data or systems.
- Reciprocity: People tend to return a favor. For example, if an attacker is in some way generous or thoughtful, the victim may feel compelled to provide special access or otherwise bend critical rules.
- Commitment: When someone commits, orally or in writing, to do something, they become more willing to honor that commitment because they now see fulfilling it as a personal responsibility. For example, on auction sites people get drawn into bidding higher than they initially intended because they wish to "win" the item in question, regardless of what it is actually worth. An attacker who gets a small "yes" early in a conversation is counting on the same effect.
- Social proof: People will do things that they see other people are doing. For example, a software product endorsed by a celebrity will have a greater sense of value to people, regardless of its quality, because of the endorsement.
- Authority: People will tend to obey authority figures, even if they are asked to perform objectionable acts. In a social engineering attack, this may lead an employee of a targeted organization to provide information to a caller pretending to be a law enforcement official.
- Liking: People are easily persuaded by people they like. Simply being pleasant and friendly is often enough to win an attacker special access.
Main Forms of Social Engineering
Cybercriminals use social engineering to effectively administer a number of cyber attacks:
- Phishing: A technique for obtaining private information by deception. Typically the phisher sends an email that appears to come from a legitimate business, asks the recipient to "verify" or "confirm" information, and warns of consequences (a suspended account, a missed payment) if they do not. That threat pressures the victim into revealing sensitive information such as credentials, or into clicking a link that leads to a page that harvests them.
- Watering hole: A targeted strategy that exploits the trust users place in websites they regularly visit. The attacker prepares a trap at that trusted location, typically by compromising the site and planting malicious content there, and relies on the victim doing things at a familiar site that they would not do elsewhere.
- Quid pro quo: An attacker calls people at a company more or less at random, claiming a legitimate reason such as following up on a support request. Sooner or later the attacker reaches someone with a real problem who is grateful for the unsolicited help, and then uses the assistance as cover to extract sensitive information from the victim.
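The phishing indicators described above (a sender posing as someone the recipient trusts, pressure to act before "complications" occur, and a link whose visible text does not match where it actually goes) can be checked mechanically. The following is an added example written for this page, not Barracuda's code: a small Python scorer that parses a raw RFC 5322 message and flags those indicators. The organization domain `example.com`, the known-sender table, the urgency phrase list, the weights and the threshold are all assumptions chosen for the example; the two sample messages are constructed, not real traffic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organization data (hypothetical): domains it owns, and the display
# names attackers like to borrow mapped to the real mailbox of that person.
ORG_DOMAINS = {"example.com"}
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}

# Assumed phrase list for the "act now or else" pressure typical of phishing.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your account|action required)\b", re.I)
# A hostname appearing in the visible text of a link.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
SUSPICIOUS_THRESHOLD = 4  # assumed; tune against real mail


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Decode every text/plain and text/html part into one string."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return {"score", "findings", "suspicious"} for one raw message."""
    msg = message_from_string(raw)
    findings, score = [], 0

    # 1. Display name of a known colleague, but the mailbox is not theirs.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' <{addr}>, expected <{expected}>")
        score += 3

    # 2. Replies are quietly diverted to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} differs from sender domain {domain_of(addr)}")
        score += 2

    # 3. Pressure language in the subject or body.
    body = body_text(msg)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(msg.get("Subject", "") + "\n" + body)})
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))
        score += 1

    # 4. Links whose visible host differs from the real target, and hosts that
    #    bury the org domain inside an unrelated registrable domain.
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text/target mismatch: '{text}' -> {host}")
            score += 3
        for org in ORG_DOMAINS:
            if org in host and registrable(host) != org:
                findings.append(f"lookalike host {host} embeds org domain {org}")
                score += 2

    return {"score": score, "findings": findings, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample messages for the example (not real traffic).
PHISH = """\
From: Jane Doe <jane.doe@example-secure-login.com>
Reply-To: billing@mail-verify.net
To: bob@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended within 24 hours unless you verify your account.</p>
<p>Sign in at <a href="http://example.com.login-portal.net/auth">https://portal.example.com</a></p>
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 budget spreadsheet
Content-Type: text/plain; charset=utf-8

Hi Bob, the spreadsheet is on the shared drive under Finance/Q3. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = score_message(raw)
        print(label, result["score"], result["suspicious"], *result["findings"], sep="\n  ")
```

The constructed phishing sample trips all four checks (a borrowed display name with an outside mailbox, a divergent Reply-To, urgency wording, and a link that shows `portal.example.com` but points at `example.com.login-portal.net`), while the plain internal message scores zero. A real deployment would replace the two-label `registrable()` shortcut with a public-suffix list and the static `KNOWN_SENDERS` table with learned sender history, which is the kind of per-user communication pattern the vendor section later on describes.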
Social Engineering Defenses
There are a number of defenses available to companies that will help protect against major social engineering attempts on their employees:
- Establishing a standard trust framework: Establishing a strong framework of trust on an employee/personnel level by training personnel on how sensitive information should be handled.
- Scrutinizing information: Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems.
- Following security protocols: Establishing security protocols, policies, and procedures for handling sensitive information.
- Training employees: Training employees in the security protocols relevant to their position.
- Periodic Testing: Developing a framework is important, but it is just as important that the employees are tested to make sure that they are absorbing the information. Running tests to see how employees react to controlled social engineering experiments can help adjust training and discussions in the right direction.
The people and processes around technology are often the weakest link in the security chain, because controls such as authentication and access policy can be bypassed by persuading someone to act on the attacker's behalf. Attention to detail when establishing training and security infrastructure helps protect businesses from these attacks and their fallout.
How Barracuda Can Help
Barracuda Email Protection is a comprehensive, easy-to-use solution that delivers gateway defense, API-based impersonation and phishing protection, incident response, data protection, compliance and user awareness training. Several of its capabilities address social engineering directly:
Barracuda Impersonation Protection is an API-based inbox defense solution that protects against business email compromise, account takeover, spear phishing, and other cyber fraud. It combines artificial intelligence and deep integration with Microsoft Office 365 into a comprehensive cloud-based solution.
Its unique API-based architecture lets the AI engine study historical email and learn users’ unique communication patterns. It blocks phishing attacks that harvest credentials and lead to account takeover, and it provides remediation in real time.
Barracuda Security Awareness Training is an email security awareness and phishing simulation solution designed to protect your organization against targeted phishing attacks. Security Awareness Training trains employees to understand the latest social-engineering phishing techniques, recognize subtle phishing clues, and prevent email fraud, data loss, and brand damage. Security Awareness Training transforms employees from a potential email security risk to a powerful line of defense against damaging phishing attacks.
Barracuda Incident Response automates incident response and provides remediation options to address issues faster and more efficiently. Admins can send alerts to impacted users and quarantine malicious email directly from their inboxes with a couple of clicks. Discovery and threat insights provided by the Incident Response platform help to identify anomalies in delivered email, providing more proactive ways to detect email threats.
Do you have more questions about Social Engineering? Contact us today!