Social engineering is a dangerous method of cyberattack. It is the act of tricking legitimate users into providing access to their computers or sharing sensitive information with unauthorized individuals.
It is a particularly difficult method of cyberattack to detect, because it does not infect PCs through the traditional means of malicious links or emails. Instead, it relies on human mistakes to penetrate cyber defenses. Antivirus-style detection methods such as spam filters and suspicious-site identification therefore do not protect against social engineering attacks.
Social engineering attacks often follow a general lifecycle. In the first step of the cycle, cyberattackers identify and research their targets to gather personal information and to choose the most appropriate attack method.
The second step is initial contact with the victim. Using the prior research, the cyberattacker spins a highly tailored story to trick the victim into either sharing sensitive information or providing access to company systems. In the third step, the cyberattacker builds on this relationship of trust with the victim and, over time, gains an ever larger foothold within the company systems. During the third stage, data is often also stolen or company functions disrupted.
Finally, the cyberattacker finishes the cyberattack cycle by exiting the company, often covertly, in order to avoid arousing suspicion. Once this stage is complete and traces of the cyberattack are removed, the cycle can begin again with another target, either within the same company or at a different organization.
Here are some common social engineering strategies to look out for:
Baiting involves using lures to trick victims into installing malicious software on their systems or sharing personal information. An example of bait would be DVDs or USB drives left in areas where people can easily find and pick them up; once plugged into a computer, the malware they carry is installed automatically.
Tailgating involves an attacker physically following an employee with higher access into restricted areas of a company building. Once inside, the attacker can compromise company computers by physically plugging infected media (USB drives, DVDs, hard drives) into them, infecting them with malware.
Spearphishing is a subcategory of phishing attacks in which the attacker tailors the email content to a specific target, using research on the company being targeted. A spearphishing email may pose as a specific supervisor in the company writing to a specific employee, asking for sensitive documents to be forwarded. These are particularly dangerous, as people often let their guard down when they see an email from a sender internal to the company.
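As an added defender-side example (not part of the original article), the following Python check flags the pattern described above: a message whose display name matches an internal staff member but whose address sits outside the company, whose sender domain is a near-miss of the company's own, or whose Reply-To points somewhere other than the From domain. The internal domain, the staff directory and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): the organisation's own mail domain and a
# constructed directory of staff names, as a mail gateway or SIEM would hold.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a, b):
    # Levenshtein distance; a small distance to our domain marks a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spearphish_indicators(raw_message):
    """Return the reasons an inbound message looks like an impersonation of an
    internal sender; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    reasons = []
    if from_dom and from_dom != INTERNAL_DOMAIN:
        if name.strip().lower() in DIRECTORY:
            reasons.append("internal display name on external address")
        if _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
            reasons.append("lookalike sender domain")
    reply = msg.get("Reply-To")
    if reply and _domain(parseaddr(str(reply))[1]) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample: a "supervisor" on a lookalike domain asking for documents.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@mail-relay.test>
Subject: Please forward the Q3 contracts

Bob, send me the signed contracts before the board call.
"""
```

Calling `spearphish_indicators(SAMPLE)` returns all three indicators; a genuine message from `jane.doe@example.com` with no Reply-To returns an empty list.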