We all think we know how to spot a scam, right? Maybe most of the time, but social engineering attacks are still occurring regularly because we are allowing them to. Why? Because some of us, or in a lot of cases many of us, aren’t trained at work in what to look out for. That seems odd to us, as we know all too well how much of a threat these things can be.
We’ve covered some of these things before, but with a rise in attacks of late, we thought we’d refresh your memories! Here are five kinds of social engineering attacks that you might commonly come across and how to identify them.
Baiting
This is where something is offered to the end user in exchange for confidential info such as login details or any other kind of private data. The bait itself can be digital or physical. It could be in the form of a free music or movie download, or could even take the form of a branded company USB lying around. Once the bait is downloaded or plugged in, malicious software is installed and the hackers can start their job.
Quid Pro Quo
Have you heard the saying, if an offer sounds too good to be true, it probably is? Yep you have, and yep it usually is. Quid pro quo is where your info is exchanged directly for a service. So, it might be a call from your friendly IT provider or telecommunications provider offering you a free service right then and there, in return for your password given directly over the phone, or perhaps a “researcher” offering you cold hard cash on the spot in exchange for the company network details “just to check you’re running things right”. Please, if you’re not expecting it, just don’t.
Phishing
Phishing is a pretty common social engineering attack these days and we like to think that most people can see it coming, but these types of attacks are getting pretty sophisticated. They are basically an impersonation of someone else in the form of an email, chat, advert etc. They will generally create a sense of urgency or fear, aiming to gather that critical info from the user. They will usually mimic a bank, big company or government agency and may ask for details to be confirmed online, offer some kind of prize if details are entered, or ask for a donation to an exceptional cause. These communications are designed to look like the actual branding of the company they claim to come from, and a lot of the time they capitalise on a recent tragedy or natural disaster so the message looks current and legitimate. This is why backups are so important!!
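The tells described above (urgency language, a brand name in the display name that doesn’t match the sending domain, a request to confirm details, and a link whose visible text points somewhere other than its real destination) can be checked mechanically. The following is an added example written for this post, not a tool from the original article; the brand-to-domain table, the keyword lists and the two sample messages are all constructed for illustration, and a real mail filter would use the organisation’s own allow-lists.

```python
import re
from urllib.parse import urlparse

# Constructed mapping of commonly impersonated brands to the domains they really
# send from (assumption for this example; replace with your own allow-list).
KNOWN_BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "taxoffice": {"taxoffice.gov"},
}

# Phrases that manufacture urgency or fear, and phrases that ask for credentials.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent",
                 "act now", "final notice")
CREDENTIAL_WORDS = ("password", "login details", "confirm your details",
                    "verify your account")


def _domain(addr_or_url):
    """Lower-cased host part of an e-mail address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def score_email(msg):
    """Return (score, indicators) for a message dict with keys
    display_name, from_addr, subject, body and links=[(visible_text, href)].
    The score is simply the number of independent indicators found."""
    indicators = []
    text = (msg["subject"] + " " + msg["body"]).lower()
    sender_domain = _domain(msg["from_addr"])

    # 1. Brand impersonation: display name names a brand, sender domain isn't theirs.
    name = msg["display_name"].lower().replace(" ", "")
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in name and sender_domain not in domains:
            indicators.append(f"display name claims '{brand}' but sender is {sender_domain}")

    # 2. Urgency or fear language.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # 3. Asks the reader to hand over or confirm credentials/details.
    hits = [w for w in CREDENTIAL_WORDS if w in text]
    if hits:
        indicators.append("asks for credentials/details: " + ", ".join(hits))

    # 4. Visible link text shows one domain while the href goes to another.
    for link_text, href in msg.get("links", []):
        shown = _domain(link_text) if "." in link_text else ""
        actual = _domain(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            indicators.append(f"link text '{link_text}' actually goes to {actual}")

    return len(indicators), indicators


def classify(msg, threshold=2):
    """Coarse verdict: two or more independent indicators is treated as phishing."""
    score, _ = score_email(msg)
    return "likely phishing" if score >= threshold else "no strong indicators"


# Constructed sample messages: one phish, one legitimate statement notice.
PHISH = {
    "display_name": "Example Bank Security",
    "from_addr": "alerts@examplebank-secure.co",
    "subject": "Urgent: your account will be suspended",
    "body": ("We detected unusual activity. Please verify your account within "
             "24 hours by logging in at the link below."),
    "links": [("https://www.examplebank.com/login", "https://examplebank-secure.co/verify")],
}
BENIGN = {
    "display_name": "Example Bank Statements",
    "from_addr": "statements@examplebank.com",
    "subject": "Your monthly statement is ready",
    "body": "Your statement for last month is now available in online banking.",
    "links": [("Online banking", "https://www.examplebank.com/statements")],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        score, why = score_email(msg)
        print(f"{label}: {classify(msg)} (score {score})")
        for line in why:
            print("  -", line)
```

Each indicator on its own is weak (legitimate banks do send “act now” reminders), which is why the verdict needs two or more to fire; the same checks are the ones a person can do by hand, and the link one is the most reliable, since the branding can be copied perfectly but the real destination cannot be hidden from a hover or a long-press.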
Pretexting
Pretexting can be quite successful, as it seems very legitimate to the end user and can get immediate responses in the form of login details and confidential business data. A hacker will create a trusting relationship with an individual by impersonating a coworker or someone of authority (think company audits or IT software installs, where an outside company might be used). Once that relationship has been established, login details are requested and sent, and the hacker can get to work. Again, a business should always notify its employees when these things are actually occurring, so if in doubt, check first!
Piggybacking or Tailgating
Piggybacking or tailgating seems quite an obvious one, but a lot of the time it is carried out without a second thought given. It occurs when a person physically gets access to a restricted area or system of a business, a scary thought really. Has anyone ever asked you to hold a restricted access door for them because they didn’t bring their swipe card to work that day? Or asked to quickly borrow your computer to check something? If you don’t recognise them, probably best not to in future!
In a nutshell, employees need to be informed of all of these things by their employer; people can be very trusting beings and not even realise some of these things exist! Education and awareness are key.
In addition, these days it should just be second nature not to open emails or click links from people you don’t know, and never to share computers or devices.
Businesses should always have an up-to-date plan in place for recovery if something does go awry. Unfortunately there will always be one victim, and we can’t overlook Darwin’s Law of natural selection in some cases ;).
But funnies aside, make sure you have a solid backup and recovery plan, and you can at least rest easy knowing there is a solution to help clean up a potential mess. Ask us if you need help to assess yours if you’re not sure… but we can’t help with Darwin’s Law, sorry, that’s on you!