October is Cybersecurity Awareness Month, launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance and now led by the Cybersecurity and Infrastructure Security Agency (CISA). Our final article for this year's Cybersecurity Awareness Month theme of “See Yourself in Cyber” tests your knowledge of social engineering.
Everyone has heard of computer hacking. So what are the differences and similarities between computer hacking and social engineering? Computer hacking breaks into a system using technical skills to gain unauthorized access to the system and the information inside it. Social engineering instead deceives a person into divulging information or taking an action through psychological manipulation. The two are often combined: the social engineering step delivers the credentials or the malware that the technical attack needs. You have probably heard of a few types of social engineering.
Some of the most common types of social engineering attacks are:
Phishing
Phishing arrives by email, text message, social media, and messaging apps; the text-message variant is also called smishing. The attacker tricks the recipient into clicking a malicious link or opening a malicious attachment. It is the most common form of social engineering attack. A typical example is an email that appears to come from your bank, telling you that your account has been locked after too many unauthorized access attempts and providing a link to “reset your password”; the link leads to a look-alike site that captures whatever credentials you type into it.
Spear phishing
Spear phishing targets a specific person or organization, as opposed to generic phishing, which is sent in bulk to large, unrelated populations. A common example is an email that appears to come from a company executive, claiming an emergency that justifies skipping the normal approval process and asking the recipient to perform a specific task such as transferring funds or granting access to part of the network.
Vishing
Vishing (voice phishing) is phishing by phone call, either an automated message or a live caller, aimed at getting you to divulge personal information.
Baiting
In baiting, the attacker offers something the victim believes will benefit them. Examples include a suggested software upgrade or a USB drive dropped in the company parking lot and labelled as holding “valuable” information; either will install malware on your system if it is accepted or plugged in.
Quid pro quo
Quid pro quo is similar to baiting but requires the victim to perform an action in return for a promised service. A typical example is a caller pretending to be a service provider or technician who asks you to hand over your security credentials or run a series of steps so they can “fix” a problem; instead of helping, the steps install malware that lets the attacker access your machine remotely.
Pretexting
Pretexting uses a fabricated identity and story to manipulate the victim. A pretexter may impersonate the victim's IT helpdesk, credit card company, or another service provider and ask the victim to “confirm” their username and password, social security number, credit card number, or other sensitive information. Legitimate helpdesks and providers do not need you to read them your password.
Tailgating
Tailgating is a physical breach of a secure area: an unauthorized person follows an authorized one through a controlled door without badging in. If you have ever held the door for someone following you into a building or a secure section of one, you may have unknowingly enabled it. Someone posing as an employee, maintenance worker, or delivery person relies on that courtesy to get in without presenting a credential, which is why badge-in policies require each person to authenticate individually rather than be let in by whoever is ahead of them.
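The phishing and spear-phishing lures described above share a few technical tells that can be checked before anyone clicks: a display name that does not match the sender's domain, a Reply-To that diverts the thread elsewhere, a link whose real host differs from the text shown, and pressure language. The script below is an added example for this article, not code from the original page or from the firm; the domain names, the three sample messages, and the allow-list are all constructed for illustration, and the registrable-domain helper is a deliberate simplification of what a production filter would do with the public suffix list.

```python
"""Triage checks for the phishing and spear-phishing lures described above.
Added example for this article, not code from the original page or the firm.
All domains and messages below are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains the bank and the company really send from.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}
# Pressure language the lures in the article rely on (checked in subject + body).
URGENCY_WORDS = ("locked", "immediately", "urgent", "wire", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels). Production code should use
    the public suffix list; 'examplebank.com.evil.net' must map to 'evil.net'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str) -> list[str]:
    """Return warnings for one RFC 5322 message; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Display-name spoofing: a trusted-looking name on an untrusted domain.
    if sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not trusted "
                        f"(display name {display!r})")
    # 2. Reply-To that diverts the conversation to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable(reply.rsplit("@", 1)[-1]) != sender_domain:
        warnings.append(f"Reply-To {reply!r} differs from From domain")
    # 3. Links whose real host does not match the sender, whatever the link
    #    text says (the bank password-reset lure from the article).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = _LinkCollector()
    links.feed(text)
    for href, visible in links.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != sender_domain:
            warnings.append(f"link to {host!r} does not match sender domain "
                            f"{sender_domain!r} (shown as {visible!r})")
    # 4. Urgency cues in subject or body.
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        warnings.append("urgency cues: " + ", ".join(hits))
    return warnings


# Constructed samples: the bank lure and the executive lure from the article,
# plus a genuine notice to confirm the checks stay quiet on it.
BANK_LURE = """From: "Example Bank Security" <alerts@examplebank-secure.net>
To: you@example-corp.com
Subject: Your account has been locked
Content-Type: text/html

<p>Too many unauthorized attempts. Reset your password immediately:
<a href="http://examplebank.com.reset-portal.net/login">https://examplebank.com/reset</a></p>
"""

CEO_LURE = """From: "Jane Doe, CEO" <jane.doe@gmail.example>
Reply-To: jane.doe.ceo@outlook.example
To: controller@example-corp.com
Subject: Urgent wire
Content-Type: text/plain

I am in a meeting and cannot talk. Send a wire of $48,000 within 24 hours; skip
the usual approval, I will sign off later.
"""

LEGIT_NOTICE = """From: "Example Bank" <alerts@examplebank.com>
To: you@example-corp.com
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement is ready. Review it at
<a href="https://examplebank.com/statements">examplebank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("bank", BANK_LURE), ("ceo", CEO_LURE), ("legit", LEGIT_NOTICE)):
        print(name, triage(sample) or "no red flags")
```

Run as-is, the bank lure is flagged for an untrusted sender domain, a link whose real host is reset-portal.net despite displaying the bank's address, and urgency wording; the executive lure is flagged for a webmail sender, a diverted Reply-To, and wire-transfer pressure; the genuine statement notice produces no warnings. None of these checks replaces user awareness: a lure sent from a compromised internal mailbox passes checks 1 and 2, which is exactly why the article's advice to verify unusual requests out of band still applies.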
Hopefully this article has made you more aware of the many types of social engineering ploys and how they work, so that you are better prepared to recognize and handle situations like these in the future. As people become familiar with one type of social engineering, new variants evolve, so it is important to stay on guard to protect both your personal information and your company's sensitive information.
If you have any questions about social engineering or other cybersecurity topics, please reach out to David Hammarberg, leader of the firm's SOC, Cybersecurity, Forensic Examination, and Information Technology practices. McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and to provide recommendations to detect, respond to, mitigate, and recover from breaches and other cybersecurity events. We can answer any questions and help you determine whether a SOC 2 or SOC for Cybersecurity report would be useful for your company.