What is Social Engineering?
Social engineering is the manipulation of people into disclosing confidential information or taking actions that benefit an attacker. What sets it apart from other hacking techniques is the target: instead of exploiting a flaw in software, the attacker exploits human psychology, such as trust, curiosity, fear, or the wish to be helpful. Social engineers reach their targets through many channels, including phone calls, e-mail, text messages, and in person.
Social engineering attacks pose a serious threat to companies, because a single deceived employee can hand over credentials or access that technical controls would otherwise have blocked. It is therefore essential for employees to learn the common types of social engineering attack and how to prevent them.
Five of the most common types of social engineering attack are phishing, baiting, pretexting, quid pro quo, and tailgating.
Phishing
Phishing is a message, sent by e-mail, chat, text, or pop-up, in which the attacker falsely claims to be a trusted source in order to trick the recipient into exposing confidential data. An attachment or link in the message may install malware on the user's device, or direct the user to a counterfeit website that asks them to "update" or "verify" personal information. Whatever the user enters on that site is captured by the attacker. The visible text of a link and its real destination can differ, which is why phishing sites are usually hosted on look-alike domains rather than on the trusted source's own.
Baiting
A baiting attack relies on the curiosity or greed of the target. The attacker leaves a malware-infected device, such as a USB flash drive or CD, in a place where someone is sure to find it, often labelled with something enticing. The finder, curious to see what is on it, plugs it into their computer and unknowingly installs malware on the system.
Pretexting
Pretexting is a form of social engineering in which the attacker lies about their identity to obtain private information from the target. The attacker invents a scenario, the pretext, that makes the request seem routine and urgent, and uses it to manipulate the victim into releasing information they would otherwise protect. For example, an attacker may call a company's IT department posing as an employee in order to obtain that employee's login credentials.
Quid Pro Quo
In a quid pro quo attack, the attacker offers something in return for confidential information or access. The offer may be a gift, such as a free item in exchange for a user's login credentials, or a service, such as a caller claiming to be technical support who will "fix" a problem if the user first hands over their password. If an offer sounds too good to be true, it is probably a quid pro quo attack.
Tailgating
A tailgating attack occurs when an unauthorized individual follows an authorized individual into a restricted area in order to gain physical access. The attacker exploits ordinary courtesy: for example, someone may ask an employee with building access to hold the door because they "forgot their company key card at home". Once inside, the attacker can plug devices into the network, read documents left on desks, or remove equipment, so visitors should be challenged and escorted rather than waved through.
How to Prevent Social Engineering Attacks
- Never provide confidential information to an unknown or unverified source. Legitimate organizations do not ask for passwords or other sensitive information by e-mail, text, or unsolicited phone call. If a request appears to come from a real organization, verify it through a channel you already trust, such as a phone number from its website or your own records, not one supplied in the message.
- Never click embedded links in suspicious e-mails or messages. To see where a link really leads, hover over it with your mouse and read the destination URL, because the visible text of a link can be completely different from its target. Suspicious URLs are often misspelled (for instance examp1e.com in place of example.com), use a different suffix than expected (.info instead of .com), or hide the real company's name as a subdomain of an attacker's domain (for instance example.com.attacker-site.info).
- Never open e-mail attachments from unknown or suspicious senders, and treat unexpected attachments from known senders with the same care, since sender addresses can be spoofed or the sender's account may already be compromised.
- Keep your computer systems and software up to date, so that malware delivered by phishing or baiting cannot rely on vulnerabilities that have already been patched.
- Educate yourself and others. Regular training helps employees recognize these attacks, and a simple, blame-free way to report a suspicious message or an unfamiliar visitor lets the organization respond before the damage spreads.
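The phishing description and the "hover over the link" advice above can be automated for mail triage. The following Python script is an added example and is not part of the original article: for every link in an HTML message body it compares the visible text with the real href, flags punycode hostnames, and compares the destination's registered domain with a trusted-domain list to catch misspellings, swapped suffixes and brand names hidden in a subdomain. The trusted domain (example.com) and the sample message are constructed for the example; the two-label approximation of a registrable domain is a simplification, as the comment notes.

```python
"""Flag deceptive links in an HTML e-mail (added example, not from the article).
Automates the hover check: compares visible link text with the real href, flags
punycode hosts, and compares the destination's registered domain with a trusted
list to catch misspellings, swapped suffixes and brand names hidden in subdomains.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the only domain the organisation sends login links from.
TRUSTED_DOMAINS = {"example.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Hostname of an http(s) URL; bare 'www.example.com' text is treated as http."""
    parsed = urlparse(url)
    if not parsed.scheme:
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower() if parsed.scheme in ("http", "https") else ""


def registrable_domain(host):
    """Last two labels (example.com); a real tool would use the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing; [] means nothing was found."""
    reasons = []
    href_host = host_of(href)
    if not href_host:  # mailto: and relative links are out of scope here
        return reasons
    # 1. The visible text is itself a URL but points at a different site.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown, real = registrable_domain(host_of(text)), registrable_domain(href_host)
        if shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
    # 2. Internationalised hostnames can render as look-alike characters.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append("punycode (xn--) hostname")
    # 3. Destination is not trusted: does it imitate a trusted name?
    reg = registrable_domain(href_host)
    trusted_regs = {registrable_domain(t) for t in trusted}
    if reg not in trusted_regs:
        label = reg.split(".")[0]
        for t in sorted(trusted_regs):
            brand = t.split(".")[0]
            if label == brand:
                reasons.append(f"{brand} with unexpected suffix: {reg} instead of {t}")
            elif edit_distance(label, brand) <= 2:
                reasons.append(f"{reg} is a near-misspelling of {t}")
            elif brand in href_host.split("."):
                reasons.append(f"{t} appears as a subdomain of untrusted {reg}")
    return reasons


def triage_message(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reasons)] for every suspicious link in the body."""
    collector = _LinkCollector()
    collector.feed(html)
    results = ((h, t, check_link(h, t, trusted)) for h, t in collector.links)
    return [r for r in results if r[2]]


# Constructed phishing body: three deceptive links followed by one legitimate one.
SAMPLE_EMAIL = """<p>Your account will be suspended. Verify it at
<a href="http://example.com.secure-verify.info/login">https://www.example.com/login</a>
or update your details at <a href="https://examp1e.com/account">Account settings</a>.
Our policy: <a href="https://example.info/policy">policy</a>.
Sign in normally at <a href="https://login.example.com/">login.example.com</a>.</p>"""

if __name__ == "__main__":
    for href, text, reasons in triage_message(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Running the script flags the first three links and passes the fourth. The first is caught twice: its text advertises example.com while the href lands on secure-verify.info, and the trusted name appears only as a subdomain. Such a check is a triage aid, not a verdict: a legitimate mail can link to a partner's domain, and an attacker who registers a wholly unrelated domain will not trip the look-alike rules, so the independent-channel verification in the list above still applies.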