You would be forgiven for thinking that social engineering sounds like something from science fiction, but it is very real. Social engineering is one of the most effective tools in a cyber criminal’s arsenal because, quite frankly, hacking a human is easier than hacking technology. Why would they go through the trouble of breaking into your network when, with just a little convincing, they can be let right in? Fortunately, there are ways that you can use social engineering to your advantage. You can use it against yourself to test your security, and we’re here to explain how.
Before we get into how you can use social engineering, we have to examine the different kinds of social engineering and what they aim to accomplish.
Phishing – This is probably the most commonly known form of social engineering. Phishing is the practice of sending fraudulent emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.
The distinguishing factor that makes phishing so dangerous for businesses is that it takes advantage of the unquestioning nature of most individuals.
A cybercriminal will disguise their phishing attempt as a trustworthy person or entity so the victim will perform the desired action and be none the wiser. Most use one of the methods listed below to entice the target to perform some type of action.
- Too Good to Be True – Lucrative and eye-catching offers.
- Sense of Urgency – Password or account expiration emails.
- Hyperlinks – Obfuscated or misspelled links, often a domain with one or two characters replaced by lookalikes so it reads like the real one at a glance.
- Attachments – Any attachments included in the email, especially ones the recipient was not expecting.
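The "replaced characters" trick in the hyperlink bullet can be checked mechanically. The following is an added example, not part of the original article or any TechGuard tool: it reduces a link's domain to a canonical "skeleton" (lookalike digits and Cyrillic letters mapped back to the Latin letters they imitate, punycode decoded) and compares it against a constructed, hypothetical allowlist of the organisation's trusted domains, and it also flags link text that names one domain while the link points at another.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation really uses (hypothetical values).
TRUSTED_DOMAINS = {"techguard.com", "microsoft.com", "paypal.com"}

# Character replacements commonly used to build lookalike domains. Multi-character
# entries (rn -> m) are applied before single characters; the last five are Cyrillic
# letters that render almost identically to their Latin counterparts.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

def registrable(host: str) -> str:
    """Keep the last two labels (a simplification that ignores multi-part TLDs such as co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so replaced-character lookalikes collide with the original."""
    d = domain.lower()
    try:
        d = d.encode("ascii").decode("idna")  # turn xn-- punycode labels back into Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode (or not valid IDNA); compare as-is
    d = unicodedata.normalize("NFKC", d)
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d

TRUSTED_SKELETONS = {skeleton(t): t for t in TRUSTED_DOMAINS}
DOMAIN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[A-Za-z]{2,})(?:/\S*)?")

def check_link(display_text: str, href: str) -> list[str]:
    """Return the red flags found for one hyperlink; an empty list means nothing suspicious."""
    findings = []
    target = registrable(urlparse(href).hostname or "")
    match = TRUSTED_SKELETONS.get(skeleton(target))
    if match and target != match:
        findings.append(f"lookalike domain: {target!r} resembles trusted {match!r}")
    # Link text that itself looks like a URL or domain should point at that same domain.
    shown = DOMAIN_TEXT.fullmatch(display_text.strip())
    if shown and registrable(shown.group(1)) != target:
        findings.append(f"link text shows {registrable(shown.group(1))!r} but points to {target!r}")
    return findings
```

The skeleton comparison is a flagging heuristic for a mail gateway or awareness tool, not a blocklist: a legitimate domain that happens to contain a digit will also collide, so findings should be surfaced to the user rather than silently acted on.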
Vishing – Vishing is phishing carried out over the phone. Because the attacker uses their voice, the name combines the two: voice + phishing = vishing.
These attacks are usually executed remotely and can be incredibly effective. Like phishing campaigns, vishing calls can be made with little information and with no prior knowledge of subjects.
These calls attempt to retrieve information that might be restricted and often target the empathetic nature of the individual on the other end of the line. A sad enough story might be exactly what the attacker needs to bypass that second piece of verification to access confidential information.
Physical Infiltration – Sometimes, attackers are bold enough to walk into your physical workplace to gain information. They take advantage of the kind and unquestioning nature of some employees. Too often, well-intentioned employees hold doors open for strangers because they want to be polite, or they see a new face in the office and simply assume that person is approved to be there. By the time anyone becomes suspicious, it is probably too late, and the attacker has already accomplished their goal.
“Trust but verify” is a term often used in the security community. That’s not to say that employees should interrogate every new individual in the office, but they should feel empowered enough to approach them and introduce themselves while they find out a little more about why that person is there.
The Solution – Training and Testing
As I mentioned in the beginning, you can test yourself against social engineering. That involves hiring a third party for a penetration test in which they may attempt to phish, vish, or physically infiltrate your organization, depending on what you requested. Of course, you can test all you want, but unless your employees have some fundamental understanding of these threats and how they are so often executed, they will consistently fail these tests. That’s why a good training program is essential to ward off social engineering threats. That could be as simple as providing mandatory training to your employees on dealing with these risks.
A step up from that is a tabletop exercise, where you verbally walk through your planned response scenarios without the risk of an actual breach. Then you can go as far as commissioning a penetration test to see how well employees do when faced with a real-life social engineering situation. If they slip up and let the intruder access something they shouldn’t have, don’t punish them. The purpose and benefit of penetration testing is that it is a risk-free learning experience for everyone, and you should treat it as such. When employees don’t perform the way you hoped, that is a sign you may need to reevaluate your training program.
Remember, cybersecurity maturity is a continuous cycle: you must revisit training and testing regularly to make sure they are still adequate. If you would like more information about social engineering, you can download our guide here.
Written by Elizabeth Dasenbrock
Elizabeth Dasenbrock is a marketer/graphic designer whose mission has always been to creatively express stories and ideas. Her skill set allows her to convey concepts to particular audiences in a visually appealing way. At TechGuard, she works on the marketing team with a focus on graphic design. In her free time, she can usually be found working on personal creative projects, tending to her houseplants, or spending time with friends and family.