It sounds like something that might have a department devoted to it at Facebook Headquarters. But the truth is that social engineering is a type of security breach that takes advantage of human behavior to pull off a cyberattack.
What is Social Engineering?
Social engineering, in cybersecurity terms, is defined as an “attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.”
Essentially, social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. Social engineering attacks are not only becoming more common, but they’re also increasingly sophisticated. Hackers continue to develop ever-more clever techniques for fooling employees and individuals into handing over valuable company data.
Famous hacker Kevin Mitnick helped popularize the term ‘social engineering’ in the ’90s, but the idea and many of the techniques have been around long before the age of computers and the internet. In fact, social engineering has been around as long as there have been scam artists of any sort.
How Does Social Engineering Work?
Cyber criminals use social engineering tactics in order to convince people to open email attachments infected with malware, persuade unsuspecting individuals to divulge sensitive information, or even scare people into installing and running malware. Social engineering tactics are typically the initial step in a larger-scale attack. By using social engineering to gain access to your network, cybercriminals can mitigate the amount of effort they need to expend. Why waste time hacking into your system, when they can have the ‘keys to the kingdom’ handed right over to them?
What are the Risks to my Business?
We’ve all become familiar with the type of attacker who leverages their technical expertise to infiltrate computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we are motivated to counter their efforts by investing in new technologies that will reinforce our network defenses.
But not many businesses consider the risk that social engineers pose to their sensitive data. As businesses have begun adopting more effective strategies to preventing viruses and malware, attackers are shifting their approach to trick victims through more sophisticated techniques like social engineering. Once a social engineer has gained access to your network via one of many methods, they are free to browse and steal your data – often without ever being detected, or at least remaining hidden until it’s too late.
“People are inherently trusting. We want to trust others and that’s what a successful social engineering attack comes down to,” says Brian Horton, CEO at Breadcrumb Cybersecurity. “If an employee receives an email that says it’s from another co-worker, most people are going to trust it, especially if it relates to something real and specific,” says Horton. “As long as the email appears to be from a legitimate source, most people will open it. Most people will also click on whatever is in the body of the email because they believe it is a genuine link or attachment,” she says.
That’s with e-mail, but why do these attacks work just as well over the phone, or in-person, such as when someone uses co-worker or other pretexts? “As humans, we rarely want to seem skeptical of another person’s actions,” adds Horton. “Most people want to be kind and courteous, and are especially trained to be compliant in a work environment. If I call up as an angry executive and say “I want to know why this wasn’t taken care of a week ago. This routing number and account number were supposed to be changed, and nobody’s taken care of it. This needs to be taken care of right now!” The employee is highly likely to do what is being asked of them in order to maintain their job security – never stopping to double check whether the call was legitimate or not,” he says.
Because social engineering involves a human element, preventing these attacks can be very tricky for businesses today. In our next post, we’ll break down the most common social engineering techniques and how we’ve seen them used in the real world.