Organizations spend a sizeable proportion of their technology budgets on securing their systems. Plenty of time and resources are devoted to security software, monitoring tools, security updates, and system hardening configuration (see DNSstuff for more cybersecurity tips). While all of this is important, the history of cybersecurity incidents has shown that humans, not technology, are the weakest link in the security chain.
Though artificial intelligence and machine learning are slowly making inroads into the cybersecurity space, the overwhelming majority of IT security infrastructure used by businesses today does exactly what humans configure it to do. In that sense, the technology has no mind of its own and only follows its programming. Humans, on the other hand, have autonomy of thought and don't always follow a predictable pattern of thought and action.
This is why the easiest and most effective way to circumvent security controls is social engineering. Social engineering is the use of deception to penetrate enterprise systems. While the threat landscape grows more sophisticated every day, it is still social engineering techniques that inflict the most damage on company systems and business data.
Since social engineering depends heavily on manipulating and lying to a human target, the attack can take many forms. The following are the most common social engineering attack methods.
Phishing is by far the most common type of social engineering attack. About half of global email traffic is spam, a sizeable proportion of which is phishing email. Phishing can, however, also be carried out via SMS, instant messaging, and social media. The message seeks to trick the recipient into divulging sensitive information (such as passwords, credit card numbers, and social security numbers) or into visiting a fraudulent, malicious URL.
For phishing to work, the message's content, colors, logos, images, and contact addresses must mimic those of an organization the recipient considers reputable and trustworthy. The message must also create a sense of urgency by insinuating that a situation will get out of hand if the information is not delivered immediately.
Phishing is a tactic used to obtain virtual access to an application. Tailgating (also referred to as piggybacking) is a social engineering technique used to gain physical access to an area without proper authorization.
At its most basic, the attacker waits for an authorized person to use their access card or a biometric credential to open an electronic access control door. The attacker then walks in behind them before the door shuts.
More sophisticated tailgating may see the attacker standing near the security door with their arms full of files or other office stationery. When an authorized person approaches the door, the attacker claims they cannot reach their access card because their hands are full, and so guilt-trips the person into opening the door for them.
In pretexting, the attacker creates a believable but fabricated pretext that lays the groundwork for extracting sensitive information from the target. They could, for instance, call the target and pretend to require certain information in order to activate a new system account or verify the target's identity.
More advanced pretexting builds on weeks of information gathering so that the attacker sounds like an insider. For example, if they pick up the names of actual employees in the IT department, the targeted individual will be more trusting of any request for information submitted to them. While phishing's primary catalyst is urgency and fear, pretexting seeks to build trust.
Social engineering is an old cybersecurity attack technique. It remains a potent weapon for hackers, which is why knowing the most common social engineering tactics is crucial.