Wikipedia defines Social Engineering in the context of information security as “… psychological manipulation of people into performing actions or divulging confidential information…”
Social engineering attacks on people and organizations are so successful because people have a natural inclination towards trust. The cybercriminals also appeal to human emotions in their communications; typically fear, greed, curiosity, helpfulness, and urgency. Because of this, they manage to persuade people to divulge confidential information, transfer money, or inadvertently install malware.
Types of Social Engineering:
Some of the most common types of Social Engineering are:
Phishing: An email (or other electronic message) disguised as coming from a trustworthy source such as a bank, a delivery company, or even a co-worker or friend, typically carrying a link to a fake login page or a malicious attachment.
Spear Phishing: Unlike bulk phishing, the message is tailored to a specific individual or organization, using details such as names, projects or vendors that make it look legitimate.
Baiting: Something of value (a free download, a prize, a USB drive left where it will be found) is offered to entice the victim into taking an action, such as opening a file or plugging in the device.
Scareware (often loosely called "Malware"): The victim is falsely told, by a pop-up or a cold call from fake "technical support", that malware is already installed on their computer. All they need to do is pay the caller to have it removed.
Pretexting: The attacker invents a plausible scenario (the "pretext") and assumes a false identity, such as an auditor, IT staff or a vendor, to persuade the victim to hand over confidential information.
Vishing: Voice phishing. An urgent phone call or voicemail warns the target that unless they act quickly they will be arrested, fined or suffer some other harm.
Water-Holing: The attacker compromises a website that the target group is known to visit and plants malware there, so visitors are infected without the attacker ever contacting them directly.
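As an added illustration of the "disguised as originating from a trustworthy source" point above (this is editorial example code, not BSC's service or any product), the script below parses raw email headers and flags three crude phishing indicators: a display name that claims a trusted brand while the address domain is something else, a Reply-To that redirects replies away from the sending domain, and urgency language in the subject or body. The two messages and the trusted-domain table are constructed for the example and are not real.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hypothetical addresses, not real mail).
SAMPLE_PHISH = """From: "Acme Bank Support" <alerts@acme-bank-secure.example>
Reply-To: recover@mailbox.example
Subject: URGENT: your account will be suspended within 24 hours
To: victim@example.org

Please verify your details immediately or lose access.
"""

SAMPLE_LEGIT = """From: "Acme Bank" <notices@acmebank.example>
Subject: Your monthly statement is available
To: victim@example.org

Your statement for March is ready in online banking.
"""

# Hypothetical table: brand name as it appears in display names -> the domain
# that brand really sends from. An organization would fill this from its own
# vendor list.
TRUSTED = {"acme bank": "acmebank.example"}

# Fear/urgency vocabulary the attacker leans on (see the discussion of
# emotions above). Deliberately small; extend for your own environment.
URGENCY = re.compile(r"\b(urgent|immediately|suspend\w*|within \d+ hours|verify)\b", re.I)


def sender_domain(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Parse a raw RFC 5322 message and return the indicators found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    findings = []

    # 1. Display name invokes a trusted brand, but the address domain is not
    #    the domain that brand actually uses.
    for brand, legit in TRUSTED.items():
        if brand in name.lower() and domain != legit:
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")

    # 2. Reply-To sends replies to a different domain than the one that sent it.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and sender_domain(reply) != domain:
        findings.append(f"reply-to domain {sender_domain(reply)} differs from sender domain {domain}")

    # 3. Urgency / fear language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    urgency_terms = sorted({m.lower() for m in URGENCY.findall(text)})
    if urgency_terms:
        findings.append("urgency language: " + ", ".join(urgency_terms))

    return {
        "sender": addr,
        "findings": findings,
        "urgency_terms": urgency_terms,
        # Two or more independent indicators is the (arbitrary) threshold here.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = phishing_indicators(sample)
        print(label, result["suspicious"], result["findings"])
```

These checks catch the clumsy cases only. A well-crafted spear-phishing message uses a correct-looking domain, no Reply-To trick and calm wording, and passes all three, which is exactly why the page recommends ongoing user training rather than relying on filters alone. Real mail filtering would also verify SPF, DKIM and DMARC on the sending domain; that is outside this example.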
How to Protect Your Organization
According to Gartner research, “People affect security outcomes more than technology, policies or processes.”
A regular, ongoing program of testing, education and reporting that teaches your employees how to recognize and report social engineering attempts is your best line of defense. It is important to note, however, that for such a program to be effective, everyone's participation needs to be mandated and monitored by management.
BSC offers such a program at a very affordable price for small and medium organizations. Learn more about our online Phishing Security Testing & Training Service.