You might hear social engineering and think it has something to do with how your teenager operates social media better than you. Think again!
Social engineering actually has nothing to do with social media at all. It is, however, a term that encompasses a broad spectrum of malicious online activity.
In this blog, we’ll dive into what exactly social engineering is and the six types of social engineering you should know about.
What is Social Engineering?
Social engineering refers to a form of psychological manipulation used to trick people into giving up access to an organization’s sensitive information. It capitalizes on human psychology to fool users or employees. Most commonly, social engineering uses email or other communication to invoke fear, urgency, or other emotions in the victim, ultimately causing them to take the desired action (e.g., click a malicious link, reveal sensitive information, or open a malicious file).
Types of Social Engineering
While there is a wide range of tactics that classify as social engineering, there are six main types we will cover here.
- Phishing–phishing (typically in the form of emails) uses shortened or misleading links to redirect users to suspicious landing pages or websites in order to steal personal information (e.g., names, Social Security Numbers, or addresses). No two phishing emails are the same, making them difficult to identify. Read our four tips to avoid phishing.
- Baiting–baiting resembles phishing but differs in that it uses the promise of an item or good to lure the victim. An example would be offering free movie downloads to trick users into sharing login credentials.
- Pretexting–pretexting involves a scammer impersonating a trusted person by fabricating a likely scenario. Once the victim complies with requests, the attackers steal that person’s personal information or conduct other malicious activities. The most common example of a pretexting attack is when someone calls an employee and pretends to be someone in power, such as the CEO.
- Tailgating–tailgating involves an attacker without proper authentication following an authenticated employee into a restricted area of an organization. For example, the attacker might impersonate a delivery driver to gain access.
- CEO Fraud–CEO fraud involves attackers impersonating a key organization figure such as a CFO in order to get an employee to share sensitive financial information or perform a financial transaction. Like pretexting, CEO fraud exploits the trust of an organizational lead to trick an employee into action.
- Quid Pro Quo–like phishing and baiting, quid pro quo involves the promise of a service in exchange for information. A very common quid pro quo attack impersonates the Social Security Administration. Attackers ask the victim to confirm their Social Security Number, which allows them to steal the victim’s identity.
Ways to Prevent Being a Victim of Social Engineering
At its core, the strategy of social engineering means preying on human curiosity and psychology to steal information. As an organization, you must help your employees understand the human-centric nature of these attacks in order to prevent and counter them. The following tips should be incorporated into your organization’s daily practice and cybersecurity training programs.
- Lock your laptop or desktop computer whenever you are away from your desk.
- Install anti-virus software on all employee devices. While this will not protect you completely, it is a helpful first line of defense against the malicious links and files that many social engineering attacks deliver.
- Never open emails from untrusted sources. If you receive a suspicious email message from someone you know, confirm it with that person by phone before acting on it.
- Always verify any urgent requests that come from a contact within your organization to confirm they are valid. This is especially true if the request asks for money or sensitive information.
- Always have employees adhere to the company’s policy for letting strangers into your offices or building.
- Encourage employee training and regular reporting of risks. Because social engineering attacks rely on human error and naivety to be successful, employees must play a role in preventing attacks by reporting suspicious behavior.
Plan to Prevent Social Engineering With Managed IT
There are countless really great reasons we believe you should be working with a managed IT service provider. Yes, we’re biased. Yes, it still really matters.
The cybersecurity threat landscape is constantly changing. As a managed IT service provider, we live and breathe it every day. We ensure our clients are as protected as possible from the latest and greatest threats.
If you had no idea what social engineering was before this blog–or maybe you did, and now we’ve scared you–get in touch with our team. We would love to help your business protect itself from preventable social engineering attacks. Schedule a free assessment with a member of our team today.