Social Engineering

Why is Social Engineering dangerous?

Imagine you have hardened your network with the most powerful tools available. Moreover, you have carefully tested your web applications for vulnerabilities and eliminated all weak points.

Now you can breathe out and say: “I am totally safe”, right?

Unfortunately, the answer is “No”. You are still in danger because you have not blocked the most widespread attack vector today – social engineering.

Social engineering is not about attacking computers – it is about attacking people and hacking human minds. According to statistics, more than 90% of modern cyberattacks are based on or include social engineering techniques.

Why is this kind of attack so popular among criminals? Because it is much easier and faster than attacking a well-hardened technical infrastructure. Breaking into an organization with social engineering can be as easy as sending one e-mail with an infected document to employees. If at least one of them takes the bait, the attackers get inside your network and your assets are at their mercy.

Thus, your employees turn into a tool of cybercriminals. By influencing people’s minds, perpetrators make them commit self-destructive actions like giving away secret information, running malware or providing access to restricted areas. For that purpose, the attackers use techniques of deception and psychological manipulation.


How Social Engineers can attack

Social engineering may come in various flavors. Here are some guises widespread today.

Physical impersonation. Imagine a person who comes to your office, says she is a fire inspector and needs to carry out an inspection. In reality, it’s a criminal or a spy trying to get access to your assets and steal information, install malware or cause some other kind of damage. Perpetrators can impersonate anyone – from a cleaner to a police officer – but their aim stays the same: to gain physical access to your assets for malicious purposes or to extract confidential information from your employees.

Phishing. You have certainly encountered this digital form of social engineering many times. It comes in the guise of an email from “your bank”, “Google security”, “a court subpoena”, “DHL”, “your dearest friend” and… you can extend the list with other authoritative entities that you trust. Of course, the emails are fake: if you buy it and click on a link or file in the email, you are trapped. Phishing is aimed at eliciting credentials or making the victim install malware on her computer. As always, the main tools are deception and manipulation tricks.

Spear-phishing is a subtype of phishing aimed at a particular individual, mostly a CEO or another influential person. Attackers gather plenty of information about the person before starting the attack, so the malicious email sent to the target looks very plausible.

Vishing. This is a kind of social engineering carried out by phone. Perpetrators call you and, impersonating an authority figure, try to make you commit some self-harmful action. Usually, they pretend to be a “bank security service” and make efforts to extract your secret banking information, like your PIN and CVV code.

Smishing (SMS phishing) is another infamous flavor of phone-based social engineering. In this case, perpetrators use SMS and instant messengers to send a malicious link or lure the victim into other kinds of malicious activity.

All of these attacks may have devastating implications for the target, be it a person or a huge company.

How to protect from Social Engineering attacks

The hardest thing about protection from social engineering attacks is that they exploit natural vulnerabilities of the human brain. Many emotional reactions are wired into the human brain to run automatically, so an experienced social engineer manages these reactions – and, as a result, people's behavior. It looks as if he has a remote control in his hands and just pushes the neuro-buttons until the victim becomes compliant and commits self-destructive actions. Some specialists call it “criminal hypnosis”.

Is it possible to take this seemingly absolute power out of attackers’ hands?

It’s pretty obvious that you can't install a firewall in your employees’ minds. But you can educate them to detect social engineering attacks and resist them effectively. How exactly?

At DIESEC, we have developed a special program that allows you to train your employees in the fastest and most efficient way. To be more precise, it includes three stages. The first one builds awareness of social engineering attacks. The second stage develops the ability to recognize the specific markers of a social engineering attack. The third stage covers what actions an employee should take after discovering signs of a social engineering attack.

As a result, after our training your employees will turn from helpless victims into a well-prepared team able to fend off most social engineering attacks and protect your company’s assets.
