What is Social Engineering and How Does it Work?

Social engineering is still one of the most common means of cyber-attack, primarily because it is highly efficient. To criminals, the user is the weakest link in the security chain. Social engineering is one of the biggest problems in IT security today. It is so effective because it targets the human level rather than the technical level. While you can patch technical vulnerabilities, it is far harder to address vulnerabilities caused by human error. An education process is vital so that end users understand the dangers of social engineering and avoid falling for such scams.

Types of social engineering attacks:

  1. Phishing
    Phishing is the most common type of social engineering. The attacker recreates the website or support portal of a well-known company and sends the link to targets via email or social media platforms. The victim, unaware of the real attacker, ends up giving away personal information and even credit card details.
  2. Spear Phishing
    Spear phishing can be seen as a subset of phishing. Although it is a similar attack, it requires extra effort from the attackers: they must tailor the message to the small number of users they target. The hard work pays off, since the chances of users falling for the false emails are considerably greater in the case of spear phishing.
  3. Vishing
    Social engineers can be anywhere on the internet, but many prefer the old-fashioned way: they use the phone. This type of social engineering is known as vishing. They recreate the IVR (Interactive Voice Response) system of a company, attach it to a toll-free number, and trick people into calling the number and entering their details. Most people do not think twice before entering confidential information into an IVR system.

Who is likely to be targeted?

The people with the most information and the least security training. This usually means the CEO, who is probably the most vulnerable to social engineering attacks. Attackers know to stay away from people who may be better informed about their schemes, even if that means taking a more roundabout route, such as researching the target and appealing to emotion.

  • 48% of enterprises have been victims of social engineering attacks, 25 in the past 2 years costing about $19,580 each time.
  • 75% success rate with social engineering phone calls to businesses.
  • 86% of IT and security professionals are aware of the risks of social engineering.

How do you avoid being a victim?

Here are some ways to avoid becoming a social engineering victim.

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes not following links sent in email.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
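The URL advice above (a look-alike spelling or a different domain) can be checked automatically before a user ever reaches the page. The Python below is an added example, not part of the original post; the allowlist, the confusables map and the sample URLs are constructed, and the registrable-domain split is a naive last-two-labels rule with no public-suffix list.

```python
"""Defender-side look-alike host check; constructed allowlist and confusables map."""
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAINS = ("example.com", "examplebank.com")  # constructed allowlist
# Small constructed confusables map; real tooling uses the full Unicode
# confusables table, which is far larger.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "0": "o", "1": "l", "3": "e", "5": "s"}
PAIR_SUBS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def skeleton(host: str) -> str:
    """Reduce a hostname to the string a human is likely to read it as."""
    h = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    h = "".join(CONFUSABLES.get(ch, ch) for ch in h)
    for src, dst in PAIR_SUBS:
        h = h.replace(src, dst)
    return h

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if "xn--" in host:  # punycode: inspect the Unicode form a browser would render
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            return "lookalike"
    registrable = ".".join(host.split(".")[-2:])  # naive: no public-suffix list
    if registrable in legit and (host == registrable or host.endswith("." + registrable)):
        return "legitimate"  # the real domain or a real subdomain such as mail.example.com
    sk = skeleton(host)
    sk_reg = ".".join(sk.split(".")[-2:])
    for domain in legit:
        target = skeleton(domain)
        if sk_reg == target or levenshtein(sk_reg, target) <= max_distance:
            return "lookalike"  # confusable characters or a typosquat
        if target.split(".")[0] in sk:
            return "lookalike"  # brand name buried in an unrelated domain
    return "unrelated"
```

The brand-substring rule is deliberately aggressive and will flag unrelated hosts that merely contain the brand word, so in practice it is a triage signal rather than a blocking decision.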

Image source: Veracode


Best regards,

KASUR TEAM
2001586205     Andriana Pratama Putra
2001622614     Veber Sormin