By Kevin Barona in Small Business Security — Jul 7, 2023

What is Social Engineering and How Do I Protect Against it?

Almost all cyber-attacks targeting small businesses, individuals, and other organizations rely on social engineering. Threat actors prefer using social engineering since it is hard to defend – it takes advantage of the weakest component in an information system; people.

Social engineering is a process that involves manipulating people to disclose confidential and sensitive information unintentionally.

Besides manipulation, social engineering influences victims to perform actions that enable threat actors to gain access to secure systems, collect information or commit fraud.

Threat actors usually perform social engineering using the following steps;

Identifying the victim and gathering background information.
Engaging, interacting, and establishing a relationship with the victim.
Obtaining the required information and data or executing an attack.
Ending the process without suspicion.

Threat actors may use the following forms of social engineering to achieve their objectives.

Phishing and Spear Phishing

Phishing uses email to get information from a victim. A threat actor pretends to be a trusted source, such as a bank, charity organization, or someone from your workplace. The threat actor then asks you to click a link, which takes you to a spoofed website.

Spear phishing targets a specific individual, usually an employee in an organization. Threat actors may pretend to be senior executives in this scenario.

Phishing encompasses vishing – phishing over the telephone, smishing – phishing using SMS, and angler phishing – phishing through social media (targets disgruntled customers).

Baiting

Baiting exploits the victim’s greed and curiosity. Threat actors lure victims by leaving malware-laden USB drives in the company lobby, elevators, parking, bathroom, or even the front desk.

The USB drives feature the company logo or an enticing label such as ‘Salary appraisals and promotions. If a victim picks up the USB drive and inserts it into a computer, the malware executes and steals information or gives the attacker system access.

Attackers also use online baiting in the form of pop-ups such as ‘you are the lucky winner of an iPhone.’ The pop-up contains a link to a malicious website that coerces the victim to download an infected app or take an online survey that harvests personal information.

Pretexting

In this technique, an attacker relies on the gathered background information and creates a scenario (scam) that may make the victim provide confidential information.

Other pretexts may influence the victims to perform various actions on their computers or smartphones that compromise their security.

Attackers usually impersonate trusted sources. Most pretend to be IT helpdesk, customer support from banks, co-workers, and even the police.

Scareware

Scareware uses fear to trick victims into installing malicious software that attackers can use to steal information, gain system access, or propagate further attacks.

Attackers distribute scareware through spam mails or pop-up banners with false alarms and security alerts such as ‘Warning, your computer may be infected.’

Tailgating

In tailgating, threat actors gain access to restricted or access-controlled areas by closely following or familiarizing themselves with authorized individuals.

For instance, an unsuspicious employee may think the person closely following them is a co-worker and hold the door. Usually, the attacker wears a fake company lanyard to avoid raising suspicion.

A threat actor may use tailgating to carry out other social engineering attacks or use the opportunity to gain access to systems, gather information, or spread malware.

Enterprises, small businesses, and individuals can reduce and prevent social engineering security risks by using measures such as;

Organizations should conduct security awareness training and education regularly. Employees should be aware of social engineering, its dangers, and various infosec mitigation strategies. Cybersecurity personnel should perform unplanned drills and tests that ensure employees are well versed in tackling social engineering.

Reduce online digital footprint

Avoid oversharing personal and sensitive information on social media and other online platforms. Update the security and privacy settings of various platforms that have your information. You can set privacy to my contacts or friends only.

Additionally, regarding social media, don’t accept friend requests you don’t know. On networking platforms, set a profile that doesn’t reveal too much about yourself.

Practice safe cybersecurity

These general principles ensure you don’t fall victim, reduce the risk, or prevent social engineering attacks. They include;

Use anti-phishing features in emails and browsers.
Avoid spam emails, links, and attachments from people you don’t know.
Avoid unsecure websites, suspicious unsolicited phone calls, and SMS.
Avoid giving out personal or other sensitive information to entities or individuals you cannot verify their identity.
Use reputable up-to-date anti-malware and anti-virus software.
Use different strong passwords for your accounts.
Enable multi-factor authentication.
Don’t connect to unsecure Wi-Fi networks.
Regularly update your system.
Manage electronic and other digital waste properly.

Conclusion

Social engineering is a dangerous threat and one that is harder to detect or mitigate when executed properly. Businesses and individuals should always be on the lookout and be in the know regarding social engineering. If you suspect or think you are a social engineering victim, change your credentials and report to the relevant personnel and authorities.