Social engineering is now the third most common form of business fraud in the UK.
This cybercrime tactic is becoming more popular because in many cases it is easier to manipulate human behaviour than it is to hack into a system. You don't have to be a sophisticated hacker to get someone to click on a link they shouldn't click. There are also many types of social engineering attack that can be used against a business.
Cybercriminals are using social engineering to trick your staff into giving them access to something they shouldn't. And it is working.
A report by the National Crime Agency shows that CEO fraud, just one form of social engineering, cost UK business £32 million in 2018. It is a costly problem no matter the size of your business.
Computer Weekly reported that more than 1 in 10 employees are falling for social engineering attacks. In the last year, we have spoken to multiple businesses that have been victims of a social engineering attack. In one case it took only one email to cost a business £15,000.
There is no doubt that social engineering is a significant threat to a business. To be able to defend your business against it you need to be able to spot social engineering. This article will show you the most common types of social engineering attacks and how they work.
Phishing is the most common and well-known form of social engineering. The majority of phishing is done via email. The attacker tries to trick the email recipient into clicking a malicious link.
Usually, this involves creating an email address that mimics that of a well-known brand. If the hacker has put in a lot of effort, they might even know the kind of businesses likely to email your company and pretend to be one of them.
The email aims to get you to click a link or open an attachment. The attacker is either looking to trick you into giving away sensitive information or, in the case of an attachment, to infect a computer, and through it the network, with a virus or a form of ransomware.
For more information check out our guide on how to spot phishing emails.
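The lookalike sender addresses described above can be caught mechanically. The following is an added example, not code from the original article: it checks the domain in a From: header against a constructed allowlist of domains a business expects mail from, flagging near-misses (edit distance), domains that embed a trusted domain, and display names that claim a brand the domain does not belong to. The allowlist and sample headers are assumptions constructed for the example.

```python
import re

# Constructed allowlist of domains this organisation expects mail from (assumption)
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "acme-supplier.co.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between a sender domain and a trusted one suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from_header(from_header: str):
    """Return (display_name, domain), lower-cased, from a From: header like 'PayPal <x@paypal.com>'."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>\s*$', from_header)
    if m:
        name, addr = m.group(1).strip(), m.group(2)
    else:
        name, addr = "", from_header.strip()          # bare address, no display name
    return name.lower(), addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' = exact allowlisted domain, 'lookalike' = imitates one, 'unknown' = neither."""
    name, domain = split_from_header(from_header)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]                       # e.g. 'paypal'; very short brands may false-positive
        if t in domain or levenshtein(domain, t) <= max_distance:
            return "lookalike"                        # paypa1.com, secure-paypal.com, paypal.com.evil.example
        if brand in name:
            return "lookalike"                        # display name claims the brand, domain does not match
    return "unknown"


# Constructed sample From: headers, not taken from any real message
SAMPLES = [
    "PayPal <service@paypal.com>",
    "PayPal <security@paypa1.com>",
    "Accounts <accounts@acme-supplier-co.uk>",
    "Microsoft Support <help@outlook-secure-login.net>",
    '"Finance Dept" <ceo@paypal.com.evil.example>',
    "Dave <dave@example.org>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_sender(s):9} {s}")
```

A 'lookalike' verdict is a prompt for a human check or a quarantine rule, not proof of fraud, and the allowlist needs maintaining as suppliers change.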
Spear phishing is a more targeted form of phishing. As you may have guessed by the name, spear phishing focuses on a particular organisation or even just one specific employee.
Many forms of CEO fraud are spear phishing because it will often target just the employee responsible for finance at a business.
This form takes a lot of research to be successful, but the added detail will make it more likely to succeed. A hacker might employ many types of social engineering to gather the information they need to create an effective spear phishing attack.
Whaling is another targeted form of phishing that focuses on higher management of private companies or government agencies. The technique is the same as spear phishing, it's just the target that is bigger.
Most phishing is done over email, but there is also phishing done the old-fashioned way, on the telephone. This is known as vishing. It was very popular during the rise of telephone banking.
The attackers set up a phone number and then trick people into calling it by pretending to be a bank or another business. Once on the phone, they will ask for sensitive information, typically your bank details.
Pretexting is a form of social engineering that relies on forming a false sense of trust with the intended victim. The attacker creates a scenario, or pretext, to trick their victim into giving them information. It can also be used to gain direct access to a system.
Pretexting is all about coming up with situations that cause us to lower our guard. How believable or innocuous the scenario is will affect the success of the attack.
Pretexting can be done over the phone or in person.
More advanced forms of pretexting can be so effective that the attacker manipulates the victim into doing everything for them, so they don't even get their hands dirty!
For example, by phoning a business and pretending to be from an IT company, a cybercriminal can ask questions that give them all the information they need to get into a system. Or they can have the victim do it for them over the phone.
Baiting and quid pro quo
Baiting is designed to exploit a person's curiosity. It can often be as simple as leaving a memory stick lying around on the floor. There are numerous instances where a person has picked up a memory stick off the floor and put it in their computer, curious to see what is on it.
The memory stick will have a virus on it, and as soon as it is plugged into the computer, the virus infects not just that computer but any network it is connected to. One business can be taken down by a single curious employee plugging in a memory stick they found lying around.
Quid pro quo means a favour or advantage granted in return for something. This form of social engineering involves offering a benefit or a service in exchange for information.
Prize draws are a good form of quid pro quo, but they can be limited in the amount of information the hacker can gather. A really effective form of quid pro quo is pretending to be a service that a business uses. This can gain them access to a building or allow them to trick the victim into giving them information over the phone or email.
Tailgating is sometimes referred to as piggybacking. It involves the attacker trying to gain access to a restricted area. It is called tailgating because it is often as simple as walking in behind a person who is authorised to be in that area.
Sometimes they will even have the door held open for them. Think about how many times you have held the door open for someone at your building. It is so ingrained in human nature that it is often done without thinking.
Tailgating is often performed by the attacker pretending to be a delivery driver or a facility manager.
How to protect your business from social engineering
Training your staff is the best thing a company can do to prevent social engineering. Because it is designed to take advantage of human nature, your staff will be the targets.
There are plenty of training options available to you. KnowBe4 is an excellent option for training your staff and also for testing how they react to social engineering attacks. If you use an IT provider, you should also speak to them to see what help they can offer.
For more information on specific actions you can take, see our definitive guide on social engineering.
Social engineering is costing UK businesses millions of pounds every year. It's a form of cybercrime that is designed to work around a business's cybersecurity defences. But that doesn't mean there is nothing you can do to stop it.
Understanding social engineering and the different types of social engineering attacks makes it easier for you to spot. But it is vital that you train your whole business on how to detect social engineering.
Don't be afraid to get help because a social engineering attack needs just one wrong click for it to work.