Marshall, a Mississippi native, is a dedicated expert in IT and cybersecurity with over a decade of experience. Along Techopedia, his bylines can be found…
Natalie is an editor specializing in educational content, with a deep passion for technology and cryptocurrency. Her expertise lies in transforming complex tech and crypto…
Human beings are predisposed to want to help others. It is in our nature. If you’re a receptionist or work at a help desk, it might even be part of your job description.
Even so, beware of social engineering. What is social engineering? It’s the subtle manipulation of staff in order to gain illegal access to your building, systems, and data.
Social engineering is hacking. But it’s not hacking into your network by exploiting a technical vulnerability. Social engineering is hacking your staff, the organic layer of your defenses.
Most of us share similar characteristics. Nobody likes having problems at work, and we feel sorry for those who do. We are inclined to help people who are wrestling with problems, even if it means we bend the rules slightly or break protocol for a moment.
We’re even more likely to do this if we like or empathize with the person who has the issue. We’re also conditioned to obey authority figures. We want to be seen as capable of helping and willing to pitch in.
Skilled threat actors can exploit all of these traits and coerce people into doing what they want. It’s exploiting human psychology to steer the unwary into performing some action that benefits the perpetrator.
Social engineering attacks might happen in a single phone call, or they may be played out over a period of time, slowly winning trust and acceptance.
Their objective is to get through your security measures or to go around them.
Social engineering has been around as long as confidence tricksters have existed. There are techniques that work, so it was inevitable that they’d be picked up and used by the cyber threat actors.
They work on people’s admirable qualities, like their kindness and desire to assist, or their poorer qualities, like greed and fear.
The threat actor might want to:
In contrast with many cyber attacks, social engineering attacks are specifically targeted at their victims. This is in contrast to the “spray and pray” type of attacks, such as phishing attacks or port scanning.
Social engineering attacks can involve phone conversations, email, or attending your premises in person. Quite often, a blend of these techniques is used to suit the needs of the attack.
Threat actors will do intelligence gathering on the target within the company. They monitor X (previously Twitter) and LinkedIn and look for information that gives them an edge. Social media is a two-edged sword. What you broadcast to the world can easily be turned against you.
The simplest attacks are often the best, and technical support is a common target. Their job is to solve problems. Their working day is devoted to trying to satisfy the caller’s needs and to make problems disappear.
Masquerading as tech support and ringing other staff members is a favorite too. There are many variations of this scam.
These are examples of successful social engineering attacks that are happening today.
Gaining physical access to your premises allows the threat actor the opportunity to perform a variety of actions that further compromise your security.
Firewalls usually let traffic out of a network much easier than traffic can get in. Firewalls are border guards, and most of their attention is focused on what comes in over the border. Traffic going out is often a secondary concern.
These covert devices can be hidden inside old laptop power supplies or other innocuous devices and quickly plugged in behind equipment such as large printers.
Printers need mains power and a network point. Network points are usually provisioned in pairs, as are power points. The printer only needs one of each. Behind the printer are the connections the device needs and a nice hiding place.
The threat actor may simply pick up a laptop and walk out. They may infect the network with malware from a USB memory stick.
A similar approach is for the threat actor to collect some promotional literature from a genuine business such as a courier firm.
To get past reception, threat actors have posed as all manner of delivery persons. UPS, United States Postal Servants, flower deliveries, motorcycle couriers, pizza deliveries, and donut deliveries, to name a few. They have posed as pest control agents, construction workers, and elevator servicing engineers.
We’re dealing with people, so, needless to say, the defenses revolve around training, policies, and procedures.
Fostering a security-minded culture in your business will pay dividends and is the foundation of a multi-layered security approach.
Techopedia’s editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
Marshall, a Mississippi native, is a dedicated expert in IT and cybersecurity with over a decade of experience. Along Techopedia, his bylines can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive readership of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives. Currently, Marshall resides in…
What is Differential Privacy? Differential privacy is a mathematical framework for determining a quantifiable and adjustable level of privacy protection....
Margaret RouseTechnology Expert
What are Tactics, Techniques, and Procedures (TTPs)? Tactics, techniques, and procedures (TTPs) are the strategic plans, methodologies, and actions an...
What is a Security Posture? Security posture definition refers to the ability an organization has to protect its information technology...
Trending NewsLatest GuidesReviewsTerm of the Day