You receive an email from somebody you don’t know, or from an address you don’t recognize, reminding you that an invoice is overdue: “Just click on this link to see the invoice and easily make a payment...”
You get a phone call from someone claiming to be a vendor, asking for your address, password or other credentials in order to clear up an issue with a service they provide to you...
These are the hallmarks of a Social Engineering attack.
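The two scenarios above share a handful of hallmarks that can be checked mechanically: a sender whose domain the organization does not do business with, a link whose visible text names one site while its destination is another, and language that pressures the reader to act now or to hand over credentials. The script below is an added example, not code from the original post; the sample messages, the vendor allowlist and the phrase lists are constructed for illustration and are assumptions rather than anything the post specifies.

```python
"""Flag social-engineering hallmarks in a raw email message.

Added example, not part of the original post. The allowlist, phrase lists and
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains of vendors the organization actually deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "bank.example"}

# Phrases typical of the pressure and the credential requests described above.
URGENCY_PHRASES = ("overdue", "immediately", "within 24 hours", "will be suspended")
CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your credentials")

# Looks like a bare domain (or URL) at the start of a link's visible text.
_VISIBLE_DOMAIN = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercased host of a URL; '' for mailto:, relative or malformed links."""
    return (urlparse(url).hostname or "").lower()


def phishing_flags(raw_message):
    """Return a list of hallmark descriptions found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Sender domain not one the organization recognizes.
    match = re.search(r"@([\w.-]+)", str(msg.get("From") or ""))
    sender_domain = match.group(1).lower() if match else ""
    if sender_domain not in KNOWN_VENDOR_DOMAINS:
        flags.append(f"sender domain not recognised: {sender_domain or '(none)'}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    # 2. Link whose visible text names one domain while the href points elsewhere,
    #    or whose destination is simply not a known vendor.
    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        href_domain = _host(href)
        shown = _VISIBLE_DOMAIN.match(visible.lower())
        visible_domain = shown.group(1) if shown else ""
        if visible_domain and visible_domain != href_domain:
            flags.append(f"link text {visible_domain} does not match href {href_domain}")
        elif href_domain and href_domain not in KNOWN_VENDOR_DOMAINS:
            flags.append(f"link to unrecognised domain: {href_domain}")

    # 3. Pressure to act now, and requests for credentials.
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgency language present")
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        flags.append("asks for credentials")
    return flags


# Constructed sample: the overdue-invoice lure from the opening of the post.
SAMPLE_PHISH = """\
From: Accounts Payable <billing@acme-supplies-billing.example>
To: finance@corp.example
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is overdue. Please settle immediately.</p>
<p>Just click on <a href="http://acme-supplies-billing.example/pay">acme-supplies.example/invoices</a> to see the invoice and make a payment.</p>
</body></html>
"""

# Constructed sample: a routine message from a known vendor, for comparison.
SAMPLE_LEGIT = """\
From: Accounts Payable <billing@acme-supplies.example>
To: finance@corp.example
Subject: Invoice for March
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice for March is available at <a href="https://acme-supplies.example/invoices">your invoice page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_flags(raw) or ["no hallmarks found"])
```

The checks are deliberately simple signals, not a verdict: an attacker who registers a look-alike domain the allowlist has never seen will trip only the first check, and a genuine vendor writing from a new domain will trip it too. The value is in surfacing the mismatch so a person decides, which is exactly the awareness the rest of this post is about.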
Social engineering is a broad term, but it can be defined simply as the practice of obtaining confidential or sensitive information by manipulating legitimate users. It is also called “human hacking.”
In his whitepaper, Social Engineering: A Means to Violate a Computer System, Malcolm Allen writes, “‘Social Engineering’ is a threat, often overlooked but regularly exploited, to take advantage of what has long been considered the ‘weakest link’ in the security chain of an organization: the ‘human factor.’” It is important to understand that, whatever technology is used to deliver them, social engineering attacks are, in essence, psychological tricks.
Social engineering attacks take many forms, from telephone scams to phishing emails. The goals of a malicious social engineer are the same as those of any other criminal activity: money, knowledge, power, control, and so on. To protect against social engineering, an organization must first look inward and think through why someone might want to target it and what they would be after. Based on that assessment, it should then take preventative measures, such as mandatory security awareness training for employees. The first line of defense against these attacks is user awareness and education about information security.
We will be talking about social engineering in our next few blog posts, as the number of incidents is currently on the rise.