Social engineering is a method of obtaining security-relevant information by exploiting the human element rather than a technical flaw. How much damage it causes depends on the access and authority of the person who is deceived.
Social engineering attempts follow essentially the same pattern: the attacker uses various pretexts to gain the trust of a particular person so that the person divulges sensitive data (login names and passwords are the classic example). Sometimes it is even simpler than that, and the attacker merely eavesdrops on the target.
Social engineering does not always go through the Internet. A phone call demanding urgent action on a fictitious network problem, for example, can get the person called to reveal their login data. Appeals to authority are another lever: the contacted person is told that an instruction comes "from the boss" or from other employees in a higher position, for instance the instruction to transmit important data.
Social engineering in the 21st century
Many social engineering attacks today are carried out over the Internet. Fraudsters gather information about a target from sources such as Facebook, then impersonate someone the target trusts in an e-mail. Spoofing the sender address, so that the message appears to come from that trusted person, is an effective way for the fraudster to stay disguised.
The content of such an e-mail aims to get the target to download an attachment or click on a particular link. Trojans, worms, keyloggers or similar tools wait behind it to cause damage or to harvest sensitive data (which is serious damage in itself).
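The spoofing described above leaves traces in the message headers that a mail gateway or an analyst can check: the envelope sender (Return-Path) and Reply-To should align with the visible From domain, a known executive's display name should not appear on an outside address, and SPF/DKIM/DMARC verdicts should be "pass". The following Python triage script is an added example for this article, not code from the original page; the three sample messages are constructed, and the EXECUTIVES table (which names belong to which real domain) is a hypothetical stand-in for an organisation's own directory.

```python
"""Header triage for impersonation e-mails (added example; sample mails are constructed)."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: display names an attacker would impersonate -> the domain
# their real mailbox lives on. An organisation would load this from its directory.
EXECUTIVES = {"jane doe": "example.com"}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    results[method] = part.split("=", 1)[1].split()[0].lower()
    return results


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # Return-Path is the envelope sender that SPF is evaluated on. If it lives on a
    # different domain than the visible From, the message is not what it claims to be.
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != From domain {from_dom}")

    # A Reply-To on another domain is how the victim's answer (and data) reaches the fraudster.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != From domain {from_dom}")

    # Display-name impersonation: a known executive's name on an address outside their domain.
    real_dom = EXECUTIVES.get(name.strip().lower())
    if real_dom and from_dom != real_dom:
        findings.append(f"display name '{name}' used with external address {from_addr}")

    # Any authentication verdict other than pass is a red flag in its own right.
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings


# Constructed sample 1: From is spoofed to the CEO's real address; the envelope sender
# and Reply-To point elsewhere, and DMARC fails because of the misalignment.
SPOOFED = """\
Return-Path: <bounce@mail-svc.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-svc.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: accounting@example.com
Subject: Urgent wire transfer

Please send the vendor list today.
"""

# Constructed sample 2: everything authenticates cleanly, because the attacker really does
# own the free-mail account. Only the display name gives the impersonation away.
LOOKALIKE = """\
Return-Path: <jane.doe.ceo@gmail.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: accounting@example.com
Subject: Are you at your desk?

Need a quick favour.
"""

# Constructed sample 3: a legitimate internal message.
LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 numbers

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

The second sample is the one worth remembering: SPF, DKIM and DMARC all pass, because the attacker legitimately controls the free-mail account. Sender authentication only proves that the mail came from the domain it says it came from, not that the person named in the display name sent it, so a display-name check against the organisation's own directory has to run alongside it.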
Social engineering is also used against inexperienced people who are unaware of how sensitive the data entrusted to them is. They share important data more readily, store passwords in plain text in files lying in plain view on the desktop, and the like.
Because technology evolves rapidly and constantly brings out new software and devices, most people without an IT background find it difficult to assess these risks properly. That makes them an ideal target for social engineering.
In 2016, 98 percent of organizations worldwide reported malware as the biggest contributor to internal damage. Close behind was social engineering, to which 70 percent of companies fell victim (and a malware infection is itself often the result of social engineering).
That places social engineering ahead of attack methods such as the execution of malicious code on prepared websites, other web-based attacks, and the threat posed by large botnets or DDoS attacks.
Since the biggest weakness in this type of attack is the human being, security software alone cannot be the solution. Even the best software will not stop an attacker who logs in through the normal channels with a valid user name and password. It is therefore essential to make company employees aware of the dangers of social engineering.
Internal seminars and courses help to educate people who have access to important data. They should also establish what an employee is expected to do when they suspect they are the target of a social engineering attack.