Social engineering is a psychological manipulation technique that exploits human error to gain private information, access, or valuables. Instead of trying to find a software vulnerability, a social engineer might pose as a new employee, repair person, or researcher to trick an individual into revealing their password or other sensitive information.
Examples of Social Engineering
A social engineering attack begins with a cybercriminal determining what they want to gain from an individual or company and then getting to know the person or organization before making the attack. Attackers analyze their target’s behavior, likes, and dislikes to determine which methods of attack will yield the best results. Some common examples of social engineering include:
A social engineer might call the company, imitating a computer technician or fellow employee, to pull information out of a user. This type of social engineering attack is also known as vishing.
Trips to the office
A social engineer asks to be let in the office because he or she has a delivery — or because he or she claims to have forgotten their access badge. These social engineering techniques are also referred to as tailgating or piggybacking.
A social engineer can create fake social media profiles on sites such as LinkedIn to collect information from the people they connect with for later use. By learning more about their targets, a criminal can send a fake job inquiry or convincing emails asking for money that contain malicious or spam links.
Well-Known Social Engineering Attacks
Even the most elite security defenses can be compromised by social engineering attacks. It’s important to know what’s already been done to effectively protect against social engineering. Here are three real cases of social engineering that have been successful for scammers in the past few decades.
Kevin Mitnick: Kevin Mitnick was one of the most notorious cyber hackers of the 80s and 90s computer age. At just 16 years old in 1979, he called the system manager at Digital Equipment Corporation (DEC) and claimed to be Anton Chernoff, one of the company’s top developers. He said he was having trouble logging in and was immediately given high-level access to the system.
Nigerian Princes: Emails from “Nigerian princes” asking for help getting large sums of money out of the country are a staple of social engineering. In 2007, the treasurer of a sparsely populated Michigan county stole up to $1.2 million in public money as part of a Nigerian advance fee fraud.
Ubiquiti Networks: In 2015, Ubiquiti Networks, a manufacturer of networking technology, lost nearly $40 million after a phishing attack. An employee email account was compromised in Hong Kong, which hackers then used to request fraudulent payments from the accounting department.
Social Engineering Trends in 2021
Social engineering has become a standard element of larger cyber attacks. Many of these techniques, whether phishing or the use of deepfakes, are now packaged and sold together as a service, complete with service level agreements and support.
Most social engineering attacks today leverage exposed APIs since breaching an API is much easier than penetrating an enterprise network and moving laterally to take over most or all key assets in it. With more and more business data moving to APIs, this trend will likely continue over the next couple of years.
There has also been a recent rise in “missed messaging,” in which the attacker spoofs the account of a senior manager and emails a junior colleague asking them to send over a piece of completed work, such as a report. The message claims the report was first requested in an earlier email that never existed, creating urgency to respond, particularly in a remote work environment.
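The cues that make up this pattern can be screened for mechanically in inbound mail. The following is an added example, not code from the original article or from Mindcore: it scores a message on a senior manager's display name paired with an address that does not match the staff directory, a Reply-To that points elsewhere, a reference to an earlier request, and urgency language. The executive directory and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of senior staff (assumption): lower-cased display name -> real address.
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}

URGENCY = re.compile(r"\b(asap|urgent(ly)?|immediately|today|right away|end of day)\b", re.I)
PRIOR_REQUEST = re.compile(
    r"\b(as (i )?(requested|mentioned|asked)|my (earlier|previous|last) (email|message)|following up)\b",
    re.I)


def score_message(raw: str) -> dict:
    """Return the executive-impersonation indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload(decode=False)
    indicators = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append("senior manager display name with unexpected sender address")
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("Reply-To differs from From")
    if PRIOR_REQUEST.search(body):
        indicators.append("claims an earlier request was sent")
    if URGENCY.search(body):
        indicators.append("urgency language")
    # Two or more cues together is the pattern; any one alone is routine in normal mail.
    return {"sender": addr, "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample messages: one impersonation attempt, one ordinary note from the real manager.
SPOOFED = """From: Dana Reyes <dana.reyes@examp1e-mail.net>
Reply-To: d.reyes.private@webmail.example
To: sam@example.com
Subject: Q3 report

Sam, as I mentioned in my previous email I still need the Q3 report.
Please send it over today, ASAP.
"""

LEGIT = """From: Dana Reyes <dana.reyes@example.com>
To: sam@example.com
Subject: Q3 report

Sam, thanks for the draft. No rush, let's go through it next week.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, score_message(raw))
```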
How to Prevent Social Engineering Attacks
Social engineering awareness is the single most effective way to prevent these attacks against you or your company. Follow these five tips to defend your organization against social engineering:
- Train employees on security awareness.
- Provide a detailed briefing on the latest techniques to key staff.
- Review existing processes, procedures, and separation of duties for financial transfers and other important transactions.
- Consider new policies related to out-of-band transactions and urgent executive requests.
- Review, refine, and test your incident management and phishing reporting systems.
Prevent Social Engineering with Mindcore
Our cyber security services in New Jersey and Florida provide companies with maximum protection against social engineering attacks. At Mindcore, our team of cyber security specialists will work with you to develop a customized plan of action based on your specific needs. Contact us for more information or to schedule a consultation today.