Do you know what the weakest link is in IT security? The human being. As encryption, passwords and networks become harder to penetrate, cybercriminals have turned their attention to those who interact with these systems.
Webroot, makers of the popular anti-virus software, describes social engineering: “[It] is the art of manipulating people so they give up confidential information.”
The idea behind it is simple: instead of trying to compromise the system itself, why not just trick the user into willingly sharing whatever is required? Social engineering works by taking advantage of people’s inherent tendency to trust and to act on impulse.
Social engineers are usually excellent impersonators and adept at creating situations that trick the employee into divulging sensitive information. As our IT support team in Oakville puts it: they are making you “act first, think later”.
It is much easier to make somebody give away their password than to hack it.
Types of socially engineered attacks
There are many classifications of socially engineered attacks, but the premise remains the same. Some of the more common ones are:
- Baiting – Enticing the target with an incentive to take a certain action
- Phishing – Using email, text messaging or social media to gather confidential information
- Email hacking – Taking control of email accounts and sending spam emails to contact lists
- Pretexting – Using a ploy or scheme to gain someone’s attention and gather something of value
- Quid pro quo – Manipulating people with the idea of a fair exchange
- Vishing – Building trust over a phone call to incite the target to transfer funds or information
Example of a socially engineered attack
An instance of a socially engineered attack comes from the case of a popular furniture chain, The Brick. An employee of the company was contacted by someone claiming to be an accounts manager from Toshiba, a supplier. Over the course of a few phone calls, the impersonator was able to convince the employee at The Brick that Toshiba had changed banks and that payments should be sent to a new account. The employee changed the information; the account was never verified, and payment was made. The fraud was discovered some time later, when someone from Toshiba contacted The Brick about late payment. Talk to an IT consulting services provider to prevent this from happening at your company.
Protecting Employees from Socially Engineered Attacks with Security Awareness Training
Since social engineering is a predominantly ‘human attack’, the solution also lies in security awareness training. It teaches employees to recognize manipulation, be mindful of security threats, and adhere to security best practices. During COVID-19, remote training sessions can be extremely helpful for employees. Regular training by an IT consulting services team teaches them to:
- Take their time to understand the situation
- Consider the source of the request
- Follow security/verification protocol
- Not rely solely on technology to keep them safe
IT Support in Oakville
Our team provides modern and relevant IT professional services that help businesses keep their employees safe. Especially during lockdowns, our IT support in Oakville has helped people prepare for new security challenges. Speak to a NUMENTIS representative to find out how our IT professional services team can better prepare your staff against socially engineered attacks.