Film and television have created misconceptions about what cybersecurity looks like in practice. Brute force attacks, DDoS, intrusions, and ransomware do exist, of course. However, one of the most prominent problems is social engineering: attacks that target people rather than systems.
We have developed a complete article on this topic. Our goal is for you to finish reading with a new perspective on how to identify and reduce these vulnerabilities in your company.
What are social engineering attacks?
Before looking at how these attacks work, it is important to understand the concept itself. In cybersecurity, social engineering is the name given to techniques that manipulate people into taking actions or revealing information they should not. Unlike other types of cyberattacks, this approach largely ignores software and code, and focuses instead on studying and exploiting the targets of the operation: individual users.
It is therefore much more an investigative and psychological technique than a technical one. The individuals behind these attacks look for human vulnerabilities, taking advantage of people's unfamiliarity with technology, of their trust, urgency, or curiosity, and of how little they realize about the ways their data and information are exposed.
Social engineering is often one step in a cybercrime that precedes a more direct attack, such as deploying ransomware inside a company's systems.
With social engineering, attackers can study employees by accessing their profiles on social networks, and thus deduce which of them appear less familiar with technology, what their roles are, and which of them hold access worth targeting.
Consider this. Who is more likely to open a suspicious email: the head of IT or an employee in a non-technical position? When well crafted, a simple email carrying a PDF titled “Financial Statement” can compromise the workstation of a staff member unfamiliar with cyberattacks, and from that foothold the attacker can move on to the rest of the accounting department.
This is why technological literacy is so important for companies: without investing in cybersecurity, a company is only as safe as its least experienced employee. Social engineering also goes beyond companies, and is used against individuals as well.
Generally, these criminals study their targets and learn everything they can about them from information available on the internet. With this information, attackers turn to blackmail and extortion, and even when bluffing they can trick their targets into handing over what they want.
What are the 7 main types of social engineering attacks?
Currently, seven methods are widely used in social engineering and are therefore among the main threats to information security. Below, we explain each technique in detail.
1. Vishing
Vishing is a variation of phishing, the familiar attack delivered by email. Vishing, on the other hand, takes place by voice, through telephone calls, often with a spoofed caller ID and the attacker posing as a bank, a supplier, or the company's own IT support. According to Interpol, it is one of the fastest growing forms of social engineering attack, and has already cost over 1 billion dollars in frauds, scams, and related schemes.
2. Spear Phishing
Unlike mass phishing, spear phishing is aimed at a specific person or organization and is tailored with information gathered about the target beforehand. Sent through emails and messages, it leads targets to fake pages that look like real ones, in order to collect credentials or deliver malware to their devices. In Brazil, there was a large wave of attacks of this kind that used fake websites imitating the Caixa Econômica bank interface, in an attempt to lure Emergency Aid beneficiaries.
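As an added illustration, not code from the original article, here is a small Python triage helper for the kind of lookalike sites described above. It extracts the host from a URL and flags the usual tricks: the real brand placed in a subdomain of an attacker-owned domain, a one- or two-character typosquat, an internationalized (punycode) host, or a raw IP address. The allow-list of legitimate domains, the suffix table, and the sample links are assumptions constructed for the example; a production tool would use the Public Suffix List rather than the short suffix table here.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list: the hosts a bank's customers should really be sent to.
# "caixa.gov.br" is included because the article cites the Caixa lookalike wave;
# "example-bank.com" is a constructed placeholder.
LEGITIMATE_DOMAINS = {"caixa.gov.br", "example-bank.com"}

# Small table of multi-label public suffixes so that "caixa.gov.br" is treated as
# one registrable domain. Assumption for the example; real tools use the
# Public Suffix List.
MULTI_LABEL_SUFFIXES = {"gov.br", "com.br", "org.br", "co.uk"}

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered (the attacker's
    domain, not the brand name they prepended to it)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as ca1xa.gov.br."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legitimate' or a short reason explaining why the link is suspect."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unparseable host"
    if IPV4.fullmatch(host):
        return "raw IP address host"
    # Punycode labels (xn--) or non-ASCII characters hide homoglyph attacks.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        return "idn/punycode host"
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Brand name present in the host, but the registered domain is someone else's,
    # e.g. caixa.gov.br.auxilio-login.com
    for legit in sorted(LEGITIMATE_DOMAINS):
        brand = legit.split(".")[0]
        if brand in host:
            return f"brand '{brand}' used outside registrable domain ({reg})"
    # Close misspelling of a legitimate registrable domain
    for legit in sorted(LEGITIMATE_DOMAINS):
        if levenshtein(reg, legit) <= 2:
            return f"typosquat of {legit} ({reg})"
    return "unknown domain"


if __name__ == "__main__":
    # Constructed sample links of the kind a lure email might contain
    for link in [
        "https://www.caixa.gov.br/auxilio",
        "https://caixa.gov.br.auxilio-login.com/entrar",
        "http://ca1xa.gov.br/login",
        "http://xn--caxa-8ta.gov.br/",
        "http://203.0.113.5/caixa",
    ]:
        print(f"{link:50} -> {classify_url(link)}")
```

The brand substring check is deliberately loose and will flag unrelated domains that happen to contain the brand name; treat the output as a triage signal for a mail gateway or a help desk, not as a verdict. The safest user-level habit remains never following links from unsolicited messages and typing the bank's address yourself.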
3. Pretexting
As the name suggests, this tactic is based on creating a false but plausible scenario, the pretext, to get the victim to hand over confidential information. The pretext is often something positive, such as a reward or a favor, though it can also be a request that merely seems routine. In Brazil, the tactic has been widely used in scams that falsely offer awards, prizes, and even inheritances from distant relatives.
4. Sextortion
Sextortion is nothing more than extortion based on the threat of leaking intimate images, which may or may not exist. The practice is growing rapidly in all countries, because it targets fragile points such as self-preservation, privacy, and social reputation.
The technique can even be used to put important company executives in a vulnerable position. Whether or not the attackers actually have such images, they extort the victims by demanding that some condition be met, relying on their targets' interest in keeping the material from being shared, at any cost.
5. Quid Pro Quo
Quid pro quo is an old expression meaning an exchange: give one thing to get another. In cybersecurity, it is the name of a technique in which the attacker pretends to offer something to the victim in exchange for something important to the scammer, such as confidential information. This represents a very high risk for companies.
Knowing which support service your company uses, the impostor contacts employees while imitating the communication style of the help desk, for example offering to fix a problem in exchange for a password. If successful, they may obtain passwords, PINs and other confidential information that give them access to the company's systems.
6. Tailgating
In traffic, tailgating is the practice of driving too close to the vehicle in front of you. In social engineering, it is something similar: the attacker takes advantage of the same proximity, following an authorized person through a controlled door to get into restricted physical areas of a company.
Imagine a building with RFID badge access control. Posing as a colleague, a contractor, or a delivery person with their hands full, the attacker gets into restricted areas by relying on the kindness of an employee who holds the door open for them. Therefore, it is critical to invest in good physical security practices, and to enforce them with your staff.
7. Dumpster Diving
The last tactic is known as dumpster diving. Although low-tech, the practice is highly efficient and dangerous, both for companies and for people. The technique consists of going through the paperwork and other material discarded by the target in search of confidential information.
This attack touches on a vulnerable point in data protection for the Brazilian population. Between fast food receipts, online shopping packages, and service invoices, are you aware of how many ways you expose your private information, such as your full name, address, and card numbers, on a daily basis? Realizing that you are unknowingly exposing yourself to potential attacks can be unsettling, but the good news is that the countermeasures are simple.
How can you protect yourself from these attacks?
Finally, it is important to highlight how to protect yourself from social engineering attacks. In our view, a preventive mindset is the best way to approach this problem. The first step is investing in cybersecurity, which includes both deploying the right software and training the team. As we have already highlighted in another article, education is the best way to protect your company's data.
In addition to investing in licensed software, modernizing your infrastructure with equipment sourced directly from manufacturers, and training your team with the best in technology education, it is also important to adopt some practical measures that are essential to minimize social engineering attacks:
- To avoid dumpster diving, shred documents before discarding them; blacking out information with a marker is not enough on its own, since the text can often still be read through the ink. For those who need to do this frequently, it is worth investing in a cross-cut paper shredder, which does the job in seconds.
- To avoid tailgating, it is important to institute a security policy in which access is never granted from one employee to another: one badge admits one person, every entry and exit is badged individually, and anyone unrecognized inside a restricted area is challenged or reported.
- To avoid quid pro quo, spear phishing, pretexting, and vishing, it is important to use good old skepticism. If you don't know the person approaching you and the contact is unsolicited, be suspicious, and verify the request through a channel you already trust, such as calling the help desk back on its published number rather than the number the caller gives you. In addition, it is also important to invest in the technological literacy of all employees, so that naivety does not let anyone fall for a scam.
- To prevent sextortion, it is important to secure access to your devices with passwords, PINs, fingerprints, and facial recognition. In addition, pay closer attention to the cameras around you, on notebooks, tablets, cell phones, and the like. Most of the time you are not using them, so there is no reason to leave them uncovered. And remember, as noted above, that attackers frequently do not have the images they claim to have.
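The tailgating policy above (one badge, one person) can be checked mechanically against the door logs that an RFID access-control system already produces. The following Python script is an added example, not from the original article or from any vendor's product; the CSV log format and the events in it are constructed for the example. It applies hard anti-passback logic: a badge that is already inside cannot badge in again until it has badged out, and a badge that exits without ever having entered marks someone who followed a colleague in without badging.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log in an assumed CSV form: timestamp,badge,door,direction.
SAMPLE_LOG = """\
# constructed sample: timestamp,badge,door,direction
2024-03-04T08:01:10,B1001,lobby,in
2024-03-04T08:01:12,B1002,lobby,in
2024-03-04T08:03:40,B1001,lobby,in
2024-03-04T12:15:00,B1003,lobby,out
2024-03-04T17:30:05,B1001,lobby,out
2024-03-04T17:31:00,B1002,lobby,out
"""


@dataclass
class BadgeEvent:
    ts: datetime
    badge: str
    door: str
    direction: str  # "in" or "out"


def parse_log(text: str) -> list[BadgeEvent]:
    """Parse the assumed CSV format, skipping comments, and sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door, direction = line.split(",")
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events, key=lambda e: e.ts)


def find_violations(events: list[BadgeEvent]) -> list[tuple[datetime, str, str]]:
    """Hard anti-passback check. Returns (timestamp, badge, reason) tuples."""
    inside: dict[str, datetime] = {}  # badge -> time of its last accepted entry
    violations = []
    for e in events:
        if e.direction == "in":
            if e.badge in inside:
                # Same badge entering twice with no exit in between: the card was
                # passed back to a second person, or a reader was bypassed.
                violations.append((e.ts, e.badge,
                    f"re-entry at {e.door} without exit "
                    f"(inside since {inside[e.badge].isoformat()})"))
            inside[e.badge] = e.ts
        elif e.direction == "out":
            if e.badge not in inside:
                # Leaving without ever badging in is the classic tailgating trace:
                # the holder followed someone through the door on the way in.
                violations.append((e.ts, e.badge, f"exit at {e.door} without prior entry"))
            else:
                del inside[e.badge]
        else:
            violations.append((e.ts, e.badge, f"unknown direction {e.direction!r}"))
    return violations


def audit(text: str) -> list[tuple[datetime, str, str]]:
    """Parse a log and return its anti-passback violations in time order."""
    return find_violations(parse_log(text))


if __name__ == "__main__":
    for ts, badge, reason in audit(SAMPLE_LOG):
        print(f"{ts.isoformat()} {badge}: {reason}")
```

Anti-passback logging only catches a tailgater who badges at some point (typically on the way out, when nobody is holding the door). Someone who never badges at all leaves no trace in this data, which is why the policy also needs turnstiles or door-held-open alarms at the perimeter and staff willing to challenge unfamiliar faces.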
Now that you know the main social engineering techniques and forms of attack, take the opportunity to invest in preventing these problems. To do so, visit our page and get in touch!
This article was originally published at: https://stefanini.com/pt-br/insights/artigos/tipos-de-ataques-de-engenharia-social