Social engineering is the use of deception to exploit human nature, our
habits and our trust to gain information or access information systems.
Threat actors attempt to drive the desired behaviour through pressure, including fear of missing out, intimidation, coercion, urgency or a tempting opportunity, or even by befriending the user.
Information sought by threat actors for fraudulent purposes can include:
Confidential information, such as passwords and login credentials
Personal information, such as bank information
How is it successful?
Social engineering attacks are successful because they exploit human nature
while skirting typical cyber security defences.
These attacks are particularly insidious because they are stealthy and are
often well established before becoming apparent.
Threat actors do their homework. They target people who are less likely to
check before taking the requested action. In other words, they target people
who are easier to manipulate.
Are you an easy target? If you receive an email from a leader in your
organization asking you to complete a task quickly, would you take the time
to scan the message for signs of a social engineering attack? And would you
feel comfortable following up to confirm the authenticity of the request
before taking any other action?
The threat actor is looking to collect enough information to infiltrate an
organization's network or your financial accounts.
To be successful, the cyber threat actor merely needs to get the individual
to do what is requested of them. Unfortunately, because these attacks rely
on our curiosity, insecurity or trust to gain access, they tend to be very
successful.
Social engineering tactics
Knowing how threat actors can use you to gain access to information and
systems is critical.
Tactics and techniques used in social engineering attacks include:
Pre-texting – Crafting a scenario, or pretext, to increase the likelihood that the target will engage in the desired behaviour.
Phishing – Simulating a legitimate email communication that lures individuals into providing information, with email as the attack vector.
Smishing – A form of phishing, with SMS/text messaging as the attack vector.
Vishing – A form of phishing, using voice phone calls as the attack vector.
Spear-phishing or targeted phishing – Specifically targeting a useful or high-value individual with a phishing attack.
Water holing – Gathering information about regularly visited websites and finding vulnerabilities within these websites that can be used to launch malware against individuals who visit, thereby providing a pathway into organizational systems.
Baiting – Using media storage devices that contain malware that can infect the systems of users, such as leaving malicious USB thumb drives near the target organization’s office.
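The page asks whether you would take the time to scan a message for signs of a social engineering attack. The following is an added example, not part of the original page, showing what such a scan looks like when written down as detection logic: it inspects an email for the pretexting and phishing cues described above (a display name that impersonates a known leader from an outside address, a Reply-To that diverts replies elsewhere, urgency language, a request for credentials or a payment, and links whose host only imitates the organisation's domain). The organisation domain `example.org`, the leader directory `KNOWN_LEADERS`, the cue word lists and both sample messages are constructed assumptions for this demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisational context (constructed for this example).
ORG_DOMAIN = "example.org"
ORG_LABEL = ORG_DOMAIN.split(".")[0]          # "example", used to spot lookalike hosts
KNOWN_LEADERS = {"dana reyes": "dana.reyes@example.org"}

# Cue phrases (constructed); a real deployment would tune these per organisation.
URGENCY_CUES = ("immediately", "urgent", "within the hour", "right away", "before end of day")
CREDENTIAL_CUES = ("password", "login", "verify your account", "bank details",
                   "gift card", "wire transfer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    # Collect plain-text parts; a single-part message returns its payload directly.
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyse_message(raw: str) -> dict:
    """Return {'findings': {code: detail}, 'score': n, 'suspicious': bool}."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    text = f"{subject} {body}".lower()
    findings = {}

    # 1. Display name matches a known leader but the address is not theirs.
    name_key = display_name.strip().lower()
    if name_key in KNOWN_LEADERS and from_addr.lower() != KNOWN_LEADERS[name_key]:
        findings["display-name-impersonation"] = f"'{display_name}' sent from {from_addr}"

    # 2. Replies are routed to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings["reply-to-mismatch"] = f"Reply-To {reply_addr} vs From {from_addr}"

    # 3. Pressure language (urgency, deadlines).
    hits = [c for c in URGENCY_CUES if c in text]
    if hits:
        findings["urgency-language"] = ", ".join(hits)

    # 4. Asks for credentials, banking details or a payment.
    hits = [c for c in CREDENTIAL_CUES if c in text]
    if hits:
        findings["credential-or-payment-request"] = ", ".join(hits)

    # 5. Links whose host imitates the organisation without belonging to it.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN):
            continue
        if ORG_LABEL in host or re.fullmatch(r"\d+(\.\d+){3}", host):
            findings["lookalike-link"] = host
            break

    return {"findings": findings, "score": len(findings), "suspicious": len(findings) >= 2}


# Constructed sample: a pretexting email impersonating a leader.
PHISHING_SAMPLE = """\
From: Dana Reyes <dana.reyes@mail-example-org.com>
Reply-To: accounts@payments-desk.net
To: staff@example.org
Subject: Urgent: wire transfer needed before end of day

Dana here. Process the wire transfer immediately, I am in meetings all day.
Confirm your login at https://example-org.secure-login.net/verify
"""

# Constructed sample: an ordinary internal message.
BENIGN_SAMPLE = """\
From: Dana Reyes <dana.reyes@example.org>
To: staff@example.org
Subject: Agenda for Thursday's planning meeting

Hi all, the agenda is on the intranet: https://intranet.example.org/agenda
Thanks, Dana
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyse_message(sample)
        print(label, result["score"], "suspicious" if result["suspicious"] else "ok")
        for code, detail in result["findings"].items():
            print("  -", code, ":", detail)
```

The heuristics are deliberately simple and err on the side of flagging; the point is that each of the cues the page lists is something a reader, or a mail filter, can check mechanically before acting, and that a message scoring on two or more of them is worth confirming through a separate channel.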