Organizations face cyber threats from threat actors including cyber criminals, hacktivists and nation-state agents. While all organizations should have strong defences that help prevent cyber attacks, threat actors have tactics, techniques and procedures designed to evade these defences. A primary method of attack uses social engineering.
What is social engineering?
Social engineering is the use of deception to exploit human nature, our habits and our trust in order to gain information or access to information systems. Threat actors attempt to drive desired behaviour through fear (including fear of missing out), intimidation, coercion, urgency, opportunity or even befriending the user.
Information sought by threat actors can include:
- Confidential information, such as passwords and login credentials
- Personal information, such as bank information
Social engineering attacks are successful because they exploit human nature while skirting typical cyber security defences.
These attacks are particularly insidious because they are stealthy and are often well established before becoming apparent.
Threat actors do their homework. They target people who are less likely to check before taking the requested action. In other words, they target people who are easier to manipulate.
Are you an easy target? If you receive an email from a leader in your organization asking you to complete a task quickly, would you take the time to scan the message for signs of a social engineering attack? And would you feel comfortable following up to confirm the authenticity of the request before taking any other action?
The threat actor is looking to collect enough information to infiltrate an organization's network or your financial accounts.
To be successful, the cyber threat actor merely needs to get the individual to do what is requested of them. Unfortunately, because these attacks rely on our curiosity, insecurity or trust to gain access, they tend to be very successful.
Knowing how threat actors can use you to gain access to information and systems is critical.
Tactics and techniques used in social engineering attacks include:
- Pretexting - Crafting a scenario, or pretext, to increase the likelihood that the target will engage in the desired behaviour
- Phishing - Simulating a legitimate email communication that lures individuals into providing information, with email as the attack vector
- Smishing - A form of phishing, with SMS/text messaging as the attack vector
- Vishing - A form of phishing, using voice phone calls as the attack vector
- Spear-phishing or targeted phishing - Specifically targeting a useful or high-value individual with a phishing attack
- Water-holing - Gathering information about regularly visited websites and finding vulnerabilities within these websites that can be used to launch malware against individuals who visit, thereby providing a pathway into organizational systems
- Baiting - Using media storage devices that contain malware to infect systems, such as leaving malicious USB thumb drives near the target organization’s office