That firewall won’t be helpful if employees are tricked into clicking on a malicious link that arrived in their inbox from a seemingly legitimate source. Here’s what you need to know to protect your organization from social engineering.
Social engineering exploits human behaviour in order to pull off a scam. This could mean gaining access to a building by pretending to have left a security badge inside, or sending an email from a deceptively legitimate-looking source with a virus attached. These are the five main social engineering scams to watch out for.
Phishing
Phishing is the most common form of social engineering and usually arrives as spam email; however, it can also take the form of a chat message, web ad or website designed to impersonate an organization. The messages usually convey a sense of urgency, fear and manipulation, and include short links that redirect to unsafe downloads. For example, a hacker could pose as a company emailing an invoice. When the attachment is opened, a virus is unleashed onto the network.
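The traits just listed (urgency language, shortened links that hide their redirect target, a lure attachment) can be turned into a simple triage check. The following is an added example, not code from the original article: a small heuristic scorer run over two constructed sample messages. The phrase list, the shortener domains, the attachment types, the weights and the verdict thresholds are all assumptions chosen for illustration, and the Reply-To mismatch check is an extra indicator beyond those the article names.

```python
# Added example (not from the article): a heuristic scorer for the phishing traits
# described above -- urgency/fear language, shortened links that hide a redirect
# target, risky attachment types, plus a Reply-To domain that differs from the
# sender. Phrase lists, weights and thresholds are assumptions, not a standard.
import re
from urllib.parse import urlparse

URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours", "final notice",
    "account will be suspended", "verify your account",
)
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".lnk", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WEIGHTS = {"urgency": 1, "short_link": 2, "risky_attachment": 2, "reply_to_mismatch": 3}


def _domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def find_indicators(msg):
    """Return a list of (kind, detail) tuples found in one message dict."""
    found = []
    text = f"{msg['subject']}\n{msg['body']}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            found.append(("urgency", phrase))
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            found.append(("short_link", url))
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            found.append(("risky_attachment", name))
    reply_to = msg.get("reply_to") or msg["from"]
    if _domain(reply_to) != _domain(msg["from"]):
        found.append(("reply_to_mismatch", f"{msg['from']} -> {reply_to}"))
    return found


def analyze(msg):
    """Score a message and map the score to a verdict (thresholds are assumptions)."""
    indicators = find_indicators(msg)
    score = sum(WEIGHTS[kind] for kind, _ in indicators)
    if score >= 5:
        verdict = "likely phishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "low risk"
    return {"score": score, "verdict": verdict, "indicators": indicators}


# Constructed sample messages (not real mail); domains use reserved example names.
SAMPLE_MESSAGES = [
    {
        "from": "billing@acme-invoices.example",
        "reply_to": "collect@mail-relay.example",
        "subject": "URGENT: invoice overdue",
        "body": ("Your account will be suspended unless payment is received immediately. "
                 "Review the invoice here: https://bit.ly/3xAbCdE"),
        "attachments": ["Invoice_4471.zip"],
    },
    {
        "from": "hr@example.com",
        "reply_to": "hr@example.com",
        "subject": "Team lunch Friday",
        "body": "Please RSVP by Thursday. Menu: https://intranet.example.com/lunch",
        "attachments": ["agenda.pdf"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze(msg)
        print(f"{msg['subject']!r}: {result['verdict']} (score {result['score']})")
        for kind, detail in result["indicators"]:
            print(f"  - {kind}: {detail}")
```

Running the block prints a verdict per sample: the invoice lure scores 10 ("likely phishing") on three urgency phrases, a bit.ly link, a .zip attachment and a Reply-To domain that differs from the sender, while the internal lunch notice scores 0. In practice a scorer like this is only a first-pass filter for a mail gateway or a SOC triage queue; it is easy to evade, so it complements, rather than replaces, user reporting and sandboxing of attachments.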
Tailgating
Tailgating is when an unauthorized person follows an employee into a restricted area, either physically in a building or virtually through a website. In the physical case, the hacker asks an unsuspecting employee to hold a door open, claiming to have forgotten something inside. Tailgating can also happen digitally, when a hacker piggybacks on a remote-access connection or on malware already present on the computer.
Baiting
Baiting is when something is offered as a gift in exchange for confidential information. If the user takes the bait, a virus is downloaded onto the workstation and private information is collected. The bait could be an offer, such as a free Caribbean cruise or music downloads. It could also be a flash drive labelled “Annual Employee Performance Reviews” that is left in the open for an employee to discover. Plugging the flash drive into a computer downloads the malicious content.
Pretexting
Pretexting is the practice of presenting oneself as someone else in order to obtain private information. The individual can invent a whole new identity or impersonate someone in a particular job in order to obtain information. For example, the hacker could pose as the company’s CEO and ask an employee to fill out a form with confidential information.
Quid Pro Quo
Quid Pro Quo is a form of social engineering similar to baiting; however, the user never receives a free product or service. Confidential information is given up in response to a malicious request. For example, someone may call an employee, claim to be from the IT department, and ask for confidential login details.