The term Social Engineering was coined by Dutch industrialist J.C. Van Marken in the year 1894. He believed specialists were needed to attend to human challenges in addition to technical ones. However, the term has taken on a very different meaning in the last few decades. When the term Social Engineering Attacks is brought up, it usually refers to the art of hacking an individual in order to get access to confidential data or information.
This art/crime has been glamourized by Hollywood with the release of the movie Catch Me If You Can. Leonardo DiCaprio skillfully portrays the con artist Frank Abagnale, who pulled off many grand Social Engineering attacks in his lifetime.
Although it might not be as easy as the movie makes it look, if pulled off correctly it can be one of the most successful ways of hacking an organization. The reason is that this method attacks the weakest link in the security system of an organization: humans.
It is important for businesses to educate their employees against such Social Engineering attacks if they want to safeguard their interests. And to do that, people need to understand what Social Engineering is exactly and how such attacks are executed. Although they can be carried out in a variety of ways, let us look at the basic path that is followed.
Researching the target: Before starting the exploit, the hacker needs to understand the victim. It is important for them to know every aspect of their target’s life, because they need the victim to trust them or have confidence in them, which they can later use against the victim. And in the 21st century, the digital footprint left behind by an employee can be very helpful.
Establishing contact with the target: After the hacker has intimate knowledge of the target, it is time to initiate the attack. They initiate contact with the target and use the information they have gathered in order to establish their credentials. The person initiating the contact is sometimes also known as The Confidence Man or The Con Man.
Launching the attack: After grooming the target and gaining their trust, it is time to exploit them. The hacker will try to persuade the target in order to glean the required information from them. Upon successfully getting the credentials they need, hackers can then use this information to attack the organization.
Such attacks have a high success rate because the security system thinks it has granted access to a verified individual of the organization, when in fact it has been breached.
Also, one of the major issues with Social Engineering is that it can be quite a while before someone notices that they have been attacked, as it can be difficult to pinpoint whether the system has been breached. A business can suffer extreme losses if the attack is carried out over a long period of time.
Usually, government organizations or multi-national conglomerates are targeted, as the yield from these can be extremely high in terms of data obtained. A few years back, a 15-year-old was able to successfully get access to the personal email of John Brennan, the director of the FBI at that time.
By social engineering a Verizon employee, he was able to extract personal details on John Brennan, which he then used to get access to his email. Thankfully, this hack was discovered quickly, before it could have had any major repercussions.
Now that we know the implications of such attacks, it is important for us to know how to safeguard ourselves against them. Hackers can use various methods, popular ones being Baiting, Whaling, Quid Pro Quo, Phishing, Tailgating, etc. Whatever the method, as an employee you can follow some basic guidelines to ensure that you have maximum protection.
You should never open emails or links sent to you by unknown or suspicious sources. The credentials you use for your work should never be used outside of your professional life. If a person approaches you claiming to be someone who might be of use to you, it's always a good idea to verify their credentials instead of just trusting them blindly.
Never use software or applications that have been pirated, as there’s a high chance they might contain malware. If you have doubts about a particular piece of software behaving weirdly, contact your IT department instead of interacting with it or attempting to fix it. The IT department should also monitor traffic on the network in order to spot anomalies. Employees should undergo training on controlling their Personally Identifiable Information (PII) online.
An individual study conducted by IBM found that the average cost of a data breach for a company is $3.86M. And that’s just the financial damage; the setback due to reputational damage might just tank the company. Therefore, it’s important for companies to invest in their employees’ digital security.
Workshops or sessions led by experts in such fields should be held on a regular basis in order to keep employees updated on the various tactics used by hackers. Drills should be conducted in order to keep employees on their toes. A good internal security team is a must in order to mitigate the damage if the company is ever attacked.
Society will always have some malicious elements whose sole aim is to disrupt the peaceful proceedings. It is up to us to keep them in check and protect ourselves from their malicious intentions. Falling prey to Social Engineering attacks not only affects the organization but might also affect the personal lives of those involved.
Company policies should be adhered to, as they help reduce the probability of being attacked. People in pivotal roles should pass stringent checks in order to ensure that they are capable of carrying out their duties without posing a threat to the organization. Phishing-link simulations should be carried out so that employees are able to identify such malicious links and take appropriate action against them.
We hope that we were able to provide some insights into Social Engineering attacks. Using this knowledge, you can now take appropriate steps to help shield yourself from such exploits.