Social engineering is a simple yet very effective form of industrial espionage. The attackers steal important company data or exploit human error to introduce malware into a system.
Social engineering often begins with research on a target person and their company. The attackers gather information on the employee they wish to target by scouring social media such as Facebook, Twitter, Xing or LinkedIn for publicly available information. At the same time, they gather information from the company website and online directories. Sometimes the attackers will even contact the company directly by email or telephone to gather information, for example by masquerading as a head-hunter, an interested journalist or a prospective customer. The attackers ultimately use the collected background information about internal structures, employees and supervisors to build a convincing deception.
Attacks over the phone, via email or in person on site
Often the attackers will collect information over the telephone. They might impersonate an internal IT administrator and report an alleged security breach that must be fixed immediately. Rhetorical skill and the confidence-building background information collected earlier help the attacker achieve his or her goal. The overwhelmed victim is likely to give up personal data such as passwords and thus inadvertently enable an attack on the internal systems.
Sometimes attackers will go as far as to infiltrate a company or bribe existing employees. Attackers may watch their victims as they enter passwords or eavesdrop on internal conversations. In other cases, the attackers compromise employees' email accounts and use them to send messages asking other employees for personal information. Phishing also counts as a social engineering attack, since its end goal is to steal personal data through deceptive emails or malicious links.
How to protect yourself and your company
The examples above show why social engineering attacks are among the most successful methods of infiltrating a system: the attackers target human weaknesses and seek to manipulate their victims. These 7 tips help you better protect yourself and your company against such attacks:
1. Regularly educate your employees about the risks and ways of social engineering attacks.
2. Do not publish personal information on social media.
3. Enforce the use of a password manager in your company.
4. Never enter your password in the presence of a third party.
5. Ask your manager for confirmation before you pass on personal information.
6. Familiarise yourself with your company's internal security procedures.
7. Do not discuss internal company information in public.