Protecting your organisation from social engineering attacks
When most people think of hackers, their minds immediately turn to the hoodie-sporting loner, firing off high-tech exploits to bring multinationals to their knees. But often, the simplest and most effective tool in any hacker's arsenal is social engineering. Verizon's annual Data Breach Investigations Report concluded that 85% of data breaches involved a human element.
In today’s blog, we will discuss the concept of social engineering, how it can harm your organisation, and how you can best spot social engineering attacks to protect your organisation.
What is social engineering?
Social engineering, as the name suggests, is the process of attacking an organisation by manipulating its people. There are a number of commonly used techniques within social engineering, including:
- Phishing is the act of enticing someone to perform some kind of action or divulge confidential information through a message: an email, a text message or an instant message. This is far and away the most common type of social engineering attack.
- Vishing has the same objective as phishing, but the medium is different; vishing is carried out via voice - a phone call, a voicemail, a video call, etc. Through these mediums, the attacker attempts to psychologically manipulate the victim into divulging sensitive information or performing some malicious action.
- Spear phishing is a more targeted approach to phishing, usually aimed at a small number of high-value individuals.
Spotting Social Engineering
There are a number of steps one can take to help tackle social engineering attacks.
Call to action
Attackers will often include some element of urgency in order to get the user to comply with their requests. Common examples include threatening the user with legal action, requesting an important document, or providing a receipt or delivery docket for something the user has not purchased. While these are common in non-malicious emails and phone calls too, users should be wary of emails that appear overly pushy or eager to get them to click on a link or send personal data.
Speaking of links, one of the easiest ways to identify a phishing email is to determine whether the link the user has been sent is genuine. This can be done by hovering the mouse over the link without clicking it; the real destination of the URL is then displayed, usually in the bottom left corner of the browser or mail client window. There are some immediate red flags to watch out for:
- Misspellings of common URLs - goodle, faceboook, anazon.co.uk
- URL shorteners - Bitly, TinyURL, etc. These will shorten long web addresses into something more digestible - for example, malicioussite.com can become www.bit.ly/free-stuff
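The hover check above can be automated on the defender's side, for example in a mail-filtering rule or a phishing-report triage script. The following is an added example (not code from the original post or from Secora) that applies the three checks the text describes to a hyperlink: does the destination use a URL shortener, does the destination domain look like a misspelling of a domain the organisation expects, and does the visible link text claim a different site than the actual destination. The list of expected domains and the shortener list are constructed assumptions; the registrable-domain extraction is a deliberately simple stand-in for a full public-suffix list.

```python
import difflib
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed list of domains the organisation expects to see in legitimate mail.
KNOWN_DOMAINS = ["google.com", "facebook.com", "amazon.co.uk", "microsoft.com"]

# Constructed list of common URL-shortener hosts (assumption: extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Second-level labels that commonly sit under a two-letter country code (e.g. .co.uk).
TWO_LEVEL_SUFFIXES = {"co", "com", "org", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: drop 'www.' and keep the last two
    labels, or three when the host ends in a two-level suffix such as .co.uk.
    Assumption: a full public-suffix list is not available offline."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in TWO_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(domain: str, known: List[str] = KNOWN_DOMAINS,
                 threshold: float = 0.8) -> Optional[str]:
    """Return the known domain that this one nearly (but not exactly) matches.
    difflib's similarity ratio catches single-character swaps and doubled letters
    such as goodle.com, faceboook.com and anazon.co.uk."""
    if domain in known:
        return None
    best = difflib.get_close_matches(domain, known, n=1, cutoff=threshold)
    return best[0] if best else None


def assess_link(href: str, link_text: str = "") -> List[str]:
    """Return the red flags raised by one hyperlink (empty list means none)."""
    flags = []
    href_host = urlparse(href).hostname or ""
    domain = registrable_domain(href_host)

    if domain in SHORTENER_HOSTS:
        flags.append(f"url shortener: {domain}")

    target = lookalike_of(domain)
    if target:
        flags.append(f"lookalike domain: {domain} resembles {target}")

    # The hover check from the text: the visible text names one host but the
    # link actually resolves to another. Only applied when the text itself
    # looks like a hostname or URL (no spaces, at least one interior dot).
    text = link_text.strip()
    if re.fullmatch(r"\S+\.\S+", text):
        text_url = text if "://" in text else "http://" + text
        text_host = urlparse(text_url).hostname or ""
        if text_host and registrable_domain(text_host) != domain:
            flags.append(f"display text {text_host} does not match destination {href_host}")
    return flags


if __name__ == "__main__":
    # Constructed sample links as they might be extracted from a reported email.
    samples = [
        ("https://www.amazon.co.uk/orders", "Your orders"),
        ("https://www.bit.ly/free-stuff", "Claim your prize"),
        ("https://login.anazon.co.uk/verify", "www.amazon.co.uk"),
    ]
    for href, text in samples:
        print(href, "->", assess_link(href, text) or "no flags")
```

A link that raises no flags is not proof of safety; the script only surfaces the red flags the text lists, so a hit should route the message to a human reviewer rather than be treated as a verdict.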
Suspicious Attachments
Attackers will often send out emails containing files that execute malicious code when they are downloaded and opened. These will commonly take the form of business documents, invoices, delivery notices and more. We recommend that users are extremely wary when opening files from unknown sources.
How can we help?
One of the best ways to teach your staff is through experience. Here at Secora we offer tailored simulated phishing exercises to determine how effectively your organisation can identify incoming phishing attacks. If you're interested in this, or in any of our other bespoke cyber security assessments, contact us to find out more.