Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. In order to do so, social engineering relies upon a set of tactics that exploit psychological weaknesses and blind spots in order to convince victims to give social engineers what they want.
That’s what can be so dangerous about social engineering—criminals can use psychological blind spots to have employees willingly give unauthorized parties access, information or property. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor, or even an on-site visit from a “fire inspector” who demands access to the company’s server room. Other social engineering examples could include urgently asking for your help, asking you to donate to a charitable fundraiser, notifying you that you are a “winner,” or posing as a boss or coworker.
Social engineers leverage the following psychological weaknesses in order to get what they want:
- Fear – Social engineers exploit the general dislike for conflict and confrontation by exuding confidence when they ask for information or physical access that they have no right to. When social engineers display confidence, most people prefer to comply with requests rather than challenge them.
- Getting a deal – By relying upon the greed of their victims, these criminals have often been known to use gifts or giveaways to get victims to let down their guard. Sometimes, the giveaway itself is used to disguise a piece of malicious code that the unsuspecting victim then downloads onto his or her computer.
- Sympathy – Social engineers may also use their charisma and humor to gain sympathy with an individual or group. By establishing rapport, victims are too distracted to realize that they’re being scammed.
- Need for closure – Social engineers exploit the well-documented psychological need for closure by ensuring they have an answer to any challenge or question likely to come their way. In most cases, any answer, even if it’s blatantly untrue, offers people psychological closure, giving them the sense that they’ve done their due diligence.
Social Engineering Statistics
- 98% of cyber-attacks rely on social engineering.
- Forbes estimated $6 trillion in damages as a result of cyber-attacks by 2021.
- Half of all cyber-attacks are targeted at small businesses.
- 43% of IT professionals said they have been targeted by social engineering schemes in the last year.
- New employees are the most susceptible to socially engineered attacks, with 60% of recent hires being cited as high risk.
Preventing Social Engineering Attacks
Given that 95% of data breaches are due to human error, it’s no surprise that employee education is essential to minimizing the risk of social engineering. Even the best security systems and control measures will fail if employees willingly allow unauthorized use of their workstations or email their system credentials to a criminal. In order to make your organization’s educational efforts stick, consider employing the following strategies:
- Interactive Training – Consider specific social engineering training that encourages questions and incorporates interactive examples that relate directly to your employees’ work activities.
- Processes & Procedures – Use a consistent set of standards and controls to limit or eliminate the amount of sensitive information that is made available to employees, customers or the general public.
- Password Security & Management – Ensure that employees’ user credentials and passwords are stored in a secure manner. Set parameters for password creation and expiration.
- Test – Conduct regular tests to gauge the efficacy of training and procedures.