One of the main reasons a security awareness program needs to exist is to shed light on the common ways organizations get compromised. Amid a plethora of underground hacking techniques, the most common way social engineers prey on the ignorance of computer users at every level is through illusion and social manipulation.
Social engineering is a type of attack based on deceiving users or administrators at a target site. Attackers succeed in making fraudulent claims and transactions by presenting more than the required information to employees in an effort to sound credible. This can happen at a personal level, but it mostly happens in places of employment. Employees are an important part of organizational security, which is why attackers target employees at every level. Social engineering usually involves the following cues or techniques:
- It’s an urgent matter
- A forgotten password
- A computer virus or malware emergency
- Any form of intimidation from “higher level management”
- Name-dropping to give the appearance that the request is coming from authorized personnel
- Directly requesting passwords, serial numbers, brands, models, etc.
- Claims of affiliation through a subcontractor
- Claims of being a journalist or broadcaster
- Inappropriate greetings or seduction from a stranger
Example 1 – Fake IT support calls
A common form of social engineering is someone pretending to be an authorized user or administrator in an attempt to gain illicit access to protected data systems. This is usually done over the phone, but it can also be done in person.
The caller has enough information to sound credible, and they ask the user for information that allows the attacker to gain access to the desired system.
This is a very common example, and users should verify the identity of the person requesting information before any information is released.
Example 2 – Shoulder Surfing
Shoulder surfing is more of an insider form of social engineering. Usually, the person doing the shoulder surfing is an authorized user or employee, but this person stands over the shoulder of the target user to see the user's password or other sensitive data by watching keystrokes or reading clear text on the computer screen.
Users should take precautions to prevent shoulder surfing by positioning computers and desks in such a way that anyone attempting to shoulder surf stands out.
Awareness and Reporting
If anyone detects a social engineering attempt, or the identity of the requester CANNOT be promptly verified, the person MUST immediately contact his/her supervisor or direct manager. If the attempt is a personal social engineering attack, or the organization's security policy mandates it, the call, conversation, email, or online chat with the requester must be terminated immediately. Report the attack through proper channels and maintain awareness.
What are some ways you protect yourself against social engineering?
Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks at US-CERT