Social engineering manipulates people into revealing confidential information or compromising security through psychological tactics.
Cybercriminals meticulously gather information on their targets through websites, social media, public records, and through conversations or inquiries that help them build credibility. They might adopt the persona of a new employee, repair person, or researcher and present fabricated credentials to make that identity appear legitimate. This preparatory work lays the groundwork for a stealthy assault on a company's defenses. Social engineering attacks take various forms and can occur wherever human interaction happens. Review the common types listed below, followed by an example that combines social engineering with impersonation.
Here are some common forms of social engineering:
- Phishing Attacks: This involves sending fraudulent emails or messages that appear to be from legitimate sources, like banks or tech companies, to trick individuals into providing sensitive information such as passwords or credit card numbers.
- Pretexting: The attacker creates a fabricated scenario or pretends to be someone with a legitimate need for information. For example, they might pose as an IT support person to gain access to a company's network.
- Baiting: This technique involves offering something enticing to lure individuals into a trap. For instance, an attacker might leave a USB drive in a public place, hoping someone will plug it into their computer and unknowingly install malware.
- Tailgating: In this physical security breach, an attacker follows an authorized person into a restricted area, often by pretending to be someone who forgot their access card.
- Impersonation: This involves the attacker pretending to be someone else, such as a company executive or authority figure, to gain access to confidential information or systems.
Actions to Take:
- Verify Requests: Always confirm unusual requests through a trusted, separate channel.
- Stay Alert: Watch for unusual communication patterns or out-of-character requests.
- Report: If you suspect an impersonation attempt, take action immediately. Change your passwords, monitor your accounts, and report any suspicious activity to your financial institution, the police, the Federal Trade Commission (FTC), and the Internet Crime Complaint Center (IC3).
Social engineering exploits human psychology and trust, making it a potent tool for attackers. Training and awareness are crucial for defending against these kinds of attacks.
Here is an example of a sophisticated social engineering and impersonation attempt via WhatsApp.