Social engineering attacks are cybersecurity incidents that specifically target people instead of hardware or software. Rather than attempting to use brute force to bypass a network’s existing cybersecurity defenses, cybercriminals deploying social engineering strategies attempt to prey on unsuspecting employees—at every level of an organization—to steal log-in credentials, access otherwise off-limits areas, and hack valuable files.
These kinds of attacks can take many forms, but all appeal to specific human weaknesses in order to work. They can take place online, such as over email, or in the physical world, such as at a building’s security checkpoint. Some social engineering strategies even involve both worlds. For instance, a bad actor might leave corrupted flash drives in a company parking lot or lying around on office desks in the hope that an authorized employee will pick them up and accidentally download malware to their computer.
Quid pro quo social engineering attacks rely on exchanging a good or service for information that a cybercriminal can use to access a private network. An employee might receive a call or email from a bad actor impersonating an external IT expert or internal tech support professional. They may press the employee to give them their log-in information so they can upload a security patch, improve their computer’s performance, or render some other kind of IT service. If they successfully convince an employee to provide those credentials, they can use that access to infect a computer with malware that will then spread throughout the network.
Other kinds of social engineering attacks abound. Baiting attacks attempt to appeal to an employee’s curiosity—for good or for ill. For instance, cybercriminals may attempt to bait workers into clicking on a link to download free music, or, as we mentioned earlier, they may leave flash drives around that appear to store sensitive company information. Clicking on any such link or plugging that kind of flash drive into a company computer can be enough to give hackers all the access they need. Tailgating is another method of social engineering that involves unauthorized personnel following employees into areas that would otherwise be off-limits. They may appeal to employees’ goodwill by claiming to have forgotten their access card, only to use that physical access to get onto the organization’s network.
While these types of social engineering attacks might not be top of mind for many organizations, they are becoming increasingly common—and increasingly successful. A recent report found that 83% of all companies were the victims of phishing attacks in 2018. What’s more, according to CyberEdge, the number of successful social engineering attacks continues to grow as the years go by. In 2014, 63% of social engineering attacks accomplished their goals. That figure rose to 71% in 2015, jumped to 76% in 2016, and hit 79% in 2017.
Is phishing a type of social engineering attack?
While quid pro quo, baiting, and tailgating have become prevalent in recent years, phishing might be the best-known—and the most effective—type of social engineering attack. Quid pro quo and baiting attacks attempt to fool employees into providing network access by offering a service that workers think they need or by appealing to their curiosity, and tailgating takes advantage of real-world trust; phishing, by contrast, relies on creating a false sense of urgency.
Phishing, which is the most relevant kind of social engineering attack today, primarily targets regular employees outside of the executive suite. Workers might receive an email, an instant message, or be directed to a particular website that has been carefully constructed to look like it’s connected to a trustworthy source or reputable organization. Phishing has become increasingly sophisticated and hard to detect. Emails might include properly formatted hyperlinks, instant messages might appear to be coming from trusted personnel within an organization, and websites might have the appropriate branding and user interface.
However, what these forms of phishing all share is the urgency they try to create in the recipient. Phishing messages often appear to come from banks, government agencies, or a particular department within an organization. These attacks essentially threaten employees with some kind of blowback—an account being locked, activity being reported, funds being frozen—in order to get the recipient to immediately act without slowing down to use proper judgment.
If employees take the time to look more closely, however, they will be able to notice discrepancies that indicate common phishing techniques, as well as tip-offs that someone might be attempting to steal sensitive information. For example, hovering over an email hyperlink may reveal a destination different from the one the link text suggests. Similarly, demands to immediately verify log-in credentials—credentials that the supposed organization would have no reason to request—are a telltale sign that employees might be the target of a phishing attempt.
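As an added example (not part of the original article), the “hover over the link” check from the paragraph above, automated as a defender-side scan of an HTML email body: it flags any anchor whose visible text names one domain while the href points at another. The sample message and its domain names are constructed, and the two-label domain approximation is a simplification rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches a hostname (optionally preceded by a scheme) inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":              # start reading a new anchor
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_mismatched_links(html_body):
    """Return (visible text, href) pairs whose displayed host and real target differ."""
    parser = AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        shown = HOST_RE.search(text)
        if not target or not shown:
            continue  # plain-word link text ("Help centre"): nothing to compare
        if registered_domain(shown.group(1)) != registered_domain(target):
            suspicious.append((text, href))
    return suspicious

# Constructed sample message: an urgency lure plus one deceptive and one honest link.
SAMPLE_EMAIL = """<p>Your account will be locked in 24 hours.</p>
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>"""
```

Running `find_mismatched_links(SAMPLE_EMAIL)` returns only the first anchor, whose text advertises examplebank.com while the href leads to example.net; the honest “Help centre” link produces no finding.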
What are harpooning social engineering attacks?
Phishing inherently casts a wide net. All it takes is one employee to fall for this kind of social engineering attack for cybercriminals to get the access they need. However, a similar type of social engineering—known as harpooning or whaling—takes a different approach. Rather than mass emails with the hope that at least one employee might fall for it, harpooning specifically targets executives—and does so with pinpoint precision.
The method of delivery with harpooning is typically the same as with phishing. An upper-level management professional might receive what appears to be a particularly important work-related email. Bad actors will have taken the time to make the message seem like it’s coming from a legitimate entity, either within the organization or from a trusted third party. While phishing emails might run the gamut, from work-related materials to claims that employees have won a grand prize, harpooning scams attempt to draw on executives’ concern for top-tier problems.
For instance, a harpooning attack might take a particular executive’s department into consideration and claim to be sharing highly sensitive materials relevant to their role. By doing so, these types of social engineering attacks aim to create the same sense of urgency in upper-level management as they do with regular employees—with the shared goal of getting people to click before they take the time to carefully investigate messages for any inconsistencies.
How can organizations protect themselves against social engineering attacks?
If organizations haven’t invested in staff security awareness training or cybersecurity tools specifically geared toward preventing successful social engineering attacks, it’s critical that they do. Defending against spear-phishing is an increasingly common priority for organizations of varying sizes and diverse industries. For an MSP, ensuring that security measures are put in place is critical to help keep customers protected from the full range of tactics that cybercriminals will deploy.
To that end, MSPs should be able to provide their customers with the kind of social engineering attack prevention they need to maintain a safe IT environment. With the right email threat intelligence software—such as Mail Assure from SolarWinds—MSPs can monitor partner networks specifically for social engineering attacks, helping deliver anti-malware prevention and security against cybercriminals to those that need it most.