Social engineering is the act of manipulating and taking advantage of the weakest link in any organisation’s IT security defences: people.
This is sometimes known as “people hacking” and involves maliciously exploiting the trusting nature of human beings to trick people into performing actions or divulging confidential information such as passwords and PINs.
The person or group behind the act will commonly use social pressure, deception or threats to influence a person into doing something against their interests.
Social engineering is not hacking. Hacking involves the use of computer technologies to gain unauthorised access to systems and networks. Students sometimes use the term ‘hacking’ when, in fact, they have shared their password.
Here are some examples of social engineering:
- “Support personnel” claiming that they need to install a patch or new version of software on a user’s computer talk the user into downloading the software, and obtain remote control of the system.
- “Vendors” claiming to need to update the organisation’s accounting package or phone system ask for the administrator password, and obtain full access.
- Phishing emails sent to gather the user IDs and passwords of unsuspecting recipients. These attacks can be generic or more targeted — the latter are known as spear-phishing attacks. The criminals then use those passwords to install malware, gain access to the network, capture intellectual property, and more.
The theory behind social engineering is that humans have a natural tendency to trust others, which makes it easier to trick someone into divulging personal information than it is to hack an account.
Why is social engineering an issue?
Social engineering can be used to steal credentials, violate people’s privacy and to obtain ‘high-value’ information, such as intimate images or trade secrets. This type of cyber-threat can be subtle and may appear as a simple request to help a friend. Spotting social engineering attempts can be challenging.
Five steps to protect yourself against social engineering
You can decrease your chances of falling victim to social engineering by taking these precautions:
- Set strong passwords and PINs for all devices and accounts
- Use two-factor authentication to secure all online accounts
- Never give out passwords, PINs or other confidential information to anyone
- Treat unsolicited emails with scepticism
- Review account activity on social media and other apps regularly
Lastly, in the event that you or your organisation falls victim to a social engineering scheme, it’s essential to have backed up your data. A reliable backup and recovery solution will allow business continuity and minimise the cost and risk associated with an attack.