Not all cyberattacks require high-tech wizardry to pull off. Attack vectors requiring technical knowledge certainly do occur, but a good portion of cyberattacks begin with simple social engineering.<\/p>\n
The most common form of social engineering is phishing. However, it\u2019s not the only form. In this blog, we\u2019ll talk about phishing and several other forms of social engineering. But first, let\u2019s talk about what social engineering is and why it\u2019s so effective.<\/p>\n
Hacking involves breaking into a network or device by exploiting vulnerabilities in code, IT infrastructure, the network, or device communications. Social engineering, on the other hand, exploits vulnerabilities in human psychology.<\/p>\n
Humans are both wired and socialized to fall for some of these schemes. For example, one of the major social engineering techniques involves using authority to gain compliance. Most humans obey authority instinctively. That instinct gets reinforced throughout their lives by parents, teachers, police officers, and even doctors.<\/p>\n
However, scammers can \u201cborrow\u201d this authority to achieve the same type of compliance from people and trick them into giving up money or personal information. For example, a scammer might pose as a technical support professional from Apple, claim the target\u2019s computer was hacked, and ask them to install a \u201csecurity\u201d package that gives the attacker remote access to the machine. Tech support schemes like this one have been around for a while and don\u2019t require hacking skills. However, criminals can also pose as other types of authorities like health officials, IRS officials, or private investigators.<\/p>\n
While there are other vulnerabilities, we\u2019ll save covering those for another day. Instead, it\u2019s important to understand the different ways criminals launch their attacks.<\/p>\n
The most common social engineering attacks occur via email. Phishing schemes involve sending out bulk email attempting to lure recipients into giving up personal information. Spear-phishing involves a more targeted approach. Criminals perform reconnaissance against a high-value target like an executive, then craft extremely convincing emails based on the intelligence they\u2019ve gathered.<\/p>\n
Both attacks occur over email. However, social engineering attacks don\u2019t stop with the inbox. Here are a few other common attacks:<\/p>\n
Voice phishing, or vishing for short, refers to phone phishing. Vishing is an easy method for scammers to make money because it\u2019s easy to forge caller ID and use automated messages. In general, most people have become used to companies using automated voice messages, so scammers can take advantage of this. Plus, once someone answers, the scammer can get on the phone and guide the victim toward the desired outcome.<\/p>\n
A common example might include someone using an automated voice system and dialer to call people from a fake caller ID (which helps conceal the scammers) claiming the victim has been hacked. Once the recipient responds, a human can get on the line and try to get them to install or remote access tools, giving the scammer control over the victim\u2019s computer.<\/p>\n
As texting has become more common, criminals have shifted toward using SMS messages to phish people (this is called smishing). People may receive a message like, \u201cYour bank account has been compromised. Please click the link to unlock your account.\u201d Once that occurs, the victim goes to the site and enters their bank credentials, which scammers then use to steal funds.<\/p>\n
Smishing attacks aren\u2019t as widespread as email phishing, but they\u2019re becoming more common. In fact,\u00a0some reports<\/a>\u00a0claim 15% of enterprise users have received a smishing message. It\u2019s important to make customers aware of the dangers of clicking unsolicited links in their text messages.<\/p>\n Ultimately, if there\u2019s an easily usable communication method, criminals will find a way to weaponize it as a phishing tool. Social media is no exception. Creating false social media profiles can be an easy method of tricking people into giving up important information. A criminal may attempt to impersonate a friend by using their photos and name and ask for money via a link. Plus, people often have their guards down when using social media\u2014especially on mobile\u2014when compared to using work email.<\/p>\n Baiting plays on people\u2019s natural curiosity to get them to perform an action. Most commonly, this refers to someone leaving a piece of physical media like a USB drive lying around in plain view, assuming a passerby will then plug it into their computer to examine the contents. However, these USB drives often contain malware and start the process of compromising a system or a network.<\/p>\n Another social engineering attack that occurs outside of cyberspace, tailgating refers to the practice of trying to enter an unauthorized physical area. One common method involves a criminal trying to get into a company\u2019s building by asking an employee to hold the door for them and claiming they\u2019ve forgotten their badge or key. This preys on people\u2019s manners but can lead to employees letting malicious actors in just long enough for them to cause damage to the network.<\/p>\n Social engineering requires strengthening the human element of security. Odds are good you already offer some form of user security training to keep users from falling victim. If you do, make sure your training goes beyond covering email threats like spam, attachments, and phishing to ensure customers also know to be careful on other channels like text or social media. Additionally, make sure your training reminds people to avoid using unknown physical media like USBs, CDs, or DVDs and to think twice before letting someone in the building. Also, consider providing frequent refreshers so people stay vigilant.<\/p>\n Another important thing to remember is social engineering is typically only one piece of a larger attack. For this reason, having other layers of security in place can make a major difference in your customers\u2019 security postures. This means keeping up with patching, running frequent backups, and installing endpoint protection on devices.<\/p>\n SolarWinds\u00ae<\/sup>\u00a0RMM offers patch management, integrated backup, web protection, and email protection. You can also run advanced endpoint protection via SolarWinds\u00a0Endpoint Detection and Response (EDR)<\/a>, powered by SentinelOne, alongside SolarWinds RMM to discover and fight back against advanced threats at the endpoint level. Learn more about both SolarWinds EDR and\u00a0SolarWinds RMM today<\/a>.<\/p>\n Jay Pitzer is Senior Manager, Product Marketing at SolarWinds MSP<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Although email is one of the most used vectors of cyberattacks, we look at other ways cybercriminals get their fingers on your assets.<\/p>\n","protected":false},"author":52,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-6093","post","type-post","status-publish","format-standard","hentry","topic-security"],"acf":[],"yoast_head":"\nSOCIAL MEDIA PHISHING<\/h4>\n
BAITING<\/h4>\n
TAILGATING<\/h4>\n
PROTECTION AGAINST SOCIAL ENGINEERING<\/h4>\n