What is Social Engineering and Why You Should Care
June 11, 2018
“Social engineering” refers to different tactics used by perpetrators to trick, deceive, and manipulate people into giving out information for the purpose of gaining access to computer systems and sensitive company data.
Types of Social Engineering Attacks
Social engineering attacks are divided into two main categories:
- Targeted attacks, which involve sophisticated techniques and are aimed at specific organizations.
- Mass attacks, which use basic tactics and are typically aimed at a large number of individuals.
Common social engineering tactics include:
- Messages from “co-workers”: When a hacker gains access to a company’s user accounts, he or she can send messages to other employees, posing as a fellow employee. In general, these messages contain only a link or a document that needs to be downloaded. If you receive an email or message that looks suspicious, it’s better to double-check with the sender before accessing the link or downloading the document.
- Spear phishing attacks: A phishing attack occurs when a phisher sends emails or messages that appear to come from a legitimate organization, such as a bank or a company that you do business with. Most spear phishing emails and messages claim that there is some kind of problem and require employees to verify security information by clicking on a link or providing specific data, such as personal information, passwords, or access details. After obtaining the information, the hacker is able to access the company’s information system using a legitimate login.
- Vishing: Vishing is another type of social engineering attack. Cyber criminals call organizations and pretend to be representatives from other companies, auditors, or team members who have lost their passwords, then ask employees for login details to internal servers so they can access company accounts. Both phishing and vishing can give hackers the information they need to impersonate staff members, access confidential information, and even arrange fraudulent payments.
- Dumpster diving: This form of social engineering involves searching through a company’s trash for information that can be used to access its database. Unfortunately, many companies discard documents and electronic devices that contain sensitive information, which makes the search through their trash worthwhile.
- Tailgating: This is another common tactic social engineers use to physically get inside facilities. A real employee who assumes that a stranger is a co-worker who has forgotten his access card may let him into the facility without question.
For years, social engineering has been a successful way for perpetrators to get inside computer systems and organizations.
Minimizing the Risks
Here are a few tips on how you can reduce the risk of social engineering schemes.
- Inform your employees about the dangers of social engineering exploits. All of your employees should be aware that social engineering attacks are real and be familiar with the most common tactics.
- Develop a comprehensive security awareness program that addresses general phishing threats and targeted cyber attacks. As an example, require your staff to log out of their accounts whenever they’re away from their workstations.
- Instruct your employees never to open emails from suspicious sources, and to contact the real sender using the information you have on file rather than the information provided in the email.
- Make sure that your organization carries adequate cyber liability coverage and uses advanced firewall, antivirus, and intrusion detection software as well as complex login solutions, such as multi-factor authentication.
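As an added example (not part of the original article), the following Python script applies the advice above to incoming email: it compares the sender against a contact directory kept on file, flags a Reply-To address that points somewhere other than the sender's domain, and flags links whose visible address differs from where they actually lead. The contact directory, the sample messages and every domain in them are constructed for illustration and are not real addresses.

```python
# Added example, not from the original article: a defender-side triage check that
# applies the "verify against what you have on file" rule to incoming mail.
# The directory, sample messages and domains below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical contact directory "on file": display name -> the address we know for it.
DIRECTORY = {
    "Dana Reyes": "dana.reyes@example-corp.com",
    "First Example Bank": "alerts@examplebank.com",
}

# Matches <a href="...">visible text</a> in a simple HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Host part of an http(s) URL, lower-cased ('' if the text is not a URL)."""
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return the reasons a message should be verified out-of-band (empty = none found)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # 1. Display name we know, but a different address than the one on file.
    known = DIRECTORY.get(name)
    if known and known.lower() != addr.lower():
        reasons.append(f"display name '{name}' is on file as {known}, not {addr}")

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                       f"From domain {domain_of(addr)}")

    # 3. Link text shows one host while the href leads to another.
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown = host_of(text)
        if shown and shown != host_of(href):
            reasons.append(f"link shows {shown} but points to {host_of(href)}")
    return reasons


# Constructed sample messages.
SAMPLE_SPOOFED = (
    "From: Dana Reyes <dana.reyes@examp1e-corp.com>\n"
    "Subject: Invoice\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Please review <a href="http://examp1e-corp.com/doc">'
    "https://example-corp.com/doc</a></p>\n"
)
SAMPLE_LEGIT = (
    "From: Dana Reyes <dana.reyes@example-corp.com>\n"
    "Subject: Lunch\n"
    "\n"
    "See you at noon.\n"
)
SAMPLE_BANK = (
    "From: First Example Bank <alerts@examplebank.com>\n"
    "Reply-To: verify@examplebank-secure.example\n"
    "Subject: Action required\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Verify your account: <a href="http://examplebank-secure.example/login">'
    "Log in</a></p>\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT),
                          ("bank", SAMPLE_BANK)):
        found = triage(sample)
        print(f"{label}: {'verify out-of-band' if found else 'no flags'}")
        for r in found:
            print("  -", r)
```

A message that trips any of these checks is not proven malicious; the point is that it should be confirmed with the sender through contact details you already hold, exactly as the tip above recommends, rather than through anything contained in the message itself.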
Social engineering attacks can be more complex, dangerous, and harmful than a simple data breach. While user education is the best defense against these attacks, comprehensive cyber liability coverage is particularly critical for protection against social engineering-related claims.
Currently, cyber liability coverage isn’t automatically added to unendorsed general liability policies. In addition, cyber liability policies can be subject to sublimits and exclude certain risks. To make sure that your policy provides a reasonable level of protection, it’s best to contact our experienced insurance specialists, who will review your current policy and determine if you have adequate cyber liability coverage for specific threats.