Cybercriminals are always looking for a way to enter your organization. But what if they didn’t need technical knowledge to hack into your network? What if they just tricked you into letting them inside?

For example, a cybercriminal might pose as the president of your company and e-mail your employee a malicious link saying they need to update their account. An employee who may not have constant contact with this person could think it’s real, click on the link and end up divulging their credentials to the cybercriminal. The cybercriminal can then use these credentials to move around the network. They can also pose as the employee and spread more malware to others.

This scenario is an example of phishing, which is a form of social engineering.

Image: social engineering (Source: Cybersecurity Nexus)

What is Social Engineering?

Social engineering is a tactic cybercriminals use to enter your organization without hacking or breaking in. Instead, they use deception or manipulation to mislead employees into divulging confidential or private information.

Social engineering works because people tend to have an inherent trust in others. Anyone can fall victim to social engineering regardless of seniority. Knowing how social engineering works is a good way to recognize and prevent these attacks before they happen.

5 Common Social Engineering Tactics

Phishing: Phishing is the most common form of social engineering and the most effective. In fact, 43% of data breaches start with phishing. Phishing is usually spread via email, which is the most common method of communication within an organization. Cybercriminals send legitimate-looking emails in the hope that potential victims click on links and give up credentials.

Pretexting: Pretexting is the art of lying to obtain information and is the basis of all social engineering attacks. This usually involves a scam where the attacker impersonates an authority, gains the victim’s trust and then convinces the victim to divulge information. This method is used across all channels of communication, including over the phone, in person and by text message.

Baiting: Baiting is when cybercriminals entice potential victims with promises of free prizes or downloads for doing things like completing surveys or signing up for a website. This can also include free physical items, like giving out infected USB drives that spread malware when plugged into the victim’s computer.

Watering Hole: A watering hole attack is when hackers infect legitimate websites with malware by altering the site’s code or exploiting vulnerabilities. That way, when potential victims visit the website, they become exposed to a virus that could infect their computers. This is usually a targeted attack where cybercriminals find out what websites potential victims frequently visit and infect those sites.

Typosquatting: Typosquatting is a form of cybersquatting where hackers purchase URLs that people commonly mistype. That way, if a user accidentally types in the wrong web address, they are redirected to a malicious website instead. For example, a user types yahooo.ca instead of yahoo.ca. Similar to phishing, these websites can look legitimate, which can fool a person into using them.
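As an added example (not code from the original post), here is a small Python check a defender can run over a link before clicking it: the link’s domain is compared with an allowlist of trusted domains using edit distance, so a near miss such as yahooo.ca is flagged as a lookalike rather than treated as unknown. The trusted-domain list and the two-label domain extraction are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains this organization trusts (example values).
TRUSTED_DOMAINS = {"yahoo.ca", "example.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions, substitutions
    and adjacent transpositions, i.e. the operations behind common typos."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registered_domain(url: str) -> str:
    """Return the last two labels of the URL's host. Assumes a one-label public
    suffix such as .ca or .com (a simplification; real code would use a suffix list)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a link as 'trusted' (exact allowlist match), 'lookalike'
    (within max_distance edits of a trusted domain) or 'unknown'."""
    domain = registered_domain(url)
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    closest = min(trusted, key=lambda t: damerau_levenshtein(domain, t))
    distance = damerau_levenshtein(domain, closest)
    verdict = "lookalike" if distance <= max_distance else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": distance}


if __name__ == "__main__":
    for link in ("https://yahooo.ca/login", "http://www.yahoo.ca/mail", "yhaoo.ca"):
        print(link, "->", check_link(link))
```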

3 Ways You Can Protect Yourself

Cyber Security Awareness Training: Awareness is key to fighting off cybercriminals. Educate your employees on the dangers of social engineering. At Jolera, we have a 90-minute course that explains common cyber threats your employees face and how to avoid them.

Double Check Everything: Make sure you verify that the sender of an email you receive, or the recipient of an email you send, is legitimate. Also, don’t download any attachments from any emails unless you’re absolutely sure that they’re from a trusted source.

Limit Sharing: Be aware of the information you are releasing on the Internet and the consequences it can have. It’s easy for cybercriminals to take innocuous and innocent information and use it against you.