Social engineering is a manipulation technique used to trick someone into transmitting sensitive data themselves.
This information can be personal or even confidential information allowing access to an organization’s computer network. Social engineering attacks, such as phishing, are important vectors of cybercrime.
This technique is dangerous because cybercriminals exploit employees’ natural instinct to help. Today, they are also using new methods that target the vulnerabilities of hybrid working. These tactics bypass the different layers of security and are very effective in reaching employees.
Understanding this type of attack
It is important to understand how this practice works in order to be able to spot it and protect employees and the company. The purpose of social engineering is to deceive victims so that they communicate confidential information voluntarily and in complete confidence. For example, criminals use social networks such as LinkedIn to identify targets and leverage all accessible personal user information to craft compelling phishing emails. Identity theft is also a popular practice among cybercriminals. They take advantage of the anonymity that accompanies hybrid work arrangements to steal people’s identities: posing as an employee of the company’s IT department works particularly well, because within a company, employees do not necessarily know all the members of the support teams.
Finally, malicious actors also target personal devices used in a professional setting. The rise of hybrid working has blurred the boundaries between work and private life, and employees are now using work devices for personal reasons and personal devices for work. Attackers take advantage of less secure personal computers or phones to infiltrate the business.
Spot social engineering
Being able to spot social engineering is key to combating this phenomenon. Among the different techniques, the request for login information (email and password) is very popular. The user may receive a message from a seemingly reliable source asking for login information, even though there is no reason for a third party to request an employee’s login credentials.
Requests to verify personal information are among the practices favored by malicious actors, and they are often accompanied by the promise of winning a prize or money. The technique consists of imitating the email address and the look and feel of a legitimate company to send fraudulent requests.
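The warning signs described above (a request for login information, a prize or money promise, an imitated sender address) can be checked mechanically on inbound mail. The following is an added example, not part of the original article: the trusted domain, the keyword lists and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's real mail domain (constructed placeholder).
TRUSTED_DOMAINS = {"example.com"}
CREDENTIAL_RE = re.compile(r"\b(password|login|credentials|sign[- ]?in)\b", re.I)
LURE_RE = re.compile(r"\b(prize|winner|won|reward|gift card|lottery)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def indicators(raw_message):
    """Return the set of social engineering indicators found in one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    found = set()
    if domain not in TRUSTED_DOMAINS:
        # Sender domain is one or two edits away from a trusted one.
        if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            found.add("lookalike-domain")
        # Display name uses the trusted brand but the address is external.
        if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            found.add("display-name-mismatch")
    if CREDENTIAL_RE.search(body):
        found.add("credential-request")
    if LURE_RE.search(body):
        found.add("prize-lure")
    return found

# Constructed sample messages for illustration only.
SAMPLES = {
    "spoofed": "From: Example IT Support <helpdesk@examp1e.com>\nSubject: Check\n\n"
               "Please reply with your email and password to keep your account.\n",
    "lure": "From: Rewards <promo@prizes.test>\nSubject: Congratulations\n\n"
            "Verify your personal information to claim your prize.\n",
    "benign": "From: Alice <alice@example.com>\nSubject: Minutes\n\n"
              "Notes from today's meeting are attached.\n",
}
```

A non-empty result is a reason to quarantine the message or send it for review, not proof of fraud; keyword matching of this kind produces false positives on legitimate mail.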
Stop social engineering attacks
Forrester recommends layered defenses to prevent social engineering strategies such as phishing, as most of these attacks are very effective at bypassing layers of cyber protection. It is therefore advisable to combine endpoint protection, DNS protection and email security. Security awareness training for employees is also essential to combat social engineering because it makes employees the best bulwark against threats.