What is Social Engineering and how to protect your business

Social engineering can take many different forms, with the aim of extracting valuable data from organisations to make unlawful financial gains.

A social engineering attack is often meticulously researched and planned out by the cyber criminal so that their scam targets the right person in the most effective way.

What is it?

It’s a technique used to trick someone into disclosing information or carrying out an action.

Social engineering covers a range of malicious cyber activities that are dependent on human error and instinct. Social engineers may psychologically manipulate you into:

  • Giving them access to sensitive or confidential information
  • Sending them confidential information
  • Infecting your computer with malware or ransomware
  • Opening links to sites that are infected

In many cases, hackers use social networking channels to research key employees of the businesses they’re targeting. This insight helps them to gain your trust, leaving you completely unsuspecting when the attack happens.

By humanising their approach, be it in person, by phone or by email, they trick you into doing something you’d normally question, for example because it goes against policy.

Types of social engineering techniques

Here are just a few of the many techniques used in social engineering:

Phishing

This is the most common form of social engineering, where a fake email, text message or website that appears genuine requests confidential information, e.g. passwords or bank details.

For example, an email address may:

  • Match your company’s format
  • Include a supplier’s details
  • Contain an official source like a bank or tax office

This leads you to open the email or link and act upon the request, which usually has a sense of urgency about it.

Find out more about how to protect your business from phishing scams.

Ransomware

This is a form of malware that’s used to infect your computer and prevent access until you pay a ransom – instilling fear and panic.

The attacker often uses phishing to send an email containing an infected attachment for you to open, or a link to an infected website that automatically downloads the malware to your computer.

Find out more about how to guard against Ransomware.

Pretexting

Similar to phishing, an example of pretexting is where the hacker sends an email posing as your colleague or a known person of authority, requesting confidential information.

This adds a layer of trust so you’re more likely to divulge the information requested or open an attachment.

Baiting

This relies on one or more targets taking the ‘bait’ that the cyber criminal has set up.

An example of this would be a USB stick loaded with malware that’s been left on your desk. When you plug it in, the malware is leaked into your computer network.

The device may be labelled as ‘confidential’ or something similar, to increase your curiosity.

Quid pro quo

Quid pro quo means ‘something for something’. An example is where you’re called by a hacker who’s posing as someone else, for example an IT specialist.

They may offer you free technical support or an IT assessment, in exchange for your login details – which then allows the hacker direct access to confidential data.

Hackers using this technique have probably introduced themselves and their services to you previously, so there’s a level of trust established before the attack happens.

Tailgating

This is where you allow someone to enter a restricted area, either by holding a door so they can follow immediately after you, or by lending them your security card.

You may have seen them around the building before and assumed they work there, or simply trust them or their cover story.

This then gives the hacker free rein to plant their bait or directly install malware into a laptop or computer system.

What businesses are at risk?

Small to medium businesses through to large enterprises are affected by social engineering.

An attack on a larger organisation may result in a bigger reward for the hacker but can be harder to pull off, requiring more time and planning.

Smaller companies can be seen as easy pickings because they often have a lower level of risk mitigation.

It also depends on the type of social engineering used. For example, hospitals and government institutions are at high risk of a ransomware attack because they are more likely to pay the scammer to release the files they require urgent access to. 

How can social engineering affect your business?

Falling victim to an attack could cost your business dearly. This can be in monetary terms, for example through business interruption losses, official fines and ransom payments, but it often extends beyond this.

For example, customer data that’s been hacked may be sold on or leaked, losing you existing and future business as a result of reputational damage.

If your data is held to ransom, as well as business operations being put on hold temporarily, there’s a chance you’ll lose sensitive information permanently.

Practical steps to prevent social engineering attacks

Here are some more practical ways to keep risks to a minimum:

  • Use anti-virus software, anti-ransomware tools and a firewall, and keep them up to date
  • Back up your files automatically
  • Track when sensitive files are downloaded
  • Make sure your spam filters are set to high
  • Use a password manager tool to avoid duplication of passwords
  • Don’t open emails or attachments from an unknown source
  • Don’t click on embedded links from an unknown source
  • Don’t download any unknown software

You may wish to arrange a security assessment with a specialist risk management company who can identify vulnerabilities and advise on how best to address them. Our cyber tools section explains more about how penetration testing can help.

The Government’s Cyber Security Breaches Survey 2019 highlights the importance of staff vigilance as a key factor in mitigating risk, as the majority of cyber attacks and breaches have come via employees.

Social engineering is directly linked to human error and emotion, so training your employees to question every communication before acting on it could be the biggest defence.

Find out how the Government Cyber Essentials training could help your business.

How can cyber insurance help?

Having a comprehensive cyber insurance policy in place can play a vital role in protecting your business.

However, not all policies include social engineering as standard. Some may offer it as an add-on and some may significantly cap the amount you can claim for, so check the exclusions and small print.

If your policy offers protection against social engineering and you fall victim to an attack, you’ll be able to make a claim.

This should compensate you for your losses up to the maximum value in your schedule, and you’ll receive support in dealing with the aftermath.

This often includes support from PR specialists who can help repair the reputational damage your business has suffered.

Social Engineering FAQs

Am I covered against social engineering on my cyber insurance policy?

Not necessarily. You may need to pay extra to add specific social engineering cover. You’ll need to check the policy wording document and exclusions.

Are large organisations more likely to be targeted than small ones?

No, this isn’t always the case. Small companies may not have as robust protection in place as larger companies, making them appear an easier target.

How is social engineering linked to human error?

Different techniques prey on different emotions and responses. For example, ransomware can instil fear and panic, baiting can rely on our curiosity, and tailgating takes advantage of our trusting natures.

The attacks have been ‘engineered’ to exploit our natural characteristics and instincts.

What’s the most common type of social engineering attack?

Phishing is the most common technique used, perhaps because emails can be targeted to one and all.

It’s also a communication tool we rely on heavily and not necessarily one we think of as a weapon, so it’s easy to be caught off guard.

How do I work out what vulnerabilities my business has?

If you don’t have an employee covering this role in-house, there are external companies that offer penetration testing.
