Social Engineering 

Social engineering attacks include phishing, spear-phishing, CEO fraud and the ransomware infections that frequently follow from them. Learn about the attack methods cyber criminals use and how you can manage this ongoing problem and mitigate the risk.

What is Social Engineering?

Social engineering is the art of manipulating, influencing or deceiving you into handing an attacker control over your computer systems. The attacker might use the phone, email, snail mail or direct contact to gain illegitimate access. Phishing, spear phishing and CEO fraud are all examples.

Social Engineer

So, who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern European cyber crime group trying to penetrate your network and steal cash from your online bank account. Or it could be a Chinese hacker trying to get into your organisation's network for corporate espionage.

Ask Me Anything with Kevin Mitnick on Social Engineering

KnowBe4's Chief Hacking Officer, Kevin Mitnick, sat down with our team for an exclusive interview where we could ask him anything. We thought you’d like to hear his answers, too. Ever wonder what he thinks about social engineering and pen testing, how he got into the business, why he works with KnowBe4? Find out now, it's 7 minutes well spent!

Top 10 Techniques Used by Social Engineers

Phishing
Spear-Phishing
Pretexting
Diversion Theft
Baiting
Rogue
Quid Pro Quo
Honeytrap
Tailgating
Water-Holing

Phishing

Attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, using bulk email crafted to slip past spam filters. Emails claiming to be from popular social websites, banks, auction sites or IT administrators are commonly used to lure the unsuspecting public. It is a form of criminally fraudulent social engineering. See also Spear-Phishing.

Spear-Phishing

A small, focused, targeted attack via email on a particular person or organisation, with the goal of penetrating their defences. A spear phishing attack is carried out after research on the target and has a specific, personalised component designed to make the target do something against their own interest.

Pretexting

An invented scenario used to engage a potential victim and increase the chance that the victim will bite. It is a false pretext, usually built on some real knowledge of the victim (e.g. date of birth, National Insurance number), used to extract even more information or access.

This was the method used in the 2020 Twitter breach, in which attackers phoned Twitter employees while posing as internal IT staff and talked them into handing over credentials.

Diversion Theft

A 'con' exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.

Baiting

Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labelled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.

Rogue

Also called rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is malware that deceives or misleads users into paying for the fake or simulated removal of malware. It has become a serious threat in desktop computing, and there are literally dozens of such programs in circulation.

Quid Pro Quo

Latin for 'something for something'; in this case a benefit offered to the victim in exchange for information or access. A good example is attackers pretending to be IT support: they call everyone they can find at a company claiming to have a quick fix that "just needs you to disable your AV". Anyone who falls for it ends up with malware such as ransomware installed on their machine.

Honeytrap

A trick that lures the target (classically a man) into interacting with a fictitious attractive woman online. It comes from old espionage tactics in which a real woman was used.

Tailgating

A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorised user to open and pass through a secure entry and then follows right behind.

Water-Holing

This technique takes advantage of websites people regularly visit and trust. The attacker gathers information about a targeted group of individuals to find out which websites those are, then probes them for vulnerabilities and plants malicious code on one of them. Over time, one or more members of the targeted group get infected, and the attacker gains access to the secure system.

Did you know that 77% of successful social engineering attacks started with a phishing email?

How many of your users will take the bait and reply to a spoofed email?

Did you know that 60% of spoofed email attacks do not include a malicious link or attachment? In those cases there is no URL for a gateway to block; the sender details and the message itself are the only things the recipient can judge. KnowBe4's Phishing Reply Test makes it easy to check whether key users in your organisation will reply to a highly targeted social engineering attack before the bad guys try it.
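Because a link-free CEO-fraud message gives a URL filter nothing to act on, the useful signals are in the headers and the wording: a trusted display name on an external address, a Reply-To that points somewhere else, a cousin domain that looks like yours, and pressure language. The following checker is an added example written for this page, not KnowBe4's code or the Phishing Reply Test; the protected domain example.com, the executive name "Jane Doe", the homoglyph table and both sample messages are constructed assumptions.

```python
"""Flag the spoofing indicators of a link-free CEO-fraud email.

Added example for this page (not KnowBe4's code). Hypothetical assumptions:
the protected organisation owns example.com, 'Jane Doe' is an executive whose
name an impersonator would borrow, and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"      # assumed protected domain
EXECUTIVES = {"jane doe"}       # assumed high-value display names (lower case)
# Pressure phrases typical of payment-fraud pretexts (assumed, not exhaustive).
URGENCY = re.compile(r"\b(urgent|wire|payment|gift card|don'?t call|confidential)\b", re.I)


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower()


def is_internal(domain):
    """True for our own domain and its subdomains."""
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def normalize(domain):
    """Undo common look-alike substitutions so cousin domains compare equal."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def looks_like_ours(domain):
    """True for external domains built to resemble OUR_DOMAIN (e.g. examp1e.com)."""
    if not domain or is_internal(domain):
        return False
    our_label = OUR_DOMAIN.split(".")[0]
    norm = normalize(domain)
    return norm == OUR_DOMAIN or our_label in norm.split(".")[0]


def assess(raw_message):
    """Return the list of spoofing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # An executive's name on a non-internal address is the classic BEC tell.
    if display.strip().lower() in EXECUTIVES and not is_internal(from_domain):
        findings.append("display-name-impersonation")
    # Cousin / homoglyph domain registered to pass a quick glance.
    if looks_like_ours(from_domain):
        findings.append("lookalike-domain")
    # Replies silently redirected to a mailbox the attacker controls.
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != from_domain:
        findings.append("reply-to-mismatch")
    # No link or attachment, so the body text itself carries the pressure.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body or ""):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: bob@example.com
Subject: Quick favour

Are you at your desk? I need an urgent supplier payment processed today.
Don't call, I'm in a meeting.
"""

LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Board pack

Attached is the draft board pack for review.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, assess(sample) or ["clean"])
```

None of these checks is conclusive on its own (a contractor may legitimately use a personal Reply-To), which is why the function returns the full list rather than a verdict: a mail gateway rule or SOC triage can then require two or more indicators before quarantining or tagging the message for the recipient.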

10 Ways To Make Your Organisation A Hard Target

    1. With any ransomware infection, wipe the infected machine completely ("nuke it from orbit") and re-image it from bare metal; do not try to clean it in place.
    2. Deploy a Secure Email Gateway and a Web Gateway that cover URL filtering, and make sure they are tuned correctly.
    3. Patch your endpoints religiously, OS and third-party applications alike.
    4. Give your endpoints and web gateway next-gen, frequently updated (every few hours or faster) security layers, but don't rely on them alone.
    5. Identify users who handle sensitive information and enforce multi-factor authentication for them on absolutely everything, business and personal.
    6. Regularly review your internal security policies and procedures, specifically those governing financial transactions, to prevent CEO fraud. Have a two-tier payment authorisation process, with the second approver confirming any change of payee details by a separate channel (a known phone number, not a reply to the request).
    7. Check your firewall configuration and make sure no criminal traffic can get out to C&C (Command & Control) servers: default-deny outbound connections from workstations, force web traffic through the proxy, and review the logs for what still gets through.
    8. Use new-school security awareness training, which includes frequent social engineering tests over multiple channels, not just email.
    9. Keep weapons-grade backups in place, offline or otherwise immutable, and test restores regularly.
    10. Work on your security budget so that it is increasingly based on measurable risk reduction, and eliminate overspending on point solutions aimed at one threat or another.
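Point 7 is only verifiable if you look at what the firewall actually lets out. The script below is an added example for this page, not KnowBe4's code: it reads accepted outbound connections and reports two things an analyst would check for C&C egress, workstations that reach the internet directly instead of through the proxy, and flows that repeat at a near-constant interval (beaconing). The address plan (workstations in 10.0.0.0/8, proxy at 10.0.0.5), the CSV-style log format and the log lines are all constructed assumptions.

```python
"""Audit outbound firewall records for C&C-style egress.

Added example for this page (not KnowBe4's code). Hypothetical assumptions:
internal hosts live in 10.0.0.0/8, the only sanctioned web egress is the
proxy at 10.0.0.5, and each log line is 'ts,src,dst,dport,action' with an
epoch-seconds timestamp. The sample log is constructed, not real traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")     # assumed internal range
PROXY = ip_address("10.0.0.5")          # assumed sole permitted web egress


def parse(log_text):
    """Turn the constructed log format into (ts, src, dst, dport, action) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split(",")
        rows.append((int(ts), ip_address(src), ip_address(dst), int(dport), action))
    return rows


def audit(log_text, min_hits=4, max_jitter=0.1):
    """Return {'proxy_bypass': [...], 'beacons': [...]} for accepted flows.

    proxy_bypass: internal non-proxy hosts talking straight to external IPs,
                  i.e. the firewall allowed what the policy says it should not.
    beacons:      same src/dst/port seen at least min_hits times with interval
                  jitter (std dev / mean) at or below max_jitter, the cadence a
                  C&C implant keeps while waiting for tasking.
    """
    bypass = set()
    by_flow = defaultdict(list)
    for ts, src, dst, dport, action in parse(log_text):
        if action != "accept":          # denied flows mean the rule works
            continue
        if src in INTERNAL and src != PROXY and dst not in INTERNAL:
            bypass.add(f"{src}->{dst}:{dport}")
        by_flow[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append(f"{src}->{dst}:{dport} every ~{avg:.0f}s x{len(stamps)}")
    return {"proxy_bypass": sorted(bypass), "beacons": sorted(beacons)}


# Constructed sample log: one workstation checks in to 203.0.113.7 every 60 s
# directly, the proxy does legitimate browsing, and one direct attempt is denied.
SAMPLE_LOG = """\
# ts,src,dst,dport,action
1700000000,10.0.1.20,10.0.0.5,3128,accept
1700000015,10.0.0.5,198.51.100.10,443,accept
1700000060,10.0.1.20,203.0.113.7,443,accept
1700000120,10.0.1.20,203.0.113.7,443,accept
1700000180,10.0.1.20,203.0.113.7,443,accept
1700000240,10.0.1.20,203.0.113.7,443,accept
1700000300,10.0.1.20,203.0.113.7,443,accept
1700000400,10.0.0.5,198.51.100.11,443,accept
1700000500,10.0.1.21,192.0.2.9,443,deny
1700000510,10.0.1.22,10.0.0.5,3128,accept
"""

if __name__ == "__main__":
    for kind, flows in audit(SAMPLE_LOG).items():
        print(kind, flows or ["none"])
```

Real implants add random sleep jitter, so raise max_jitter (0.2 to 0.3) and lengthen the observation window when running this over production logs, and treat any proxy_bypass entry as a firewall rule to fix rather than just an alert.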