
Securing your small business - 6 steps to prevent Social Engineering attacks

Cybercrime has been all over the news in the last few years. However, do you ever stop and ask yourself just how big cybercrime is? The answer might surprise you. Read this blog and find out more about how to prepare and protect your small business from criminals lurking online.

Cybercrime is now the world’s third-largest economy, coming in behind the United States and China. The only thing more terrifying than its size is the speed at which the popularity of this crime is growing.

What is social engineering

Social engineering is a form of cyber and physical security attack used to manipulate business personnel to gain access to confidential information or restricted areas. That includes customer data and general company intelligence. A basic example of social engineering is an employee being sent an email by someone posing as a trustworthy figure to request information. Attacks like that are well disguised, which means most people are not aware that they could be giving access and information to people with malicious intent.

Why SMEs should care about it

It’s an outdated assumption that SMEs are less attractive targets for social engineers because they have a smaller scope than large corporations. In fact, SMEs are becoming more attractive because the lack of social engineering awareness makes them easier to get to. Larger corporations integrate awareness into their training programs, which means awareness is far higher and there are controlling measures put in place. Technology advancements have also widened the scale at which SMEs operate, which means a lot of their business is now conducted online – including payments. That makes them the gate to sensitive online customer data that social engineers can leverage for malicious purposes.

6 common social engineering techniques that affect SMEs

1. Phishing

In phishing attacks, SME owners or members of staff are sent emails that appear to be from a reputable source. In those emails, people are asked to provide confidential information, or to click on legitimate-looking links – for example, password reset links. Unaware recipients can easily fall for this and end up putting sensitive information into the wrong hands, or downloading malware onto their computer. That information can be used by social engineers to commit other attacks, and malware can be used to access and control computers.

Ransomware, a type of malware, is increasingly affecting SMEs. Once ransomware infiltrates your system, it spreads quickly, encrypting critical files and disrupting operations. The attackers then demand a ransom payment, often in cryptocurrency, to decrypt your data. The pressure to restore functionality combined with the fear of data loss can lead to businesses paying the ransom, despite experts advising against it. That makes it critical for staff to be trained not to open emails, links or files from unfamiliar sources. Having a policy in place to enable employees to report such incidents is also a good idea.

2. Pretexting

Pretexting attacks are like phishing attacks, but more targeted. The social engineer impersonates an authoritative, known or trusted figure and creates a fabricated scenario. The social engineer tries to build trust and come across as genuine as possible, which can convince the recipient to provide information. Once the social engineer has their desired information, they can commit further acts of fraud. An example of this would be to act like a client that requires urgent information about their account. Here again, awareness and training among staff can be very effective in preventing such targeting, supported by company policies and protocols. One protocol could be to always verify requests for information with management before hitting reply and giving sensitive information away.

3. Baiting

Baiting attacks feed off people’s curiosity or greed. Social engineers may send an email with an attachment or free download/sample link, which places malware on recipients’ computers if opened. Social engineers who have gained access to premises could also leave USB drives visible on an employee’s desk to pique curiosity. When the employee plugs in the USB drive to check its content, it places malware on their computer. Once the malware is installed on a computer, social engineers can use it to gain control and access information. Staff members should be alerted to signs of baiting, and never open any files or links without questioning where they’ve come from.

4. Tailgating

Tailgating is where social engineering becomes more palpable. It leverages people’s natural tendency to be courteous to others. A typical example of this is a social engineer walking close enough behind an employee to prompt him or her to hold the door to a restricted area open for the intruder. Politeness in this case can be costly. Once the social engineer gets past the door, they have gained access to potentially valuable assets or data. That makes it critical to train staff not to leave doors open for people behind them unless they are a known colleague.

5. Shoulder surfing

Shoulder surfing attacks involve social engineers physically watching over people in public spaces, where they could be doing some offsite work. For example, a social engineer may attempt to watch an employee logging into their company network on their laptop and try to capture their login details. Or the social engineer may try to view any confidential information the employee has up on their screen. The social engineer could then attempt to steal and access the laptop or use confidential information as intelligence for further attacks or resale. If working out of the office, employees should use a laptop privacy screen filter to limit what others can see, and never leave their laptops unlocked.

6. Eavesdropping

Eavesdropping attacks take place under similar circumstances to shoulder surfing, but social engineers listen as opposed to watch. An example of this is employees having an external lunch, or an offsite meeting in a public place. Social engineers are then presented with an opportunity to listen in on conversations, and potentially pick up confidential information. As with shoulder surfing, social engineers can use confidential information to their advantage for further attacks, such as pretexting or baiting. To prevent that, staff should be mindful of where they hold conversations and take business calls, and always do so in private areas.

6 pitfalls SMEs must avoid

Social engineering thrives on unsuspecting victims. Just a single lapse in judgment can open the door to a cyberattack. But by equipping your employees with knowledge and fostering a cautious culture, you can significantly reduce the risk of falling prey to these deceptive tactics. Here are 6 common pitfalls your SME should avoid:

  • The Curiosity Trap: Don't let enticing offers or suspicious attachments pique your curiosity. Treat unsolicited emails, files, and USB drives with suspicion, regardless of how tempting they seem. Always verify the sender and purpose before interacting.
  • The Urgency Trap: Don't be rushed into action. Feeling pressured to send information or grant access quickly is a classic social engineering tactic. Take your time, verify requests, and don't hesitate to consult trusted colleagues or IT support before responding.
  • The Authority Trap: Not everyone in a suit or claiming to be from IT is legitimate. Verify caller ID, email addresses, and company information before providing sensitive data or access. If unsure, contact the organization directly through official channels.
  • The Courtesy Trap: Holding the door open can be a polite gesture, but be mindful of who's following you. In unfamiliar situations, politely decline access or verify their purpose before allowing someone into restricted areas.
  • The Openness Trap: Public spaces are not for confidential conversations or exposed screens. Be mindful of your surroundings and keep sensitive information under wraps, both physically and digitally. Use privacy filters and avoid discussing confidential matters in open areas.
  • The Isolation Trap: Feeling isolated or stressed can make you more susceptible to manipulation. Encourage open communication within your team and create a safe space for employees to ask questions and report suspicious activity.

Remember, social engineering isn't just about technology. It preys on human behaviour. By staying aware of these common traps and fostering a culture of caution and communication, you can empower your employees to be the first line of defense against these deceptive attacks.
