How Social Engineering Impacts Security

Posted on 12 September 2017

Social engineering scams – which involve manipulation, influence or deception in order to gain access to information or systems – are on the rise. A robust security strategy has never been more crucial to meet the challenge these sophisticated scammers pose.

We’re all aware that hackers will often take advantage of genuine security gaps in your network, which is why organisations employ so many different technologies and solutions to keep them out.

Regardless of the lengths they go to, layers of sophisticated computer security can be undone in seconds because one employee – whether because of trust, lack of awareness, or carelessness – reveals company information to someone with malicious intent. This is social engineering, and it can have a devastating impact on your organisation.

Employees could be tricked into anything, from allowing someone to physically follow them into your data centre, to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, including:

  • Personal Information – passwords, account numbers
  • Sensitive Company Information – phone lists, identity badges
  • Server Info – servers, networks, non-public URLs

Understanding the Techniques Behind Social Engineering

So, how do you defend against such tactics? Well, familiarising yourself with social engineering techniques is your first line of defence. So, what does a social engineer actually sound like? You might believe that social engineers would be easy to spot, but often enough, they sound like the people you run into at work every day. Below are a number of common scenarios that your staff could encounter:

  • On the phone: “This is Kevin from IT. We’ve been notified of a virus on your department’s machines.” This is one of the most common scams where a hacker poses as an IT help desk worker to glean sensitive info such as a password from an unsuspecting employee.
  • At the reception desk: “Hi, I’m the service tech from HP and I think Ellen is expecting me at 1pm.” This is why it’s so important that well-meaning staff members and other insiders need to be educated as to how and why they could be targeted and what to do if they suspect a potential threat.
  • At the building entrance – “Oh! Wait, could you please hold the door? I left my key/access card in my car.” People want to be helpful, and they often downplay the risks of engaging with someone they don’t know—and that can be a perilous mix.
  • Digital social engineering – the one we in the cybersecurity world are most familiar with. From email phishing scams, phony social media accounts, deepfake calls that imitate high ranking company officials, scareware, pharming, waterholing, and much more – there are many methods of attack that cyber criminals use to infiltrate your organisation. Being able to recognise them is your first line of defence, so head to this blog to find out more.

The focus on interactions and human emotion is where social engineering gets its name from, and it’s a vulnerability inherent in people that’s exploited. That’s what makes it so dangerous: no matter how many defences are in place, one person can let that fall away in just a moment.

You understand that social engineering is a threat now, but how do you defend against it?

Keep reading on our next blog about defending against social engineering, or get in touch with our team to ask about social engineering and your organisation.

A few people we've already done it for