23. Social Engineering
Social engineering is an important part of any security awareness training program because bad actors know that it works.
For cyber attackers, social engineering is an inexpensive method with potentially high payoff. Over time, it can extract significant insider knowledge about an organization or individual.
One of the most important messages in a security awareness program is the real and powerful threat of social engineering. Employees must become familiar with its types so they can recognize and resist these attacks.
Most social engineering techniques are not new. Many have been taught as basic fieldcraft for espionage agencies and are part of investigative techniques used by real and fictional police detectives.
Common Tactics
- Phone phishing or vishing: using rogue IVR (interactive voice response) systems to imitate a legitimate institution and trick victims into giving information such as account numbers, access codes, PINs, security answers, contact information, and addresses.
- Quid pro quo: asking for a password or login credentials in exchange for compensation, such as a free gift, payment, or access to an online game or service.
- Pretexting: impersonating an authority figure or trusted person to gain access to login information, computers, or other information.
- Tailgating: following an authorized user into a restricted area or system, or using a simple request to gain access and possibly install malicious software.
Key Point
Social engineering works because it plays on human tendencies. Education, training, and awareness are the best ways to defend against it because they show that every person in the organization plays a role in information security.