Present-day con artists know exactly where the weakest link in any organization they intend to break into lies. It is not the firewalls, the strong encryption or the latest intrusion detection system. It is the human factor: the cognitive biases that social engineering schemes manipulate for malicious ends.
Kevin Mitnick, America's most wanted computer criminal in the mid-1990s and later a well-known white hat hacker, once said:
The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network.
Time goes by, but the statement is as relevant as ever. The ultimate objectives of these frauds are corporate data theft and the harvesting of private credentials, and there are quite a few social engineering techniques whose effectiveness is, unfortunately, beyond dispute.
Take phishing, one of the most prevalent methods. It is based on bogus emails that appear to come from a legitimate source. Recipients are asked to click a link that leads to a spoofed web page branded to look like a trustworthy site, where they are told to enter highly confidential information such as banking credentials or passwords. The term "spear phishing" denotes a more targeted variant in which the attacker profiles the victim before the attack, so that the message references real colleagues, projects or suppliers. The telephone counterpart of this scam, "vishing" (voice phishing), uses fake interactive voice response (IVR) menus or live callers impersonating a bank or IT support in order to wheedle private data out of unsuspecting people. The technique known as "quid pro quo" ("something for something" in Latin) is another phone-based trick: someone posing as, say, a technician offers help with a problem and, in return, persuades the victim to hand over login information.
Infected attachments in enticing, legitimate-looking emails are a widespread instrument for distributing malicious software at scale. Such messages are often sent from compromised email accounts of company employees for greater credibility, so the sender address itself is no guarantee. The attachment is typically an executable disguised with an innocuous name or icon, or an Office document that asks the user to enable macros; once the user opens it, the payload for a backdoor or Trojan horse is executed behind the scenes.
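The two email tricks described above, lookalike links and disguised attachments, can be caught mechanically. The following triage script is an added example, not code from the original article: it builds a constructed sample message that imitates a phishing email (spoofed sender display name, a link whose visible text says examplebank.com while the href goes to examp1ebank.com, a "PDF" that is really a Windows executable, and an invoice with a double extension), then checks each indicator. The trusted-domain list, the edit-distance threshold and the sample message are all assumptions chosen for illustration.

```python
"""Triage a raw e-mail for the phishing indicators described above.

Added example, not from the original article. The sample message, the
trusted-domain list and the thresholds are assumptions for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "example.com"}   # assumed: the org's real domains
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
MAGIC = {b"MZ": "Windows executable", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html):
    findings = []
    parser = _LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        target = _registrable(urlparse(href).hostname or "")
        # Indicator 1: the visible text names one domain, the href points elsewhere.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and _registrable(shown.group(0)) != target:
            findings.append(f"link text '{text}' but href goes to {target}")
        # Indicator 2: the target is within two edits of a trusted domain.
        for trusted in TRUSTED_DOMAINS:
            if target != trusted and _edit_distance(target, trusted) <= 2:
                findings.append(f"{target} looks like {trusted}")
    return findings


def check_attachments(msg):
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in DANGEROUS_EXTENSIONS:           # catches invoice.pdf.exe as well
            findings.append(f"{name}: executable or macro-enabled attachment")
        if ext == ".pdf" and not data.startswith(b"%PDF"):
            kind = next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")
            findings.append(f"{name}: claims PDF but content is {kind}")
    return findings


def triage(raw):
    """Parse raw RFC 5322 bytes and return the findings per category."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"links": check_links(html), "attachments": check_attachments(msg)}


def build_sample():
    """Constructed phishing message for the demo; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@examplebank.com>"     # display name lends credibility
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Action required: confirm your credentials"
    msg.set_content("Please confirm your login at examplebank.com")
    msg.add_alternative(
        '<p>Please visit <a href="https://examp1ebank.com/login">examplebank.com</a>'
        " to confirm.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00fake-exe", maintype="application", subtype="pdf",
                       filename="Statement.pdf")           # MIME type lies, bytes do not
    msg.add_attachment(b"MZ\x90\x00fake-exe", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for category, items in triage(build_sample()).items():
        print(category, *items, sep="\n  ")
```

Two design choices are worth noting. The attachment check trusts neither the declared MIME type nor the extension alone: the first bytes of the payload decide what the file really is. The link check compares registrable domains rather than full hostnames, because attackers routinely hide a lookalike behind a convincing subdomain such as login.examplebank.com.evil-host.example.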
Most of these schemes are carried out remotely. There are social engineering methods, though, that involve physical interaction with the victim. The most frequently encountered ones are shoulder surfing (watching over someone's shoulder as they type a PIN or password), tailgating (following an authorized employee through an access-controlled door) and baiting (leaving an infected USB stick where a curious employee will find it and plug it in).
Social engineering can also serve prevention, as in penetration tests where an expert is hired to check how cautious the employees really are. The results help an organization prioritize security tasks and adjust its policies accordingly. Meanwhile, the main countermeasure against social engineering fraud remains keeping security awareness within the company consistently high.