Why choose a social engineering penetration test?
Most security professionals agree that human error is the biggest security risk to their business. It doesn’t matter how tightly bolted your front door is, if your gate keeper allows the parcel delivery person to walk straight into your office without confirming their identity, the security of your critical data is in jeopardy. When it comes to cyber resilience, it is not just about testing your security controls, you must also test the effectiveness of your physical security procedures. After all, one quarter of all cyber breaches are due to human error.
What are the top 5 methods of social engineering attacks?
The term ‘social engineering’ covers a broad range of attack methods. However, these are the top 5 attack methods you should be looking out for.
There are many different types of phishing attacks, these include:
- Spear phishing: In these email attacks, hackers pose as friends or colleagues. These bad actors invest a lot of time researching detailed information about their victim including name, age, position, language used on social media as well as likes and interests.
- Whaling: Whaling is very similar to spear phishing, but instead they target senior leaders within the company such as Director’s or CEO’s. These kinds of attacks can take months to effectively execute.
- Angler phishing: In these attacks, hackers masquerade as customer service teams. They target unhappy customers on social media (most commonly for banks) in an attempt to gain access to bank accounts.
- Vishing: This is a form of fraud conducted over the phone. Criminals use social engineering tactics to coax victims into revealing private financial information or passwords to corporate accounts. Hackers commonly pose as service desk engineers or accounts departments when targeting businesses.
- Smishing: This is similar to vishing, but instead uses SMS to fraud victims. There have been many Covid19 smishing scams during the lockdown period. The hacker sends a malicious link which infects your mobile device if clicked.
Tailgaiting is a method commonly used against large corporations where employees are unlikely to know every member of staff. This form of attack involves gaining access to an organisation’s physical office space. Attackers often ‘piggy-back’ behind employees by asking them to hold the door to a private building. Another tactic is to ask to borrow a device or for the password to the corporate WiFi.
This attack vector involves impersonating a person of trust such as an IT manager or an authoritative figure within the business. If conducted convincingly, pretexting can be an effective way to pressure staff into transferring funds or revealing information about security vulnerabilities. After establishing trust, the attacker proceeds to ask a series of questions to help to ‘prove their identity’ which is a way of manipulating the victim into revealing privileged data.
Baiting is the act of luring a victim to click on, download or install malicious ‘bait’. This digital bait manifests itself in many forms, it could offer enticing information such as a document detailing a financial bonus, or a memory stick which is labelled ‘Business turnover summary 2020’. Once downloaded onto the user’s device the hacker is able to access the private network, steal business critical data or monitor user activity.
Rogue Wifi access point:
Hackers or penetration testers install an ‘evil twin’ WiFi access point with a similar name to the corporate network. It is only a matter of time before an employee with poor internet access will connect to the malicious AP. Once a user connects, the hacker is provided with an entry point to the private network.
How to protect against social engineering attacks?
To protect your business against social engineering attacks, it is important to promote a culture which is built around strong Cyber Security protocols. Your employees need to be regularly trained to recognise key social engineering tactics. Although social engineering attacks are not always easy to spot, staff should be suspicious of psychological methods which provokes a state of fear or urgency. They also need to be cautious before opening email attachments, downloading software or clicking on links in emails.
Regular social engineering penetration tests are a good way to test the resiliency of security procedures. It is a chance to identify your security weaknesses and test the effectiveness of your employee training in a real-life scenario. Social engineering penetration tests can be conducted in the form of a simulated phishing attack, an onsite access assessment or a combination of both. As CREST certified penetration testers we are well placed to support your business with all penetration testing needs. Call us on 0121 663 0055 if you would like to talk to a CREST penetration testing expert about your requirements.