Beware of the ‘ishing’


Social engineering is the use of deception to manipulate a victim into performing an action for fraudulent purposes. The bad actor gains the trust of the target and may want to acquire access to sensitive data or finances, infect devices with malware or steal credentials. There are various methods of social engineering, including physical access, business email compromise (BEC) and USB baiting. Some of the most popular, and most successful, types of attack are phishing, smishing, vishing and quishing.

What’s the difference?

  • Most people are familiar with the phishing attack. It involves an email that fraudulently attempts to obtain sensitive information from the victim. The deception relies on impersonating real, trusted senders, and the email may include links to fake websites intended to steal credentials and gain access to sensitive information.
  • Smishing is a form of phishing that uses text messaging (SMS). The attacker sends an SMS asking the target to confirm something or grant access, with a link that leads to a malicious website. Because the message may appear to come from a familiar phone number, the victim may fall into the trap.
  • Voice phishing is called vishing. In this form of attack the miscreant makes phone calls to trick the target into sharing sensitive information or performing specific actions. The attacker may pose as a trusted employee performing routine office tasks in order to gain trust, and may convey a sense of urgency or fear to make the victim act.
  • QR codes are used by cyber attackers to lead the user to a malicious website. This is quishing. The prey may then be directed to download software or apps, or to enter personal information.

All of these forms of social engineering are meant to trick people into granting unauthorized access to critical information. It is therefore important to protect people and assets by putting some basic security roadblocks in place.
  • Train people. Security awareness programs are essential to making people aware of the threats and of the potential consequences of falling victim. Emphasis on recognizing suspicious contacts or requests empowers the user.
  • Use email filtering to block suspicious emails.
  • Use multi-factor authentication (MFA).
  • Verify the identity of anyone requesting sensitive information in person.
  • Implement the principle of least privilege.
  • Create policies governing access to, and changes of, critical processes, assets and data.
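The email-filtering roadblock above can be illustrated in code. The following is an added example, not taken from the article or its listed resources: a minimal Python filter that flags two of the signals described earlier, a trusted display name paired with an untrusted sending domain, and links to lookalike domains. The trusted domain and name lists, the urgency wording and the sample message are all assumed values constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation allowlist (assumption for this example, not from the article).
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_NAMES = {"it helpdesk", "finance team"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_lookalike(host: str) -> bool:
    """True for a host resembling a trusted domain that is neither it nor a subdomain of it."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return False
    for d in TRUSTED_DOMAINS:
        base, stem = d.split(".")[0], host.split(".")[0]
        # e.g. examp1e.com (one character swapped) or example.com.evil.net (trusted name embedded)
        one_char_off = len(stem) == len(base) and sum(a != b for a, b in zip(stem, base)) == 1
        if base in host or one_char_off:
            return True
    return False

def score_message(raw: str) -> list[str]:
    """Return impersonation signals found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    # Trusted display name paired with an untrusted sending domain: classic sender impersonation.
    if name.strip().lower() in TRUSTED_NAMES and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' used with untrusted sender domain {sender_domain}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link to lookalike domain {host}")
    if URGENCY.search(body):
        findings.append("urgency language in body")
    return findings

# Constructed sample message for demonstration, not a real phishing email.
SAMPLE = """From: IT Helpdesk <helpdesk@examp1e.com>
Subject: Password expiry

Your account will be suspended unless you verify immediately at
https://login.example.com.evil.net/verify
"""
```

Calling `score_message(SAMPLE)` returns three findings (impersonated display name, lookalike link domain, urgency language); a message from a trusted domain linking to a trusted host returns an empty list.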

Resources:

‘Quishing’-The Emerging Threat of Fake QR Codes
Phishing, Quishing, Vishing, and Smishing