Information Security and IT Compliance News

Social Engineering is a tactic used by malicious actors to attack the weakest link in the cybersecurity chain: you. There can always be a situation that arises that catches you off guard, and you give up more data to a malicious actor than intended. A recent case of social engineering has caused catastrophic damage to MGM Properties around the world, and all it took was one instance of social engineering and a very important password.  

Social Engineering can take on many forms. One of them we are all too familiar with is phishing. Other examples might include baiting, pretexting, tailgating, and honeytraps.  

Baiting: the act of luring you in by promising you something valuable in return.  
It can include simple things such as popup ads that promise you can win a lot of money if you put it in your email. While a large lump sum of money would enhance your life in significant ways, it is not worth identity theft. 

Pretexting: someone creates a fake persona to get their hands on sensitive data such as passwords, social security numbers, gift cards and more.  
This form of social engineering can come in the form of someone impersonating your boss or the CEO of the company and asking you to go out and buy gift cards or change their password so that they can access their account.  

Tailgating: the act of impersonating a UPS delivery person, an employee that forgot their badge at home, or someone who says they are meeting with the CEO but doesn’t have a way to get to the conference room.  
Tailgating can lead to more physical consequences such as stealing devices from your organization, injecting a virus on the company’s network via a physical connection, or downloading data from an administrator’s computer via usb drive. In all these situations, you should not let the person follow you into the office, and you should ask them more questions before trusting them and letting them inside.  

Honeytraps: A person will create a fake account using stolen photos, start a conversation with you, and try to retrieve sensitive information from you or get you to buy gift cards for them as a nice gesture.  
These types of attacks take place on online dating and social media sites. If someone asks you to give your personal information or buy them gift cards, you should report the account immediately so that others don’t fall into the same trap.  

Social Engineering happens when we least expect it or in stressful instances where we want to act quickly. These tactics are well rehearsed and executed, so if you find yourself in a situation where you believe you are being targeted by social engineering, take a deep breath, and think before you act.