Social Engineering vs Phishing

The popular conception of cyberattacks and hacking is of someone exploiting a vulnerability in software to gain access to a system. However, most of the time, this isn’t the case. Instead of targeting software and computers, many cyberattackers focus their efforts on their human users. Social engineering and phishing attacks are two prime examples of this technique.


What is Social Engineering?

Social engineering attacks use deception, coercion, and similar techniques to induce their target to do what the attacker wants. The attacker may pretend to be a colleague, an authority figure, a trusted vendor, or someone else that the target would trust and want to help. Alternatively, the attacker could threaten to expose sensitive or damaging information if the target doesn’t comply with their wishes or could offer a bribe for the target’s assistance.

Social engineering attacks can be performed in various ways. They may involve computers, use the phone, or happen in person. For example, pretending to be a mail carrier or asking someone to hold the door are classic examples of social engineering attacks designed to gain physical access to a secure area.

What is Phishing?

Phishing attacks use malicious messages to get the target to do the attacker’s bidding. Often, these messages come with an embedded link or an attached file with malicious content. If the user clicks on the link or opens the file, they may be taken to a webpage that steals sensitive information, or malware may be installed on their computer.

However, not all phishing attacks require this malicious link or file. Some are designed to trick the user into taking some action with no malicious content involved. For example, business email compromise (BEC) attacks often involve fake invoices for services that were allegedly performed for the company. These invoices don’t contain malware, but, if the recipient believes and pays the invoice, then the money goes to the attacker.

Phishing is commonly associated with emails, but any messaging platform can be used to perform these attacks. Phishing over text messages is named smishing (for SMS phishing), and social media, corporate collaboration platforms, and similar solutions can also be used to perform phishing attacks.

Social Engineering vs Phishing

Social engineering and phishing are related concepts. In fact, phishing is a particular type of social engineering attack.

Social engineering refers to the techniques that an attacker uses to induce their target to do the attacker’s bidding. In the case of a phishing attack, the attacker uses some form of messaging platform to send links, malicious attachments, or other types of deceptive, enticing, or threatening content to the recipient in order to get them to do the attacker’s bidding.

Other Types of Social Engineering Attacks

Phishing attacks are the most common type of social engineering and have several variations, including spear phishing and whaling. However, there are also other forms of social engineering attacks, including:

  • Piggybacking/Tailgating: This is a physical social engineering attack where the attacker gains access to a secure area by tricking a legitimate employee into letting them in.
  • Pharming: Pharming attacks redirect legitimate URLs to an attacker-controlled site via DNS hijacking or other techniques.
  • Pretexting: Pretexting is when an attacker pretends to be someone else and is a technique used in a range of potential attacks.
  • Baiting: In this attack, the attacker promises something valuable to the target in exchange for providing sensitive information or some other action.

How to Prevent Social Engineering Attacks

Organizations can implement a wide range of protections against social engineering attacks, including the following:

  • Employee Training: Social engineering attacks commonly rely on deception and trickery. Training employees to recognize these attacks and respond correctly reduces the risk of a successful attack.
  • Email Security: Phishing is one of the most common forms of social engineering attacks. Email security solutions can identify and block malicious emails before they reach an employee’s inbox.
  • Account Security: Social engineering attacks like phishing are often designed to steal login credentials for users’ accounts. The use of multi-factor authentication (MFA), zero-trust network access (ZTNA), and similar solutions can reduce the risk that an attacker can access these accounts and the potential damage that they can do if they succeed.
  • Endpoint Security: Social engineering attacks are also often used to deploy malware on corporate systems. Endpoint security systems can prevent these malware infections, eliminating the threat to the business.
  • Web Security: Malicious links in phishing messages can direct users to malicious websites that steal data or deliver malware. In-browser security can identify and block malicious content from reaching a user’s device.
  • Data Loss Prevention (DLP): Social engineering attacks are often designed to steal sensitive data. DLP solutions can identify flows of sensitive data to unauthorized parties and block the data leakage.
  • Separation of Duties: BEC and other social engineering attacks may be designed to trick a user into taking harmful actions. Breaking critical processes — such as paying invoices — into multiple stages owned by different employees forces an attacker to trick multiple targets, reducing their probability of success.
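The email-security and BEC points in the list above can be made concrete with a small indicator scorer of the kind that sits in front of an inbox. This is an added example written for this page, not Check Point's or any product's code. It assumes a trusted-domain list and a list of payment-pressure phrases, both constructed here, and both sample messages are constructed for illustration using reserved example and test hostnames.

```python
"""Toy phishing-indicator scorer (added example, not Check Point code).

It inspects header and body features that email security tools commonly
look at: a display name naming a trusted domain the sender does not use,
lookalike sender domains, a Reply-To pointing elsewhere, links whose visible
text names a different host than the real target, and BEC-style payment
urgency. Everything below (domains, phrases, messages) is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed: domains this hypothetical organization treats as trusted.
TRUSTED_DOMAINS = {"example.com", "vendor-example.net"}

# Constructed: wording typical of invoice/BEC pressure (no malware needed).
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer",
                   "updated bank details", "overdue invoice")

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates (distance 1-2), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and 0 < _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def score_message(raw: str) -> dict:
    """Return {'score': n, 'reasons': [...]} for one RFC 822-style message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    body = msg.get_payload()
    reasons = []

    # 1. Display name mentions a trusted domain the real address does not use.
    for d in DOMAIN_IN_TEXT_RE.findall(display):
        if d.lower() in TRUSTED_DOMAINS and sender_domain != d.lower():
            reasons.append(f"display name mentions {d} but sender is {sender_domain}")
    # 2. Sender domain is a lookalike of a trusted domain.
    target = lookalike_of(sender_domain)
    if target:
        reasons.append(f"sender domain {sender_domain} looks like {target}")
    # 3. Reply-To routes answers to a different domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_domain:
        reasons.append(f"Reply-To domain {_domain(reply)} differs from sender")
    # 4. Link text shows one host but the href goes to another.
    for href, text in HREF_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        for shown in DOMAIN_IN_TEXT_RE.findall(text):
            if shown.lower() != href_host:
                reasons.append(f"link shows {shown} but points to {href_host}")
    # 5. Payment-pressure wording (the BEC invoice pattern).
    lower = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        reasons.append("payment-pressure wording: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample: spoofed display name, lookalike domain, foreign
# Reply-To, deceptive link and invoice pressure all in one message.
SUSPICIOUS = """\
From: "finance@example.com via Vendor" <ap@vendor-examp1e.net>
Reply-To: ap.billing@freemail.test
To: finance@example.com
Subject: Overdue invoice
Content-Type: text/html

<p>Our overdue invoice is attached. Please pay immediately using the updated bank details.</p>
<p><a href="http://198.51.100.7/portal">vendor-example.net/portal</a></p>
"""

# Constructed sample: ordinary internal mail with an honest link.
BENIGN = """\
From: "Dana Ops" <dana@example.com>
To: team@example.com
Subject: Lunch

<p>Menu is at <a href="https://example.com/menu">example.com/menu</a>. See you at noon.</p>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = score_message(raw)
        print(f"{name}: score={result['score']}")
        for r in result["reasons"]:
            print("  -", r)
```

Each indicator is weak on its own (a legitimate vendor may set a Reply-To to a ticketing address), which is why the scorer reports reasons rather than a single verdict; a real gateway would combine such signals with authentication results such as SPF, DKIM and DMARC before quarantining.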

Prevent Social Engineering Attacks with Check Point

Social engineering attacks come in various forms. Learn more about the social engineering threat in Check Point’s Social Engineering ebook.

By far, phishing is the most common social engineering threat, and email security solutions are an effective defense. Read more in the Forrester Wave for Enterprise Email Security 2023. Check Point Harmony Endpoint offers a range of features designed to minimize the risk of social engineering and phishing attacks. See what it can do for your organization with a free demo.
