I’ve heard this phrase used a few times in class and was curious what a social engineering attack actually entails. It seems that it can come in many forms such as:
- Phishing
- Ransomware
These are the two most common forms of social engineering attacks, according to the article below.
In phishing attacks, a victim is commonly lured into opening an email attachment, which downloads some form of malware onto the machine. For example, an employee at a company or government agency could receive an email from someone claiming to be from IT requesting that the employee view an attachment.
In ransomware attacks, a user is tricked into downloading a payload that corrupts or encrypts a user’s hard drive. The perpetrators remedy the problem after the victim pays them, usually in bitcoin.
As we’ve discussed in class, the best way to prevent these kinds of attacks in a company is through employee training. The more aware people are of the strategies criminals employ, the better.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
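The post above describes the typical lure: a message whose sender claims to be from IT and pushes the reader to open an attachment. As an added example, not part of the original post or any of the replies, the Python script below applies three defender-side heuristics to a raw message (sender display name claiming IT while the address is external, a Reply-To that differs from the sender, and an executable or macro-enabled attachment, plus urgency wording in the body). The trusted domain `example.com`, the keyword lists and the two sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage for the IT-impersonation lure described above.
Added example code; not from the original post. The trusted domain,
keyword lists and sample messages below are constructed assumptions."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm"}
IT_KEYWORDS = ("it department", "it support", "helpdesk", "service desk")
URGENCY_KEYWORDS = ("immediately", "urgent", "within 24 hours", "account will be")


def analyse_message(raw: str) -> list:
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Lure 1: the display name claims to be IT, but the address is not ours.
    if any(k in display_name.lower() for k in IT_KEYWORDS) and domain != TRUSTED_DOMAIN:
        findings.append(f"IT impersonation: '{display_name}' sent from external domain {domain}")

    # A Reply-To that differs from the sender is a common sign of a lure.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To mismatch: {reply_to} != {address}")

    # Lure 2: an attachment with an executable or macro-enabled extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"Risky attachment: {name}")

    # Lure 3: pressure to act right now.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if any(k in text for k in URGENCY_KEYWORDS):
        findings.append("Urgency language in body")

    return findings


# Constructed sample: the lure from the post (fake IT sender, attachment, urgency).
SAMPLE_PHISH = """\
From: IT Support <helpdesk@example-mail-services.net>
Reply-To: recover@example-mail-services.net
To: employee@example.com
Subject: Mandatory security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached update immediately or your account will be suspended.
--XYZ
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

# Constructed sample: a genuine internal notice that should produce no findings.
SAMPLE_LEGIT = """\
From: IT Department <it@example.com>
To: employee@example.com
Subject: Monthly newsletter
Content-Type: text/plain

The newsletter is on the intranet; no attachments this month.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse_message(sample) or ["no findings"])
```

Heuristics like these are a triage aid for a mail gateway or a reporting inbox, not a substitute for the awareness training the post recommends: they catch the crude version of the lure, while a well-crafted message from a look-alike domain with a benign-looking document still depends on the recipient noticing it.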
Xinteng Chen says
Hi Connor,
Thanks for sharing this information with us. Hackers use social engineering a lot to get usernames and passwords from employees. Lack of security awareness is the main reason why employees will disclose private information. Therefore, it is important to train employees not to click unknown links.
Yingyan Wang says
Hi Connor,
Thank you for sharing this week. Social engineering attacks usually result from people’s wrong judgement. So it is important for companies to consider awareness training, since it is the most effective way to reduce the possibility of a social engineering attack.
Haitao Huang says
I found a very useful phishing data, insights and advice report published by Wombat Security: The 2018 State of the Phish.
Here are some important points from the report:
1. 76% of organizations said they experienced phishing attacks in 2017.
2. Nearly half of infosec professionals said that the rate of attacks increased from 2016 to 2017.
3. The impacts of phishing were more broadly felt than in 2016, with an 80+% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.
4. UK organizations are more likely than their US counterparts to rely on once-a-year training models and passive security awareness training tools (like videos, newsletters, and email notifications). US organizations — which favor interactive training methods delivered on a monthly or quarterly basis — are more than twice as likely as UK organizations to report quantifiable results from their efforts.
5. Smishing is a threat to watch in 2018. Our data shows that average failure rates on simulated smishing attacks are the same as those on email phishing tests. However, just 16% of global technology users surveyed were able to correctly identify the definition of smishing in a multiple-choice query.
Report link:
https://www.wombatsecurity.com/state-of-the-phish?hsCtaTracking=280f71ef-55ac-412e-a03f-3e1eb9667a63%7C0e66ccbd-d92e-45b3-929f-b8d55db0e5b1