NuHarbor Security Blog
October 21, 2016

Social Engineering Attacks: How Human Error Can Shatter Security Shields

Paul Dusini

As we mentioned in our blog about the top cyber security threats of 2016, proper employee training regarding security best practices is essential for avoiding social engineering attacks such as phishing. As it turns out, employee missteps are a common factor in many phishing incidents. With the rapid pace of technological change and the fast-paced lifestyle of many businesses, one factor seems to be constantly overlooked across the board: the human factor.

Addressing the fact that human error is a leading cause of security incidents should be a high-priority concern for businesses this National Cyber Security Awareness Month. In the realm of data and cyber security, people are usually the weakest link, and often it isn't until there is a serious incident that we become aware of these shortcomings. Companies will put in place security policies that address every aspect of their cyber security landscape, but will either neglect or overlook how simple human error or misdirection can totally negate those policies.

Social Engineering: The Human Key to Your Network

Social engineering is possibly one of the oldest and craftiest ways to steal or gain access to confidential information. Even before the advent of the World Wide Web, people were using social engineering to lie, swindle, and steal whatever they wanted. In the context of information security, social engineering is a method of manipulating people into giving up confidential information and breaking security procedures; it hinges solely on human interaction.

Here's how it works: a hacker (or social engineer) calls a company pretending to be an employee in need of confidential information, like financial credentials or a particular password. Social engineering relies on people's willingness to be helpful, because it's far easier to convince someone to give you a password than it is to try to hack into an account. Often, attackers will leverage information about the target that they already have, like a personal address or the last four digits of a payment card. This makes it more likely that the victim of the attack, usually an unwitting employee, will give up the confidential information to the attacker posing as a trusted source.

Pro Tip: Attackers will often look to social media profiles first to obtain personally identifiable information about the individuals they're targeting. Remember these security risks when posting personal information on social media.

The key here is the human factor. Think of it this way: many of us have a much different attitude when we work with people compared to when we work with machines. This is part of human evolution: we are inherently social animals, so we respond to social cues. Most people probably don't give a second thought to hanging up on a robo-call without listening to the full message, but if another person is on the other end, people will naturally pause and engage in some form of communication (nice or not).

In addition to fraudulent phone calls that rely heavily on human nature, there are other forms of social engineering attacks to which untrained employees fall victim, putting their entire business at risk:

Pretexting

Pretexting is a form of social engineering in which the attacker makes claims under a false pretext (i.e. lying) to gain access to sensitive data. The attacker creates a fake persona, which may or may not use legitimate references to make the persona seem credible. They then craft a lie to gain access to confidential information; for example, they may say they are in a rush and need the target to forward important financial information. An email message from the fake address may include an attachment that contains malware. Other times, the fake email involves the social engineer impersonating an individual known to the target company and asking for money.

Phishing

Phishing attacks also involve the attacker sending an email from a seemingly legitimate email address. The purpose of phishing is to get the recipient to provide confidential data or to trick them into installing malware by clicking on an unsafe link or attachment. Spear phishing is when a social engineer targets a specific individual.
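The pretexting and phishing sections above both describe mail that arrives from an address that merely looks legitimate, carries an urgency story, and may have a malicious attachment. The following is an added example, not NuHarbor's code, of how a mail gateway or SOC triage script can surface those indicators before a person ever has to judge the message. The trusted domain, the keyword and extension lists, and both sample messages are constructed for illustration; it uses only the Python standard library.

```python
"""Flag pretexting and phishing indicators in an inbound email.

Added example for this post, not NuHarbor's code.  The trusted domain,
keyword lists and both sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.headerregistry import Address
from email.message import EmailMessage

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the organisation's real domain
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "right away")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")
# Visual look-alike substitutions undone before comparing domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Plain edit distance, small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """Untrusted domain within one edit of a trusted one after homoglyph cleanup."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalize(domain)
    return any(norm == t or levenshtein(norm, t) <= 1 for t in TRUSTED_DOMAINS)


def analyze(raw):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is None:
        return ["missing From header"]

    # 1. Display name carrying a different address than the real sender.
    embedded = re.search(r"[\w.-]+@([\w.-]+)", sender.display_name)
    if embedded and embedded.group(1).lower() != sender.domain.lower():
        findings.append(f"display name shows {embedded.group(1)} but sender is {sender.domain}")

    # 2. Replies quietly routed to a different domain.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(f"Reply-To goes to {reply_to.addresses[0].domain}, not {sender.domain}")

    # 3. Sender domain imitating one we trust.
    if is_lookalike(sender.domain):
        findings.append(f"sender domain {sender.domain} imitates a trusted domain")

    # 4. The "I'm in a rush" pressure the pretexting section describes.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{re.escape(w)}\b", text)]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 5. Attachments of types that can carry executable code or macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


def build_sample(phishing=True):
    """Constructed messages: a pretext/phish with every indicator, or a benign note."""
    m = EmailMessage()
    if phishing:
        m["From"] = Address(display_name="jane@example-corp.com", addr_spec="jane@examp1e-corp.com")
        m["Reply-To"] = "jane.cfo@webmail.example"
        m["Subject"] = "URGENT: wire transfer needed immediately"
        m.set_content("In a rush between meetings, please process the attached invoice right away.")
        m.add_attachment(b"not really a document", maintype="application",
                         subtype="octet-stream", filename="invoice.docm")
    else:
        m["From"] = Address(display_name="Jane Doe", addr_spec="jane@example-corp.com")
        m["Subject"] = "Lunch"
        m.set_content("See you at noon.")
    m["To"] = "finance@example-corp.com"
    return m.as_string()


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print("-", finding)
```

None of these checks proves a message is malicious on its own; a genuine colleague may write "urgent" and a real vendor may use a webmail Reply-To. The value is in the combination: two or more indicators on one message is a reasonable threshold for holding it for review, and the list of findings gives the employee concrete reasons rather than a bare "suspicious" label, which is exactly the kind of cue awareness training teaches them to look for.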

Baiting

When an attacker leaves a physical device infected with malware for a person to find and connect to their computer, it is known as baiting. The social engineer intentionally leaves the physical device, like a flash drive, in an obvious place where an unsuspecting victim will find it. The victim, completely unaware of the nature of the device, allows their curiosity to get the better of them and plugs the device into their machine. Malicious code on the device will then execute once it detects that it is connected, and proceed to infect, vandalize, steal from, or destroy the victim's machine (USB devices known as "USB Killers" or "kill sticks" are specifically designed to fry whatever computer or port they are plugged into).

Preventing Social Engineering Attacks

Making sure that current security policies are adequate to cover human error is only part of the issue because, ultimately, it requires at least some level of involvement from the people who are expected to carry them out. This calls for adequate employee training. According to the 2017 Global State of Information Security report, 38% of businesses are making privacy training and awareness among employees a top priority, because organizations that prioritize employee training will be better prepared to protect against common social engineering attacks. Don't let human error impact your business: prepare employees by warning them about the signs and dangers of social engineering attacks.

