diff --git a/content/cybersecurity/concepts/social-engineering/social-engineering.md b/content/cybersecurity/concepts/social-engineering/social-engineering.md index ede7e5e30f9..aaa8782abe5 100644 --- a/content/cybersecurity/concepts/social-engineering/social-engineering.md +++ b/content/cybersecurity/concepts/social-engineering/social-engineering.md 
@@ -1,25 +1,42 @@ --- Title: 'Social Engineering' -Description: 'Social engineering is when an attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials.' +Description: 'Social engineering is the psychological manipulation of people into performing actions or divulging confidential information by targeting the "human element".' Subjects: + - 'Computer Science' - 'Cybersecurity' Tags: - - 'Cybersecurity' -CatalogContent: - - 'paths/fundamentals-of-cybersecurity' - - 'introduction-to-personal-digital-security' + - 'Cyber Attacks' + - 'Security Principles' + - 'Best Practices' --- -**Social Engineering** is when an attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials. +**Social engineering** is the psychological manipulation of people into performing actions or divulging confidential information. Unlike traditional cyber attacks that focus on technical vulnerabilities, social engineering targets the "human element" to gain unauthorized access to systems or data. It often exploits human emotions, such as fear and urgency, to trick targets into disclosing sensitive information like authentication credentials or credit card details. + +## Common Techniques + +Social engineers use a variety of tactics to deceive their targets. These often involve creating a sense of urgency, fear, or trust + +- **Phishing**: Sending fraudulent communications (usually emails) that appear to come from a reputable source to steal data or install malware. +- **Pretexting**: Creating a fabricated scenario (a pretext) to build trust and steal a victim's personal information. 
+- **Baiting**: Using a false promise to pique a victim's greed or curiosity, such as leaving a malware-infected USB stick in a public place. \* **Quid Pro Quo**: Promising a benefit in exchange for information, such as offering "technical support" in exchange for login credentials. +- **Tailgating**: Physically following an authorized person into a secure location. + +## Social Engineering in Action + +A typical example is an individual receiving an email claiming their account has been compromised. The message states the account will be deactivated unless they click a link to confirm their credit card details. This link navigates the victim to a fake website designed to harvest their sensitive information. + +## Prevention & Defense -## Social Engineering In-Use +Protecting against social engineering requires a combination of skepticism, education, and established security protocols. -An individual might receive an email from an unsuspecting user telling them that their account has been compromised and will be deactivated unless they click the link in the email and confirm their credit card details. Once the individual clicks the link in the email, it navigates the individual to a fake website where they can insert their credit card details. +### How Businesses Protect Themselves -## How Do Businesses Defend Against Social Engineering Attacks? +Businesses must educate and train employees across the organization to understand that they should not click on suspicious links or accept unusual offers, regardless of how legitimate an email appears. -Businesses educate and train employees across the organization. Employees at all levels should understand not to click on suspicious links or to accept unusual offers, despite how legitimate an email appears to be. 
The following are some quick tips to remember: +### Quick Tips for Individuals -- Think Before Clicking: Attackers employ a sense of urgency to make a person act first and think later in social engineering attacks. If a person receives an email with a sense of urgency that seems unusual, that person should take a moment to check if the source is credible first. -- Research The Sources: Check the domain links to see if they are real. Usually, a typo/spelling error is an indicator that something isn’t right. Hovering a cursor on a link before a person clicks on it will reveal where the link will send them. -- Be Careful Downloading: If a person does not know the sender, that person shouldn’t open the message. Cybercriminals will often use email attachments to spread [viruses](https://www.codecademy.com/resources/docs/cybersecurity/malware/virus) and other forms of [malware](https://www.codecademy.com/resources/docs/cybersecurity/malware). +- **Think Before Clicking**: Attackers use urgency to make people act first and think later. Always verify the source of an urgent request. +- **Research The Sources**: Check domain links for spelling errors. Hover your cursor over a link to reveal the true destination URL before clicking. +- **Be Careful Downloading**: If you do not know the sender, do not open the message or attachments, as they may contain viruses or malware. +- **Multi-factor Authentication (MFA)**: Use MFA to ensure that a stolen password alone is not enough for an attacker to gain access. +- **Verification**: Always confirm the identity of someone requesting sensitive information through a secondary, trusted channel.
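Review bot: the Quid Pro Quo entry is written as `\* **Quid Pro Quo**:` and runs on the same line as the Baiting bullet, so the escaped asterisk renders as literal text rather than a list item; put it on its own line as `- **Quid Pro Quo**: Promising a benefit in exchange for information, ...` to match the other `-` bullets. The lead sentence "These often involve creating a sense of urgency, fear, or trust" is missing its terminating period. The rewritten "Be Careful Downloading" tip also drops the cross-links to the `viruses` and `malware` docs that the removed line carried (`[viruses](https://www.codecademy.com/resources/docs/cybersecurity/malware/virus)` and `[malware](https://www.codecademy.com/resources/docs/cybersecurity/malware)`); keeping those links is cheap and useful. Finally, the `CatalogContent` block with its two paths is deleted outright rather than updated; confirm that is intended, since the rest of the front matter is being extended, not stripped.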