Don't Become the Next Victim of a Social Engineering Attack

8/23/2022 - By Charlene Fyda, CISA

When it relates to information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes - and it can come in many different forms. 

5 of the Most Common Social Engineering Tactics 

One of the most common attacks today is phishing. Anyone can easily be tricked into clicking on a link within a phishing e-mail because they look almost identical to real emails. Many companies warn associates about “fishy-looking” emails, and it is said that nearly 85% of all organizations have been targeted by malicious e-mails, so it can be a challenge to differentiate them.

Another social engineering tactic is called tailgating. This attack is when an unauthorized person tries to Follow an employee into a restricted area or “piggybacking” when someone accesses a reserved area with the permission obtained by the deception of an authorized person. It can start with a combination of sending a phishing email to an authorized user by doing simple internet searches such as LinkedIn or Facebook then suiting up in a fake uniform and fake badge and ’piggybacking’ to gain access to secured areas such as a server room. 

Next, there is pretexting. Pretexting is where an attacker tries to present oneself as someone else to obtain confidential information. The goal is to try to build trust with the victim.

Baiting is another form of social engineering. Who doesn’t like to receive free stuff or get a good deal on something? Baiting uses the promise of an item or good to entice victims. Another alternative may be to try to exploit curiosity. You may want to drop a USB drive somewhere in a parking lot, hoping someone picks it up and gets curious enough to see what’s on it and insert into their computer and inadvertently infect their system with malware.

Why Are Community Banks Vulnerable?

Community Banks are known for their quality customer service and friendly atmosphere where everyone knows your name. When you walk into a community bank, you are probably greeted right away and asked what they can help you with. Keeping that friendly service is great, but at the same time, bank employees should always have their guard up and be firm. It is better to be prepared and nothing happens, than to not be prepared and the worst happens. 

Ways to Prevent Attacks 

If someone is trying to gain access to areas in a bank, the employees need to verify the information before access can be granted to a secured area. Some ways to verify information includes calling the IT department to ask if access is allowed into the secured area and if they aware of the visit. If it is a legitimate visit, I would recommend that bank employees stay with the person while they perform their work and not leave them alone throughout the process. If you receive a suspicious email, you should notify the IT Department or the person the e-mail appeared to come from and verify if the e-mail was sent by them. Never trust an email only as a form of authorization because the email can easily be spoofed.

These may seem counterintuitive, but oftentimes people get so wrapped up in their work or processes that they overlook these simple but important tools. Be diligent and with the help of our Saltmarsh Financial Institution Consulting team, you may not become the next victim of a social engineering attack. 

About the Author | Charlene Fyda, CISA

Charlene is a senior information technology consultant in the Financial Institution Advisory Group at Saltmarsh, Cleaveland & Gund. In her role, Charlene performs IS reviews and assists with vulnerability assessments. for the firm’s financial institution clients. Prior to joining Saltmarsh, Charlene worked as a network administrator for a local bank. She has various certifications specific to financial institutions and information technology services has worked in the industry for over 22 years.

Related Posts