Social engineering attacks carried out by insiders
- Extracting sensitive company information such as passwords, trade secrets, or project plans from the inside, using social rapport and better-targeted penetration attempts, and delivering the acquired information to third parties.
- Using confidential information as leverage for finding a new job or achieving a better position inside the company. This may occur through exploitable flaws in employment contracts or outright coercion, among numerous other routes.
- Leaving the organization with login information and confidential information and using it for malicious purposes. This sort of attack is very difficult to defend against and is especially worth watching out for if any employees are thought to be disgruntled.
Social engineering attacks carried out by outsiders
- Malicious outsiders very often pose as company contractors to extract confidential information from gullible employees. They can do that through phone calls or emails, or by physically gaining access to company premises.
- Social engineering often relies on the strong confidence that practitioners project and on the trust that is usually placed in external contractors, especially if they come from reputable companies such as Cisco or IBM.
- Information about employees found on social networking sites can also be used to gain the victim’s trust in order to gather sensitive information from them.
- Malicious outsiders can also use malware-laden programs or executables hidden in email attachments. Once such a trojan gets inside an employee’s computer, it can act in various ways, such as sending copies of documents or spying on the employee’s computer activity.
- Phishing attacks are endemic. They include the use of emails that appear to originate from a trusted source to trick an employee into entering valid credentials on a fake website.
Sharing too much information on social media can enable attackers to guess passwords or extract a company’s confidential information through posts by employees. Security awareness is integral to preventing such incidents. Developing policies, training employees, and implementing measures, such as warnings or other disciplinary actions for repeat or serious incidents, will mitigate the risk of social engineering attacks.