What is Social Engineering?
Social engineering is a method that threat actors can and will use to try to gain access to sensitive information. This could be passwords, sensitive documents, money, or access to locations they shouldn't have access to. Social engineering is often used as part of scam tactics, and may be done over email (phishing), voice (vishing), or text message (smishing).
So what kind of tactics do these people use? Well, it can vary based on their objectives and the unique scenario. In many cases, the social engineer will try to look important or official - whether in who they claim to be or how they look. From there they'll often ask for help - again pretending to be someone they're not. This could be an IT person asking for a password for 'critical maintenance' or a new hire asking for help. This fundamentally exploits a flaw in human psychology - after all, we want to be helpful, and someone who sounds authentic is asking for help.
Once they gain access to the resource they're after, the consequences can vary. They could steal money or sensitive data, or simply sabotage the company they've infiltrated. Sounds like something out of a spy movie, right? Well, it's more common than you'd think. In fact, in September of 2023, the ransomware group BlackCat/ALPHV used these tactics and compromised MGM Resorts in less than 10 minutes.
What can you do about this? A simple, yet effective defense against this is the idea of 'trust but verify.' We inherently want to believe that the person asking us to do something is authentic, and we'd like to help them. But simply taking a moment to authenticate who they are before proceeding can make a huge impact.
One way to do this when someone contacts us (whether via phone, email, or text) is to simply call the person or company they claim to be and ask if the request is legitimate. You'll want to use the organization's publicly disclosed number though - not any number the person gives you.
Another, if the person is asking you to help them gain physical access to a location, is simply to follow any established procedures your company may have before allowing them in.
And lastly, a very simple thing you can do: if you see or hear something that seems out of place, report it to an appropriate person to validate. It may seem like this could be a waste of time, but validating a claim is much easier for security teams than dealing with the consequences of a social engineer.