According to Jenny Radcliffe, director and head of training and consultancy at Jenny Radcliffe Training, social engineering attacks are more complex than ever before as security technologies develop.
Social engineering, aimed at exploiting people as the weakest link in the information security chain, takes many forms including physical access to buildings, email phishing and telephone calls.
This approach is becoming much more common as organisations deploy a wider range of effective information security systems and controls, particularly as a way of getting inside an organisation's network.
Radcliffe said: "But we are also beginning to see a new breed of attackers who appear to be trained in psychology, and are using that in new and effective ways to get people in organisations to help them circumvent security controls.
"Attackers are no longer concerned with the technical controls, but instead get insiders to help by engaging with them and building trust relationships."
Radcliffe believes these attacks are beginning to be more informed and backed by a level of complexity and planning that has not been seen before, which includes building a profile of the target organisation and its employees using sources such as corporate websites, industry forums and social media sites including Facebook, Twitter and LinkedIn.
Radcliffe said: "Attackers will then seek to build a trust relationship with an individual or individuals within the organisation over a long time, using the principles of influence and other academic ways of building trust."
According to Radcliffe, serious attackers are also now looking at organisations as if they were people, and examining their culture or psychology to determine what weaknesses can be exploited.
She said: "For example, many large enterprises tend to bully smaller businesses in their supply chains and make the mistake of assuming smaller organisations will want to do business with them.
"Arrogance like that makes organisations predictable, which means that social engineers can behave as expected, and if an attacker can be the person they expect, they tend to trust that familiar persona the attacker is presenting without question, and therein lies the vulnerability."
Return to internet news headlines
View Internet News Archive