What is Social Engineering?
Social engineering is the art of manipulating someone into doing something they would not otherwise do. It is not always malicious, but in this article we focus on social engineering in the context of information security. Many large data breaches now begin with a social engineering component: a successful attack pairs a convincing pretext with techniques for evading technical detection.
Types of Social Engineering Attacks
1. Email from a friend/colleague/family member
These attacks abuse the trust between two individuals: the attacker impersonates someone the target already knows.
Stranded abroad variant
It's not uncommon to receive an email that purports to be from someone you know and trust, but was in fact sent by a criminal (from a spoofed sender address or a compromised account). The email might claim that Sue is stuck in Barcelona and has had her purse stolen; she is at the embassy and just needs money for a plane ticket home. If you receive such an email, contact Sue through a different channel (Skype, WhatsApp, a phone call, etc.).
A second channel lets you confirm whether the email really came from her, so you don't divulge confidential information or send money to criminals. If email is the only way to reach her, report the message to your IT or Information Security department; they will know how to deal with it.
Funny/interesting link variant
We all know this one: “Wow! This is the most amazing display of natural kindness that I have ever seen. Check it out.” You click the link and are taken to a video while, in the background, the page or a download it triggers has compromised your computer. If this is a computer on the work network, that spells trouble: the attacker can now use it as a beachhead to attack the rest of your company's internal network.
2. Phishing attempts
These attacks abuse the trust that we have for official, above-reproach institutions.
DHL/Fedex package delivery failure variant
You might receive an email informing you that DHL was unable to deliver a package to your home; if you could just click the following link and... What you should do is: STOP! Ask yourself whether you were expecting a package. If not, forget about it; if it is important enough, the sender will contact you directly rather than through DHL. If you were expecting a delivery, look up the tracking number on the courier's own website, typed in yourself, rather than following the emailed link.
Renowned charity/fund-raising organization variant
If it's important to you, ignore all the contact details in the email, look up the charity's details yourself, call them and verify the request with them.
Urgent problem, needs instant resolving variant
Reach out to the company by telephone, using a number from their official website or your statement rather than one from the email, or by walking into their local office. Once again, if it's important enough, the company will have many ways of reaching you.
You've won the lottery variant
If you have won the lottery, shouldn't you have played first, or at least bought a ticket? If you want to check, contact the lottery through a telephone number you look up yourself. Ignore the contact details in the email, otherwise you risk calling a phone number controlled by the scammers.
Your help is needed for some disaster relief variant
Within hours of any natural disaster, scammers start targeting individuals all over the world with fake appeals for help, money and resources. You can protect yourself from these phishers and scammers, although there is only so much you can do if a service you use is compromised.
Here are some basic preventive measures you can take:
- When in doubt, ignore it.
- Take a deep breath and think before acting.
- Do some research, using a different means of communication from the one the request arrived on.
- Report and then delete all requests for private, company or financial information.
- Report, then ignore, requests for help. If it's legitimate, you'll hear of it officially.
- Do you really have to click on that link?
- Use different logins and passwords for different services.
- Use two-factor authentication wherever it is offered.
- Use credit cards with care.
- Use phishing simulation tools.
These steps won’t prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they may at least minimize the damage possible and also give you more peace of mind that you’re doing as much as you can to protect yourself.
Security awareness alone is not enough to stop users clicking on malicious links and being manipulated into entering login details and other sensitive information. Phishing scammers are masters of clever behavioral manipulation. Like all approaches to security threat mitigation, a proactive and layered approach works best. Enterprises must shore up security awareness training with tools that prevent a user from being taken to a spoof website even if they do click on a malicious link. These tools should include a web content filtering platform, which prevents employees from navigating to dangerous websites and reduces the chance of corporate data breaches and other cyber-attacks.
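As an added example (not part of the original article and not TitanHQ product code), the script below shows the kind of link check a mail gateway or content filter applies before a user ever reaches a spoofed page: it pulls every link out of an HTML email body, compares the domain shown in the link text with the domain the link really points to, flags raw IP addresses, and flags hosts that mention a courier brand but are not registered under that brand's domain. The sample "package delivery failure" email, the brand allowlist and the "last two labels" domain rule are all constructed assumptions for the example.

```python
"""Added example: flag suspicious links in a phishing email the way a simple
mail gateway or web content filter would. All sample data is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "package delivery failure" phishing email (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, DHL was unable to deliver your package.</p>
<p>Please confirm your address here:
<a href="http://dhl-delivery-status.example.net/track?id=123">https://www.dhl.com/track</a></p>
<p>Questions? Visit <a href="https://www.dhl.com/help">our help page</a>.</p>
<p>Or <a href="http://198.51.100.23/login">log in here</a>.</p>
"""

# Assumed allowlist: registrable domains legitimate courier mail is expected to link to.
BRAND_DOMAINS = {"dhl.com", "fedex.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Last two labels of a hostname (a simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    candidate = text.strip()
    if not re.match(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?].*)?$", candidate):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def classify_link(href, text, brand_domains):
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no usable host in link target"]
    if is_ip(host):
        reasons.append("link target is a raw IP address")
    shown = host_in_text(text)
    if shown and shown.lower() != host:
        reasons.append(f"visible text shows {shown} but link goes to {host}")
    for brand_domain in brand_domains:
        brand = brand_domain.split(".")[0]
        if brand in host and registered_domain(host) != brand_domain:
            reasons.append(f"host mentions '{brand}' but is not {brand_domain}")
    return reasons


def scan_email(html, brand_domains=BRAND_DOMAINS):
    """Return (href, text, reasons) for every link in the message body."""
    return [(href, text, classify_link(href, text, brand_domains))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if reasons else "ok", href)
        for reason in reasons:
            print("   -", reason)
```

Run on the constructed sample, the first link is flagged twice (the text shows www.dhl.com while the target is dhl-delivery-status.example.net, and that host mentions "dhl" without being under dhl.com), the genuine www.dhl.com help link passes, and the raw-IP login link is flagged. A real filter would add a public-suffix list, reputation lookups and homoglyph checks, but the display-versus-target mismatch alone catches a large share of the "just click the following link" lures described above.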
To find out more about some of the key protections you can put in place to improve your resilience against social engineering attacks, contact the TitanHQ team today.