When most people think of cybersecurity, they generally think of data breaches or software vulnerabilities. There is another way into personal networks, and even into organizations, and that is social engineering.
What is it?
At its core, social engineering is taking advantage of humans. For instance, an intruder could pose as IT helpdesk staff for your favorite streaming company and ask you for information such as your username and password. Many people wouldn't think twice about volunteering that information, especially if it looks like it's being requested by a legitimate representative.
Simply put, social engineering uses deception to manipulate individuals into enabling access or divulging information or data.
Types of Social Engineering Attacks
Pretexting
Pretexting is just that: the attacker uses some sort of pretext to gain attention and hook the victim into providing information. For instance, an internet survey might start out looking innocent but then ask for information such as your email address, cell number, etc. Or someone might piggyback off a post you made publicly, harmlessly expressing your interest in a new car, and claim they're part of a dealership that would love to get you into your new favorite ride. So you happily offer them your full name, address, and maybe even some financial details.
Baiting
Baiting is creating some kind of trap, generally involving a USB drive. Typically, nefarious characters create a payload that runs automatically when the USB drive is inserted into a machine, then drop the device in a busy area. Someone with a curious mind picks it up and plugs it into their personal device, and suddenly all of their files are encrypted and they have to pay a large sum of money or risk losing all of their personal data.
Quid Pro Quo
This form of SE (social engineering) attack makes the victim believe they are receiving something in return for their sensitive information. 'Scareware' works this way: it promises users an update to deal with a serious security problem when in fact the scareware itself is the malicious security threat.
Contact Spamming & Email Hacking
This type of attack involves hacking into an individual's email or social media accounts to gain access to their contacts. Contacts may be told the individual has been mugged and lost all their credit cards, and then be asked to wire money to a money transfer account. Another very common variant is that the 'friend' forwards a 'must see video' which links to malware or to a keylogging Trojan.
How to Avoid Social Engineering Attacks
Social engineering attacks are particularly difficult to counter because they're expressly designed to play on natural human characteristics, such as curiosity, respect for authority, and the desire to help one's friends. There are a number of tips that can help you detect a social engineering attack.
Check the source
Take a moment to think about where the communication comes from; don't trust blindly. A USB stick turns up on your desk and you don't know what it is; a phone call out of the blue says you've inherited $5 million; an email from your CEO asks for a load of information on individual employees. All of these sound suspicious and should be treated as such.
Verifying the source isn't difficult. For instance, with an email, look at the email headers and check them against valid emails from the same sender. Look at where the links go: spoofed hyperlinks are easy to spot by hovering your cursor over them (do not click the link). Check the spelling, too. Banks have whole teams of qualified people dedicated to producing customer communications, so an email with glaring errors is likely a fake.
If in doubt, go to the official website and get in contact with an official representative, as they will be able to confirm whether the email or message is real or fake.
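The two header and link checks described above can be automated for a quick triage of a suspicious message. The script below is an added example and is not code from the original article; the sample message, its addresses and domains are constructed for illustration, the set of known-good sender domains (TRUSTED_DOMAINS) is an assumption standing in for "valid emails from the same sender", and the "registrable domain" helper is a deliberately crude last-two-labels heuristic rather than a proper public-suffix lookup. It compares the From, Return-Path and Reply-To domains with each other and with the known-good list, and flags any hyperlink whose visible text is a URL on a different site than the href it actually points to.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real sender): the display name imitates a
# bank, but the real sender address and the first link's target point elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.net>
Return-Path: <bounce@mailer-xyz.example>
Reply-To: <support@examp1e-bank-login.net>
To: customer@example.org
Subject: Urgent: verify your account now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Click
<a href="http://examp1e-bank-login.net/verify">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Or read <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""

# Assumed: domains that earlier, legitimate mail from this sender came from.
TRUSTED_DOMAINS = {"example-bank.com"}


def domain_of_address(addr):
    """Return the lower-cased domain part of an email address, or '' if none."""
    _, addr_spec = parseaddr(addr or "")
    return addr_spec.rpartition("@")[2].lower()


def registrable(host):
    """Crude 'site' name: last two labels of a hostname (www.example.com -> example.com)."""
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def find_spoofed_links(html):
    """Return (shown text, real href) for links whose visible URL is on another site than the href."""
    parser = LinkCollector()
    parser.feed(html)
    spoofed = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).netloc
        if not shown or "." not in shown:
            continue  # plain words like "our help page" can't be compared
        actual = urlparse(href).netloc
        if registrable(shown) != registrable(actual):
            spoofed.append((text, href))
    return spoofed


def check_headers(msg, trusted_domains):
    """Flag sender domains that don't match what the same sender used before."""
    findings = []
    from_domain = domain_of_address(msg["From"])
    if registrable(from_domain) not in trusted_domains:
        findings.append(f"From domain {from_domain!r} is not a known-good sender domain")
    for header in ("Return-Path", "Reply-To"):
        other = domain_of_address(msg.get(header))
        if other and registrable(other) != registrable(from_domain):
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")
    return findings


def analyse(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Run both checks on a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "header_findings": check_headers(msg, trusted_domains),
        "spoofed_links": find_spoofed_links(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(key)
        for item in value:
            print("  -", item)
```

For the constructed message this reports two header findings (the From domain is not a known-good one, and the Return-Path domain differs from it) and one spoofed link (the anchor shows the bank's login URL but points at the look-alike domain). A mismatch is a reason to verify through the official website or phone number, as the article advises, not proof of an attack on its own; legitimate bulk mail often has a Return-Path on a mailing provider's domain, which is why the known-good list matters.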
Check for a sense of urgency
Social engineering often depends on a sense of urgency. Attackers hope their targets will not think too hard about what's happening. Taking a moment to think can deter these attacks or allow you to verify whether or not they're real.
If a representative from some company is reaching out, call their official number or write to their known-good support email address rather than giving data out on the phone or clicking on a link. Use a different method of communication to check the source's credibility. For instance, if you get an email from a friend asking you to wire money, text or call them to verify it's really them.
Implementing a zero-trust strategy in your daily technology use, along with other good practices, can be the best deterrent. We've written a comprehensive article on this, which you can view here.