How to avoid a social engineering attack
Most of us conceive of cyber-security as regarding defending ourselves against hackers that target data networks by exploiting technological flaws. However, there is another route into organizations and networks: exploiting human vulnerability. This is called social engineering, and it entails deceiving someone into disclosing information or granting access to data networks.
An intruder may, for example, impersonate IT support professionals and seek users for information such as usernames and passwords. And it’s astonishing how many individuals are willing to give such information away, especially if it appears to be sought by a reputable person. Social engineering is using deceit to persuade someone to give up access to information or data.
Types of social engineering attacks
Social engineering assaults come in a variety of forms. As a result, it’s critical to comprehend both the definition and the mechanics of social engineering. It’s much easier to recognize social engineering attempts once you understand the basic modus operandi.
Baiting entails setting up a trap, such as a malware-infected USB drive. Someone interested in what’s on the stick inserts it into their USB drive, compromising the system. Indeed, there is a USB stick that may kill computers by charging itself with energy from the USB drive and then releasing it in a fierce power surge, causing damage to the system where it is plugged in.
This assault employs a pretence to attract the victim’s attention and entice them into supplying information. For example, an internet survey may appear to be completely benign at first but subsequently, ask for bank account information. Alternatively, someone with a clipboard may appear and claim to be doing an internal system audit; however, they may not be who they claim to be, and they may be out to steal vital information from you.
Vishing and Smishing
These social engineering attacks include variations of phishing, such as ‘voice fishing,’ which is simply dialling a number and requesting information. The offender may impersonate a coworker, for example, by claiming to be from IT support and requesting login credentials. Smishing, on the other hand, utilizes SMS texts to try to gain this information.
Quid pro quo
Fairtrade is not robbery, they argue, yet it is in this situation. Many social engineering assaults lead victims to feel they would receive something in exchange for providing data or access. Scareware operates in this manner, offering consumers an update to address an urgent security issue when the scareware is the actual security danger.
Email hacking and contact spamming
This form of assault entails breaking into someone’s email or social media accounts to acquire access to their connections. Contacts may be informed that the person has been mugged and has lost all of their credit cards, and they will be asked to wire money to a money transfer account. Alternatively, the ‘friend’ may send a must-watch video’ that contains a link to spyware or a keylogging Trojan.
HOW TO AVOID SOCIAL ENGINEERING ATTACKS
Social engineering attacks are specifically meant to play on inherent human qualities like curiosity, respect for authority, and the desire to aid one’s friends. They’re extremely tough to stop. There are a few points that can aid in the detection of social engineering attacks.
Check the source
Consider where the message is coming from; don’t just take it at face value. You find a USB stick on your desk and have no idea what it is. You get a call out of the blue telling you that you’ve inherited $5 million? An email from your CEO requesting a slew of data on certain employees? All of these seem suspicious, and they should be taken seriously.
It’s not difficult to verify the source. Examine the email header and compare it to other legitimate emails from the same sender, for example. Examine where the links lead – faked hyperlinks may be easily identified by hovering your mouse over them (but don’t click the link!) Check the spelling: banks have entire teams dedicated to creating customer communications, so an email with obvious faults is almost certainly a fake.
What do they know about it?
Is there any information you’d expect the source to have, such as your entire name? Remember that if your bank calls you, they should have all of your information on record and will always ask you security questions before enabling you to make changes to your account. If they don’t, the chances of it being a fraudulent email, phone, or message are much higher, and you should be cautious.
Break the loop
A feeling of urgency is frequently used in social engineering. Attackers hope their victims won’t think about what’s going on too much. So just pausing to think can avert these attacks or expose them for what they are: forgeries. Rather of giving out personal information over the phone or clicking on a link, call the official number or visit the official website URL. Check the source’s reliability through a different means of communication. For example, if you receive an email from a buddy requesting you to send money, text or contact them to confirm that it’s them.
Ask for ID
Bypassing security to gain access to a facility while carrying a huge box or armful of files is one of the simplest social engineering approaches. After all, someone will hold the door open for you. Don’t be fooled by this. Always request identification.
The same may be said for other strategies. Checking the caller’s identity and phone number, or asking, “Who do you report to?” Should be a standard reaction to information requests. Then, before sending out any sensitive information or personal data, verify the organization’s chart or phone directory. If you don’t know the person who is asking for the information and still don’t feel comfortable sharing it, tell them you need to double-check with someone else and will contact them later.
Make effective use of a spam filter.
You might wish to change the settings in your email software if it isn’t filtering out enough spam or classifying emails as questionable. Spam filters that work well employ a variety of factors to decide which emails are likely to be spam. They may be able to identify suspicious files or links. Maintain a blocklist of suspect IP addresses or sender IDs, or analyze message content to decide which are likely to be fraudulent.
Is this a feasible circumstance?
Some social engineering assaults aim to fool you into not being analytical, so taking the time to examine if the situation is realistic can help you spot a lot of them. Consider the following:
Don’t go too fast
When you detect a sense of hurry creeping into a conversation, be very cautious. This is a common tactic used by malevolent actors to prevent their victims from thinking things through. If you’re under time constraints, take it slowly. To slow things down and allow yourself time to ponder, say you need more time to obtain the information, you need to ask your boss, or you don’t have the correct details with you right now. When social engineers realize they’ve lost the edge of surprise, they’re less likely to press their luck.
Make sure your gadgets are safe.
It’s also critical to safeguard devices such that a successful social engineering attack is restricted in what it can do. Whether it’s a smartphone, a basic home network, or a large business system, the core concepts remain the same.
Maintain the latest versions of your anti-malware and anti-virus software. This can help prevent malware from being installed because of phishing emails.
Update software and firmware regularly, especially security patches.
Don’t run your phone, network, or computer in administrator mode:- Even if a social engineering assault obtains your ‘user’ account password, it will not allow them to change or install software on your machine.
Use separate passwords for various accounts:- You don’t want a social engineering assault to gain access to all of your other accounts if they have your social media account password.
Use two-factor authentication for key accounts, so that simply knowing your password isn’t enough to gain access. Voice recognition, the usage of a security device, fingerprints, or SMS confirmation codes are all possibilities.
If you’ve recently given out your password to an account and suspect you’ve been ‘engineered,’ change it right away.
UK Cyber Security Ltd is here to help
Please check out our Cyber Essentials Checklist
Please check out our Free Cyber Insurance
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks. Or just get in touch by clicking contact us