An Introduction To Social Engineering

Social engineering is the art of manipulating people to gain access to their computers, IT systems, networks, or physical locations, typically for financial gain. It is the art of bypassing an organization's security by exploiting the humans who work for it. Because security technology can be highly effective at keeping attackers out, hackers typically begin an attack on an organization through its people. Humans are easier to manipulate and will try to help someone they believe is a colleague, because it is socially acceptable to do so. Most of the time, social engineers pose as someone you are likely to trust, such as a bank manager, a customer support agent, or a colleague from another department or branch, and persuade their targets to drop their guard and reveal information that helps them access systems or data.

The vast majority of social engineering attacks are conducted online. By being aware of the threat and looking for the warning signs, you can stop them dead in their tracks. Look out for:

  1. Phishing - Most people are familiar with phishing emails, in which an email claims to come from someone you trust. An attacker posing as a bank, government agency, or service provider tries to persuade you to enter login details, click a URL, or download an attachment containing malware.
  2. Spear Phishing - Similar to phishing, but aimed at specific people in positions of authority, known as high-value targets. Attackers can spend a long time working out the best way to attack; for example, they may break into an assistant's computer to gather information and then email the target asking for passwords or login details.
  3. Watering Hole - It is easy to be suspicious of those who approach you, but when we approach them, we are not as suspicious. This is the basis of a watering hole attack. The attackers gain control over an online resource you trust, such as a website or login page, and wait for you to visit it. Then, when you type in your credentials, they steal them or infect your machine with malware. These are more complicated attacks because they actually involve two attacks: one on the trusted resource and another on you. Because they are more sophisticated and rely on you coming to them, they are more likely to succeed and less likely to arouse suspicion.
  4. Typosquatting - Typosquatting works because people do not pay as much attention as they should to URLs, especially when they look right at a glance. The attackers register a domain that resembles, for example, a large bank's domain but is spelled slightly differently. Should you be fooled into visiting this site via an authentic-looking email, or mistype the URL and end up there, the attacker will be waiting for you. With a fake website that looks like the real thing, they are ready to harvest your credentials and steal your money or your access to the resource.


By being aware and suspicious of anything that feels out of place, you can prevent yourself from becoming a victim of social engineering. Furthermore, you become a robust first line of defense for your organization.

Always Think Before Clicking - Social engineers like to use a sense of urgency to provoke action before the target can think. When you get an urgent message, think twice! Check the URL and the source of the email before clicking anything. Even better, verify with a quick call or text message that the alleged sender actually sent it.

Check Your Sources - Be wary of unsolicited emails, and always check the sender's address domain and the domains of any links to verify that they come from the right source. To go a step further, use a search engine to check that the person sending the email is actually an employee of the organization they claim to represent. These are easy checks that help you avoid being spoofed by a fake sender.
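As an added illustration (not part of the original article) of the domain checks described under Typosquatting and Check Your Sources, the following Python script extracts the host from each link in a message and compares it against an allowlist of trusted domains, flagging hosts that are a few keystrokes away from a trusted name or that embed a trusted name inside an unrelated domain. The allowlist entries, the sample links and the distance threshold are all constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allowlist: the domains this (hypothetical) organization trusts.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}


def host_of(url):
    """Return the lowercased host of a URL, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """
    Classify the host of a URL as:
      'trusted'   - an allowlisted domain or one of its subdomains
      'lookalike' - within max_distance edits of a trusted domain, or a
                    trusted domain embedded in some other registrable domain
                    (e.g. examplebank.com.account-verify.net)
      'unknown'   - nothing resembling a trusted domain
    Returns (verdict, matched_trusted_domain_or_None).
    """
    host = host_of(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    for t in trusted:
        if t in host:  # trusted name used as a decoy inside another domain
            return "lookalike", t
        if edit_distance(host, t) <= max_distance:
            return "lookalike", t
    return "unknown", None


def scan_links(urls):
    """Classify every link in a message; returns a list of (url, verdict, match)."""
    return [(u, *classify_url(u)) for u in urls]


if __name__ == "__main__":
    # Constructed links as they might appear in an incoming email.
    sample_links = [
        "https://www.examplebank.com/login",
        "https://login.examplebank.com/",
        "http://examp1ebank.com/verify",
        "https://examplebank.com.account-verify.net/",
        "https://example.org/newsletter",
    ]
    for url, verdict, match in scan_links(sample_links):
        print(f"{verdict:9s} {url}" + (f"  (resembles {match})" if match else ""))
```

The distance threshold is the knob to watch: two edits is reasonable for names as long as these, but for very short domains it would flag unrelated sites, so in practice the threshold should scale with the length of the trusted name, and a flagged link should be verified through the sender checks above rather than treated as proof of an attack.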

Don’t Download Strange Files - If you do not know who sent a file, did not expect an email from that sender, or are unsure whether you should look at it, it is likely not safe to open. Taking this stance by default is a great way to lower the risk of being caught out by an attachment carrying a malware payload.

You Haven’t Won a Prize - If it’s too good to be true, it probably is, especially if you do not remember entering a contest or competition. Unsolicited emails that bait you into opening them with promises of money or a prize are almost certainly scams - don’t fall for them!

Ignore Help Requests - Ignore any request for help that allegedly comes from tech support until you have verified the sender, and ignore unsolicited offers of help from the same kinds of sources. Always check that the sender is legitimate before acting.

Adjust Your Spam Filter - Modern email services have great spam filters to stop your email inbox from overflowing. Be sure to set your filters to high to keep potentially risky emails from arriving in your inbox. You should check your spam folder regularly to make sure that legitimate emails are not getting stuck in there.

Remember that social engineering attacks prey on you as a human and on your tendency not to suspect anyone at work. Trust your instinct and stay aware; it’s only a matter of time before you are targeted by a social engineer who wants to attack your business.