In this internet age, we have to deal with many threats, ranging from adware and drive-by downloads to phishing and scareware. Social engineering is at the center of it all, a psychological deception for people to divulge confidential data.
But why should you care? For starters, no one wants to lose their hard-earned money or find their identity linked to an unknown crime. These are just a few dangers of not protecting yourself against social engineering.
Types of social engineering attacks
There are so many kinds of manipulative techniques. You may be wondering, what are the different types of phishing attacks? What is baiting; what about pretexting?
Let’s discuss all the most common social engineering attack types.
This type of attack comes in various forms. Standard phishing regularly happens via email. The modus operandi for email phishing is similar to other types of phishing. The attacker sends a message to someone alerting them about an urgent action they need to take on a link.
For instance, it could be from a so-called PayPal, stating that their account has been compromised. A phishing email could even be about an unexpected prize reward. Regardless of the content, the aim is to get the target to provide certain data like login and card details.
Unlike regular phishing, where hackers target random individuals, spear phishing focuses on a specific person or organization. The phisher performs prior research, which can take weeks. However, they can tailor their message according to the victim’s familiar characteristics, increasing the chances of a successful attack.
Whaling is a spear phishing attack aimed at high-profile targets and senior executives like CEOs. Common tricks include fake customer complaints or subpoenas. It can be a spoofed email directed at other employees to wire money to an offshore account.
Voice phishing (or vishing) is another social engineering hack performed via the phone. It typically uses voice-over IP, where the phisher dials many numbers and plays automated recordings.
These will make bogus claims that the victim’s account has been compromised through fraud. To make the assertion believable, the caller ID will look like the real number of the imitated organization. Afterward, the person that received the call will be directed to a place prompting them to enter sensitive information.
SMS phishing (or smishing) is the SMS-based equivalent of email phishing. It involves a user receiving a message with a link or a request to contact an email address. The end goal is for the victim to give up their private data.
If you’ve seen a message that says, “Your computer may be infected with harmful spyware programs,” that could be scareware. This type of malware alarms users with a fake virus threat before suggesting they download or buy phony software to remove it. Ironically, this software could be malware itself.
This social engineering attack aims to create a ‘pretext,’ an invented scenario, or elaborate story with the target by impersonating a familiar entity. This engagement increases trust between them and the attacker to the point where they can divulge the criminal’s desired content.
Although things like phishing and pretexting are a form of bait (albeit online), baiting often happens in the real world. This is an example of a social engineering attack that uses physical media like USB flash drives and CD-ROMs. These are placed in conspicuous public places with attractive labels. Here, passers-by snatch them up only for their devices to be infected with malware or trapped to reveal personal information.
A honeytrap (or honey trapping) is common on dating sites. Here, the criminal pretends to be an attractive person, befriending their target to the point of having a close interaction. They can exploit the victim through this relationship by extracting personal information, borrowing money, or doing other manipulative things.
Why do social engineering attacks happen?
The answer is simple. Cybercriminals can use brute force when seeking access to a site, computer system, or network. But, of course, there is often too much guesswork involved here, not to mention the enormous time and resource consumption.
So, the next best thing is using social engineering techniques that simplify hacking. Ultimately, cybercriminals understand that human nature is the weakest link in online security rather than the technology behind it.
Emotions of fear, anxiety, guilt, greed, and excitement can lead people to rushed actions. Attackers know and can exploit this with a bit of charm, intimidation, or persuasion.
How to prevent social engineering?
Here are some tips to follow so you can protect yourself from social engineering.
Never give up sensitive data
This is one of the first rules in social engineering security. If the need does arise, always authenticate the person or organization you’re dealing with to ensure they aren’t fraudulent.
Ensure employees do not repeat passwords
One bad habit that people practice is reusing passwords across more than one account. So, the solution is to implement the proper behavior by:
Updating passwords monthly or bi-monthly
Creating an uncrackable password
Keep all devices and endpoints secure
We live in the internet of things era where everything is interconnected, which is what endpoints are. So, it means that you must ensure security across each device. This is achieved by maintaining their visibility, having the latest software, and employing a zero-trust policy.
Don't share personal/business-related info online
In a business setting, it’s important to have strict non-disclosure agreements. Employees can unknowingly share confidential information online from a mere selfie on a social media site.
The point is that any business content shouldn’t be distributed on a channel where people can view or intercept it. However, in exceptional cases, Duckist can come to the rescue. The service uses encryption and self-destruction to protect the sharing of passwords and other confidential information.
Contact the company directly to check a request’s authenticity
Organizations get approached or requested by many companies regularly. For any interaction, make sure you check that you’re dealing with a legitimate business by contacting them directly.
Check before you click on the URL
Being wary of links is a reliable measure of preventing social engineering. A URL may seem innocent but turn out to be malicious. However, you can always verify the origin and legitimacy without clicking on anything.
Also, be vigilant for unsolicited emails that appear to come from a seemingly familiar institution like your bank or social media site.
Don’t download suspicious files
Whether the request comes via email or a website banner, never download anything you don’t know, or that looks fishy. You can always verify beforehand if the software is malicious or not.
Review your internal security policies
Security in an organization requires that it adheres to many guidelines. So, you need to include and review policies related to data retention, network safety, password creation, vendor management, remote access, incident response, etc.
Keep your antivirus updated
Even if you consider yourself pretty smart with computer usage, an antivirus program can prevent many types of malicious software you may not know.
Install firewalls and email filters
Although an antivirus program is necessary, email filters can block messages that may contain destructive software. Similarly, a firewall can help you from accessing unsecured or dangerous sites.
Ignore messages with offers and prizes
As the saying goes, if it sounds too good to be true, it probably is.
Always be mindful of risks
The last tip in learning to protect against social engineering is to triple-check any request, interaction, or anything else you may need to exchange information. This also involves awareness of any potential cracks in your entire data system.
You should keep your ears to any new developments on data breaches and upgrade your knowledge accordingly.
Social engineering takes seemingly ordinary scenarios into underhand deceit for malicious gain. Of course, technical wizardry is required on the part of the hacker. However, their ability to manipulate human emotion is as impactful.
However, you can protect yourself from social engineering attempts when you learn to spot the signs.