Social engineering attacks to defeat security have been around for millennia. After all, the name “Trojan virus” comes from the most famous social engineering attack of all – a bunch of Greeks hiding inside of the Trojan Horse to finally end the siege of Troy.
When in place and actively updated and patched, security software does a great job of protecting a business's information.
What it can't do is prevent you or your employees from clicking a link or downloading a file they shouldn't, or from holding the door for the “delivery driver” with his hands full.
Hackers are increasingly turning to social engineering: manipulation techniques that exploit how our brains work to trick users into letting them in.
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.
What are the common types of social engineering attacks?
Phishing is still the most common type of attack because it continues to work. Using email, social media, and instant messaging, cybercriminals attempt to trick you into visiting a malicious URL or into providing sensitive information such as your password or banking details (yes, people really do click on those “Nigerian Prince” emails).
“There's a problem” or “we need to resolve an issue before it gets worse” are two common pretexts used to pressure you into sharing your sensitive information.
A shortened URL or an embedded link can redirect you to a site hosting exploit code. The link text you see may look legitimate – hover over the link to see whether the actual destination matches.
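As an added example (not code from the original article), the following Python script does what the hover test does by hand: it parses an HTML email body and flags links whose visible text shows one domain while the real href points somewhere else. The sample email body, the domain names and the two-label "registrable domain" heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (assumption: not taken from the article).
SAMPLE_EMAIL_HTML = """
<p>There's a problem with your account. Please verify it now.</p>
<a href="http://login.example-bank.com.evil.test/verify">https://www.example-bank.com/secure</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="https://bit.ly/abc123">https://bit.ly/abc123</a>
"""
# Visible anchor text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain;
    # production code would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (visible text, real href) pairs where the text shows one
    domain but the link actually points at another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain words such as "Help centre" give nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            flagged.append((text, href))
    return flagged
```

Note that the bit.ly link passes this check: a shortener hides the final destination entirely, so a mismatch test cannot judge it and the link still needs to be expanded before trusting it.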
Email accounts are often compromised. We've all gotten emails or calls from friends to “not click an email from me about X” because they've been hacked. Phishing emails try to look like they come from a trusted source – going so far as to use logos, images, styles, and text to make the phishing email look like the real thing.
Fake charity emails prey on the kindness of strangers to funnel money directly to the criminal – be wary of emails soliciting donations around well-known national or international disasters. If you want to donate, organizations such as the Red Cross encourage you to donate directly on their website.
There are phishing attacks purporting to be from a law firm and claiming you have a court notice to appear. IRS refund ransomware takes advantage of last-minute filers waiting on pins and needles for word of their refund.
Pretexting involves faking the identity of someone known to the victim in such a way as to obtain information. Hackers can impersonate external IT services personnel and ask internal staff for information that would allow them to access the system.
Download the latest movie, hottest song, or get that well-deserved massage you've been needing – all you need to do is click. Baiting involves putting something folks want into the trap – if you think of cheese or peanut butter in a mousetrap, the idea is exactly the same.
Years ago, a security company testing the security of a client spread USB sticks in the parking lot. Curious employees inserted the USB sticks, and the software on the sticks recorded log-in information that would have allowed a real criminal to penetrate the company's security infrastructure.
Delivery drivers are ubiquitous, which makes tailgating easy: someone impersonates a delivery driver and waits for someone to open a door – timing their arrival just in time to ask for the door to be held open. Once inside with your security measures bypassed, the attacker can cause all sorts of mayhem for your IT infrastructure.
Never download anything from someone you don't know – and double check if you receive a download from someone you do know if you weren't expecting anything from them.
Don't call a phone number from a dubious email. Let's say you've received an email that claims to be from your bank detailing a problem with your account and asking for your log-in details. Firstly, banks won't ask you for those details via email. Secondly, don't call the number in the email as it's easy for the cybercriminal to pretend to be your bank. Look up the number on their website and call them directly to confirm that there is – or isn't – an issue with your account.
Assume any unsolicited foreign offer is fake.
Turn on your spam filters and set them to high. Check your spam folder once or twice a week for legitimate email caught by the filter.
Train Your Users
First, find out what they know – not to make fun of them but so that you know where to start. Share what a phishing email looks like. Keep them informed in small bites, rather than a single, overwhelming session that's never mentioned again.
Mo is the resident IT go-to lady at AIS. She has traveled the world, run a marathon, is a self-proclaimed crossword champion, and can do ventriloquism. She has an uncanny memory... down to the detail. She has completed 4 half marathons and hates running. In her free time, she likes to spend time with her 7 siblings and 20 nieces and nephews.