Social engineering is the art of manipulating others to gain access to their computer, IT systems, networks, or physical locations, typically for financial gain. It’s the art of bypassing an organization's security by exploiting the humans who work for that organization.

Because security technology can be highly effective at keeping attackers out, hackers typically begin an attack on an organization through its humans. Humans are easier to manipulate and will try to help someone they think is a colleague because it is socially acceptable to do so. Helpfulness is a good trait, but it can be bad for security.

Most of the time, social engineers pose as someone you are likely to trust, like a bank manager, a customer support agent, or a colleague from another department or branch. They persuade targets to drop their guard and reveal information that can help them access systems or data.

Physical Social Engineering Attacks

Social engineering attacks aren’t always conducted online, especially if you work in a secure facility or restricted offices where serious intellectual property is held. Watch for signs of the following.

Tailgating

One of the simplest ways to penetrate physical security is by following someone else in. We are socially conditioned to hold the door open for others if we are passing through it, and attackers use this to their advantage. It gets them into secure areas, especially if they look like they belong.

Pretexting

When an attacker uses pretexting against someone in a physical attack, it's done face-to-face. The attacker uses a false identity to trick someone into revealing sensitive or restricted information. A popular trick is to pretend to be an employee of the organization. If they have done their research, they can easily talk others into granting access to restricted information or areas.

If they sprinkle in a bit of confusion or urgency, they can fool people who would normally be much more cautious.

Baiting

These attacks use a physical object as bait, like a USB stick left for someone to find. It contains some sort of malware that activates when the stick is plugged into a computer.

Online Social Engineering Attacks

The vast majority of social engineering attacks are conducted online. By being aware of the threat and looking for telltale signs you can stop them dead in their tracks. Look out for:

Phishing

Most people are familiar with phishing emails, where an email claims to be from someone you trust. An attacker posing as a bank, government, or service provider tries to persuade you to enter login details, click on a URL, or download an attachment containing malware.

Spear Phishing

Spear phishing is similar to phishing but aimed at people in positions of authority, known as high-value targets. Attackers can spend a long time working out the best way to attack; for example, they hack into an assistant’s computer to gather information and then email the target asking for their passwords or login information.

Watering Hole

It is easy to be suspicious of those who approach you, but when you approach them, you are not as suspicious. This is the basis of a watering hole attack. The attackers gain control over an online resource you trust, like a website or login page, and wait for you to access it. Then, when you type in your credentials, they steal them or infect you with malware.

These are more complicated attacks because they actually involve two attacks: one on the trusted resource and another on you. Because they are more sophisticated in nature and rely on you coming to them, they are more likely to be successful and less likely to arouse suspicion.

Typosquatting

Typosquatting works because people do not pay as much attention as they should to URLs, especially when they look right at a glance. Typosquatting is when attackers register a domain that closely resembles a legitimate one, for example the URL of a large bank, but is spelled slightly differently.

Should you be fooled into visiting this site via an email that looks authentic, or accidentally type the URL wrong and end up there, the attacker will be waiting for you. With a fake website that looks like the real thing, they are prepared to harvest your credentials and steal your money or your access to the resource.

How to Protect Yourself Against Social Engineering Attacks 

By being aware and suspicious of anything that feels out of place, you can prevent yourself from becoming a victim of social engineering. Furthermore, you become a robust first line of defense for your organization. 

Always Think Before Clicking 

Social engineers like to use a sense of urgency to provoke action before the target can think. When you get an urgent message, think twice! Check the URL and the source of the email before clicking anything. Even better, verify that the alleged sender actually sent it with a quick call or text message to ask them. 

Check Your Sources

Be wary of unsolicited emails, and always check the sender's address domain and the domains behind any links to verify that they come from the right source. To go a step further, use a search engine to check that the person sending it to you is actually an employee of the organization they purport to be from. These are easy checks that help you avoid getting spoofed by a fake sender.
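The manual checks described under Typosquatting and here under Check Your Sources can be partly automated. The script below is an added example written for this article, not code from the original post or from Digital Hands. It parses a constructed phishing-style email, flags a sender or link domain that is a lookalike of an allowlisted domain (after normalising common character swaps such as "1" for "l" and measuring edit distance), and flags links whose visible text shows a different domain from the one they actually point to. The message, all addresses and domains, and the TRUSTED_DOMAINS allowlist are constructed for the example, and the registrable-domain extraction is deliberately simplified (last two labels) where production code would consult the Public Suffix List.

```python
"""Lookalike-domain and link checks for a suspicious email (constructed example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message: every address and domain here is made up.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1ebank.com>
To: employee@acme-corp.example
Subject: Urgent: verify your account within 24 hours

Your account has been locked. Sign in now at https://www.examplebank.com
to restore access: <a href="https://login.examp1ebank.com/verify">https://www.examplebank.com</a>
"""

# Assumption: an allowlist of domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com", "acme-corp.example"}

# Single-character swaps that read alike at a glance; undone before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def normalize(domain):
    """Fold common lookalike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # two-letter pairs that mimic one letter
    return d.translate(HOMOGLYPHS)


def registrable(host):
    """Crude registrable domain: the last two labels. Real code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a host or domain name.

    A small max_distance keeps false positives down; very short trusted domains
    would need a tighter threshold than the default used here.
    """
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    norm = normalize(reg)
    for t in sorted(trusted):
        if norm == normalize(t) or edit_distance(norm, normalize(t)) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for the sender and every link in the body."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender address domain.
    sender_match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if sender_match:
        verdict = classify_domain(sender_match.group(1), trusted)
        if verdict != "trusted":
            findings.append(f"sender domain {sender_match.group(1)}: {verdict}")

    body = msg.get_payload()

    # 2. Every URL in the body, whether bare text or inside an href.
    seen = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in seen:
            continue
        seen.add(host)
        verdict = classify_domain(host, trusted)
        if verdict != "trusted":
            findings.append(f"link target {host}: {verdict}")

    # 3. Anchors whose visible text shows one domain while the href goes somewhere else.
    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable(shown_host) != registrable(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

On the constructed message this reports three findings: the sender domain and the link target are lookalikes of examplebank.com, and the anchor text shows www.examplebank.com while the link points to login.examp1ebank.com. The same three checks are what a person does by hand when hovering over a link and reading the sender address carefully.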

Don’t Download Strange Files

If you do not know who sent it, did not expect to receive an email from that sender, or are unsure whether you should look at the file, it likely isn’t safe to open. Taking this stance by default is a great way to lower the risk of being caught out by an attachment carrying a malware payload.

You Haven’t Won a Prize

If it’s too good to be true, it probably is, especially if you do not remember entering a contest or competition. Unsolicited emails baiting you to open them with promises of money or a prize are almost certainly scams - don’t fall for them!

Ignore Requests for Credentials 

A credible source will never email you asking for personal information or your login credentials, doubly so when the request is completely unsolicited. If you get emails like this, they are almost certainly fraudulent.

Ignore Help Requests

Ignore any requests for help from someone who is allegedly tech support until you have verified the sender, and treat unsolicited offers of help from the same kind of sources the same way. Always check that the sender is legitimate before acting.

Adjust Your Spam Filter 

Modern email services have great spam filters to stop your email inbox from overflowing. Be sure to set your filters to high to keep potentially risky emails from arriving in your inbox. You should check your spam folder regularly to make sure that legitimate emails are not getting stuck in there.

Remember that social engineering attacks prey upon you as a human and your tendency to be unsuspicious of anyone at work. Trust your instinct and be aware; it’s only a matter of time before you are targeted by a social engineer who wants to attack your business.

Contact Digital Hands

Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your business get to grips with social engineering threats. We help you implement controls and technology to help stop cyberattacks dead in their tracks.

If you need a competent security services provider to ensure that you are making the right moves with your cybersecurity, get in touch with Digital Hands today at (855) 511-5114.
