How to Defend Against Social Engineering
We are repeatedly warned about the dangers of divulging sensitive information online, clicking unknown links and failing to watch for malicious software. These are all common, technology-based methods of committing fraud online.
But there is another tactic that cyber criminals like to use that doesn’t rely on technology or software. Rather than exploiting technological weakness, it preys on human weakness.
This is social engineering.
What is social engineering?
Social engineering is an underhand technique in which victims are tricked or manipulated into sharing sensitive information, details or data about themselves or their employer. It works by abusing trust and basic human psychology rather than any technical flaw.
From there, criminal gangs can use that information to steal the victim’s identity or money for their own financial gain.
The worrying thing about social engineering is that you can have every technological safeguard in place, such as firewalls and security software, and an attacker can still get past them if you are not aware of the technique or how to deal with it. The target is the person, not the software.
How does social engineering work?
Social engineering is based around human psychology and exploiting human behaviors to make money illegally. The human interaction aspect is key to social engineering versus other types of cyber fraud.
Once a social engineer has gained someone’s trust, that person may willingly hand over whatever passwords or information are requested.
For example, a social engineer might call an employee claiming to be an IT support team member and convince the employee to give them their company passwords. The criminal can then access sensitive company information and make money from it.
Real examples of social engineering
Perhaps you’re still skeptical. Surely no one could be tricked into simply handing over sensitive information like that?
There are many real-world and well-known examples all around us which prove it can happen to anyone.
Toyota’s $37 million loss
In 2019 Toyota Boshoku, a parts maker in the Toyota group, famously lost around $37 million to a business email compromise (BEC) scam. The attackers posed as a business partner of the car manufacturer and convinced employees to wire the money to an account they controlled.
Shark Tank bookkeeper tricked into “home renovation project”
Barbara Corcoran from Shark Tank has also revealed how she nearly lost almost $400k when cybercriminals convinced her bookkeeper to send them money for a ‘home renovation’ project. The criminals had clearly done their homework: writing from an address that imitated Corcoran’s assistant, they kept up a back-and-forth email exchange with the bookkeeper and, through careful research, persuaded her to make the transfer. Luckily the money was recovered, but the example shows how difficult it is to protect against human manipulation.
Yahoo’s worldwide data breach
Tech companies can also be hit. In 2014 a Yahoo employee fell for a spear-phishing email whose link let malware into the Yahoo network, and from that foothold the attackers worked their way to the user database. That intrusion exposed roughly 500 million accounts; together with a separate 2013 breach disclosed later, Yahoo’s breaches affected all 3 billion of its accounts, making them among the largest data breaches of our time, and the chain started with one click.
Democratic Convention phishing scam
Politics can be hit by social engineering too, as the now famous 2016 hacks of the Democratic National Committee and Hillary Clinton’s campaign showed. The best-known entry point was a single phishing email to campaign chairman John Podesta, dressed up as a Google security alert about protecting his password. Clicking the seemingly harmless link gave the attackers access to his mailbox, and tens of thousands of emails were then leaked onto a number of websites.
What are the different types of social engineering?
Now that we know what social engineering is, let’s look at the different types out there.
1. Baiting
Baiting is a social engineering attack that manipulates people's curiosity and sense of opportunity by offering the victim something they want. Online, this can look like a free song from your favorite artist with a malicious link hidden inside.
Offline, criminals leave flash drives lying where they know people will find them, such as a bathroom or stairwell in a hotel. Curiosity does the rest: the unsuspecting victim plugs the ‘lost’ flash drive in and malware is deposited on their computer.
2. Scareware
Using human fear as the tool, social engineers ‘scare’ victims into purchasing a fake product or service. A popular example is the scam that frightens people into buying fake antivirus software. That software is itself malware and can give the attacker access to sensitive information on the victim’s computer.
3. Pretexting
This social engineering attack takes advantage of trust. A criminal invents a plausible story and pretends to be someone in a trusted position to gain access to sensitive information or data. For example, someone pretending to be the head of a department may call an employee and convince them to disclose passwords for the network.
4. Phishing
Phishing is one of the most common forms of social engineering attack. Criminals send emails that look as if they come from trusted sources; when an unsuspecting employee or recipient opens the attachment or clicks the link, the email can install malware or lead to a fake login page that steals credentials.
5. Spear Phishing
Spear phishing is like phishing but targeted against certain companies or individuals where research is done beforehand so as to make the attack seem more believable and credible.
6. Tailgating
Tailgating is where an unauthorized person gains physical entry by using an authorized person to do so. For example, someone might get into a building by following an employee through the door while claiming to have forgotten their security pass. Personal contact with the authorized user lets them bypass the control and ‘tailgate’ into the place they want to be.
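The email techniques above, and the business email compromise cases earlier in the article, all hinge on a sender that merely looks trusted. The following is an added example, not code from the original article or from Clario, showing the kind of header checks a mail gateway or an analyst can run on a suspicious message: a lookalike sender domain, a display name that borrows a partner’s name, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC results and pressure language in the subject. The two sample messages and the list of trusted partner domains are constructed for illustration.

```python
"""Heuristic checks for the sender tricks behind phishing and BEC mail.

Added example, not code from the original article. Sample messages and
the TRUSTED_DOMAINS list are constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: domains this organisation treats as known business partners.
TRUSTED_DOMAINS = {"example.com", "bigsupplier.example"}
# Words that push the reader to act before thinking.
URGENCY_KEYWORDS = ("urgent", "wire", "bank details", "new account")

# Constructed BEC-style message: lookalike domain (i -> 1), borrowed display
# name, Reply-To pointing elsewhere, failing SPF/DMARC, urgent payment change.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bigsuppl1er.example; dkim=none; dmarc=fail
From: "Accounts Payable - Big Supplier" <ap@bigsuppl1er.example>
Reply-To: ap.bigsupplier@freemail.example
To: treasury@example.com
Subject: URGENT: updated bank details for invoice 4471

Please wire this week's payment to our new account.
"""

# Constructed legitimate message from the real partner domain.
CLEAN_EML = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bigsupplier.example; dkim=pass header.d=bigsupplier.example; dmarc=pass
From: "Accounts Payable - Big Supplier" <ap@bigsupplier.example>
To: treasury@example.com
Subject: Invoice 4471 attached

Thanks for your order.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Reduce 'spf=fail smtp.mailfrom=...; dkim=none; ...' to {'spf': 'fail', ...}."""
    results = {}
    for part in str(msg.get("Authentication-Results", "")).split(";"):
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            key, value = tokens[0].split("=", 1)
            results[key.lower()] = value.lower()
    return results


def analyse(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    dom = domain_of(addr)
    if dom not in TRUSTED_DOMAINS:
        compact_name = name.lower().replace(" ", "")
        for trusted in sorted(TRUSTED_DOMAINS):
            # A domain one or two edits from a partner's is the classic BEC trick.
            if edit_distance(dom, trusted) <= 2:
                findings.append(f"lookalike sender domain {dom} resembles trusted {trusted}")
            # Display name carries the partner's name while the address does not.
            if trusted.split(".")[0] in compact_name:
                findings.append(f"display name {name!r} borrows {trusted} but address is {addr}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != dom:
        findings.append(f"Reply-To {reply} diverts replies away from {dom}")

    for check, result in auth_results(msg).items():
        if check in ("spf", "dkim", "dmarc") and result in ("fail", "softfail"):
            findings.append(f"{check} failed for {dom}")

    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_KEYWORDS):
        findings.append(f"pressure language in subject: {subject!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, analyse(raw) or ["no findings"])
```

None of these checks is proof of fraud on its own: a partner may legitimately use a different Reply-To, and SPF can fail on forwarded mail. Their value is in combination, and in feeding a human decision: any message asking to change payment details should be confirmed by phone on a number you already hold, whatever the headers say.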
How to avoid a social engineering attack
There are many ways to avoid a social engineering attack. Social engineering attacks rely on people's behaviors and habits. So by being aware and taking precautions, social engineering attacks can be avoided.
- Trusted senders
Whether you are a company or an individual, the message is the same: do not open attachments or click links in emails unless you have verified who sent them. Bear in mind that the display name, and even the address, can be forged or made to look like a known contact’s, so check the actual sender domain rather than the name shown, and for anything involving money or credentials confirm the request through a separate channel such as a phone number you already hold.
- Avoid tempting offers
If it sounds too good to be true, the likelihood is that it is. If someone offers an outlandish offer or reward, stop and think. Does this offer make sense? Might there be malicious intent behind it?
- Penetration testing
For businesses, a penetration test simulates real cyberattacks against your network and your people to expose security weaknesses before a criminal finds them. These tests can include sending simulated phishing emails to employees, which shows not only who clicks but also who reports the message.
- Multi-factor authentication
Requiring a second piece of evidence before granting access to systems and data makes it harder for criminals to get in. A social engineering attack typically captures only one factor, usually the password, so multi-factor authentication (MFA, or 2FA) is a great tool against it. Be aware that one-time codes can themselves be phished or relayed in real time, so prefer phishing-resistant factors such as FIDO2 security keys or passkeys where you can, and never read a code to anyone who calls asking for it.
- Antivirus software
It seems obvious, but keeping antivirus software up to date is easily overlooked. Antivirus will not stop someone being talked into a wire transfer, but it is one of the first barriers against the malware that phishing and baiting attacks deliver, so make sure updates have been applied.
- Password security
Whether a business or an individual, never reveal your password to anyone. Legitimate organizations, including your own IT support team, will never ask you for your password over the phone or by email.
- Security awareness training
Often, good cyber security training and an awareness of the risks is your number one defense against social engineering. By making employees aware of the risks and of the ways criminals may approach them, you build an awareness that can be the difference between a security breach and a near miss.
- Door security
Tailgating can be addressed by a zero-tolerance policy at doors and entrance points. Never let someone into your building or work premises without verified credentials, however plausible their story or however full their hands.
- Software solution
Sometimes we just can’t stop these attacks. So having a software solution like Clario can detect and remove malicious programs that have accessed your data.
Protect your identity online and guard against social engineering by learning more about Clario’s Identity Theft Protection and ensuring you have peace of mind when it comes to social engineering.