How to Defend Against Social Engineering

We are repeatedly warned about the dangers of divulging sensitive information online, clicking on unknown links and watching for malicious software. These are all common, technology-based methods of committing fraud online.

But there is another tactic that cyber criminals like to use that doesn’t rely on technology or software. Rather than exploiting technical weaknesses, it preys on human weakness.

This is social engineering.

What is social engineering?

Social engineering is an underhand technique in which victims are tricked or manipulated into sharing sensitive information or data about themselves or their employer. It typically relies on trust and psychological pressure rather than on any technical exploit.

From there, criminal gangs can use this information to steal their victim’s identity for their own financial gain.

 

The worrying thing about social engineering is that you can have every technical safeguard in place, such as firewalls and security software, and it can still get past your defenses if you aren’t aware of it or how to deal with it.

How does social engineering work?

Social engineering is based on human psychology: it exploits human behavior to make money illegally. The human interaction is what sets social engineering apart from other types of cyber fraud.

Once a social engineer has gained someone’s trust, that person may be happy to hand over whatever passwords or information are requested.

For example, a social engineer might call an employee claiming to be a member of the IT support team and convince the employee to give them their company passwords. The criminal can then access sensitive company information and profit from it.

Real examples of social engineering

Perhaps you’re still skeptical. Surely no one could be tricked into simply handing over sensitive information like that?

There are many real-world and well-known examples all around us which prove it can happen to anyone.

Toyota’s $37 million loss

In 2019 Toyota famously lost $37 million through a business email compromise scam. The attackers posed as a large supplier of the car manufacturer and convinced Toyota employees to wire money to them.

Shark Tank bookkeeper tricked into “home renovation project”

Barbara Corcoran from Shark Tank has also revealed how she nearly lost $400k when cybercriminals convinced her bookkeeper to send them money for a ‘home renovation’ project. The criminals had clearly done their homework: they engaged in a back-and-forth email exchange with the assistant and, through thorough research, were able to convince her to make the transfer. Luckily the money was recovered, but the example shows how difficult it is to protect against human manipulation.

Yahoo’s worldwide data breach

Tech companies can also be hit. In 2014 a Yahoo employee fell for a social engineering scam that led to the exposure of over 3 billion users worldwide in one of the largest data breaches of our time. This one employee clicked on a socially engineered email link that allowed malware into the Yahoo network, and from there the historic breach followed.

Democratic Convention phishing scam

Politics can be hit by social engineering too, as the now-famous 2016 hack of the Democratic Convention emails shows. This is again attributed to a single phishing email: an employee clicked on a seemingly harmless link about protecting their Google password. This gave the hackers access to over 150,000 emails, which were then leaked onto a number of websites.

What are the different types of social engineering?

Now that we know what social engineering is, let’s look at the different types out there.

1. Baiting

Baiting is a social engineering attack that manipulates people's curiosity and sense of opportunity by offering the victim something they want. Online, this can look like a free song from your favorite artist with a malicious link hidden inside.

Offline, criminals leave flash drives lying where they know people will find them – maybe a bathroom or a stairwell in a hotel. Curiosity does the rest: the unsuspecting victim plugs in the ‘lost’ flash drive and malware is installed on their computer.

2. Scareware

Using human fear as the tool, social engineers ‘scare’ victims into purchasing a fake product or service. For example, a popular scam scares people into buying fake antivirus software. That software can itself be malware that gains access to sensitive information on the victim’s computer.

3. Pretexting

This social engineering attack takes advantage of trust. A criminal pretends to be someone in a trusted position in order to gain access to sensitive information or data. For example, someone pretending to be the head of a department may call an employee and convince them to disclose passwords for the network.

4. Phishing

Phishing is one of the most common forms of social engineering attack. Criminals send emails that look as if they come from trusted sources. When opened or clicked by unsuspecting employees or recipients, the emails can deliver malware that steals information.

5. Spear Phishing

Spear phishing is like phishing but targeted at particular companies or individuals, with research done beforehand to make the attack seem more believable and credible.

6. Tailgating

Tailgating is where an unauthorized person gains entry by following an authorized user. For example, someone might get into a building by following someone else in, claiming they forgot their security pass. They bypass security through personal contact with an authorized user and ‘tailgate’ them into the area they want.

How to avoid a social engineering attack

There are many ways to avoid a social engineering attack. Social engineering attacks rely on people's behaviors and habits, so by being aware and taking precautions you can avoid them.

  • Trusted senders
    Whether you are a company or an individual, the message is the same – do not open emails unless they are from trusted senders. And never click on a link in an email without knowing where the email came from and that it is a safe sender.
     
  • Avoid tempting offers
    If it sounds too good to be true, the likelihood is that it is. If someone offers an outlandish offer or reward, stop and think. Does this offer make sense? Might there be malicious intent behind it?
     
  • Penetration testing
    Useful for businesses, these tests perform simulated cyberattacks on your network and company to expose security vulnerabilities. They can also include sending simulated phishing emails to employees.
     
  • Multi-factor authentication
    Requiring two pieces of evidence to access authorized systems and data makes it harder for criminals to gain access. Social engineering attacks tend to obtain just one piece of this evidence, which makes multi-factor authentication, or 2FA, a great tool against them.
     
  • Antivirus software
    It seems obvious, but keeping antivirus software up to date can be overlooked. As one of the first lines of defense against social engineering, it’s important to make sure updates have been applied.
     
  • Password security
    Whether a business or an individual, never reveal your password to anyone. Legitimate organizations will never ask you for your passwords over the phone or by email.
     
  • Awareness
    Often, good cyber security training and an awareness of the risks can be your number one defense against social engineering. Making employees aware of the risks and of how criminals may approach them builds an awareness that can be the difference between a breach happening or not.
     
  • Door security
    Tailgating can be addressed by a zero-tolerance policy at doors and entrance points. Never let someone into your building or work premises without verified credentials.
     
  • Software solution
    Sometimes we just can’t stop these attacks, so it helps to have a software solution like Clario that can detect and remove malicious programs that have accessed your data.
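The “trusted senders” advice above (check where an email really came from and where its links really go before clicking) can be turned into a simple automated check. The script below is an added example written for this article; it is not Clario’s software and not code from the original post. It parses a constructed sample email and flags three classic phishing tells: a sender domain outside an assumed list of known suppliers, a Reply-To address on a different domain from the sender, and a link whose visible text names one site while its target points to another. The email, the domains and the TRUSTED_DOMAINS list are all made up for the example.

```python
"""Added example: simple phishing-indicator checks on a raw email.

Illustrative code written for this article, not Clario's software. The
message below is constructed; the sender, domains and links are made up.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims a known supplier, but the real
# address and the Reply-To point elsewhere, and the link text hides its target.
SAMPLE_EMAIL = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies-billing.example>
Reply-To: payments@mail-forward.example
To: finance@example.org
Subject: Updated bank details for invoice 4471
Content-Type: text/html; charset=utf-8

<p>Please update our bank details before paying invoice 4471.</p>
<p>Confirm here: <a href="http://login-verify.example/acme">https://acme-supplies.example/portal</a></p>
"""

# Assumed allow-list of domains this organisation knows to be genuine senders.
TRUSTED_DOMAINS = {"acme-supplies.example"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _domain_of_address(addr):
    """Lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _domain_of_url(text):
    """Lower-cased hostname if the text parses as a URL, else ''."""
    host = urlparse(text.strip()).hostname
    return host.lower() if host else ""


def phishing_indicators(raw_email):
    """Return a list of human-readable warnings for the given raw email text."""
    msg = message_from_string(raw_email, policy=policy.default)
    warnings = []

    # 1. Is the real sender address (not the display name) on a trusted domain?
    sender = msg["From"]
    sender_domain = ""
    if sender is not None and sender.addresses:
        sender_domain = _domain_of_address(sender.addresses[0].addr_spec)
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not a trusted sender")

    # 2. Do replies silently go somewhere other than the sender's domain?
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = _domain_of_address(reply_to.addresses[0].addr_spec)
        if reply_domain != sender_domain:
            warnings.append(
                f"Reply-To domain {reply_domain!r} differs from sender domain {sender_domain!r}"
            )

    # 3. Does any link show one site in its text but point to another?
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = _domain_of_url(text), _domain_of_url(href)
            if shown and real and shown != real:
                warnings.append(f"link text shows {shown!r} but points to {real!r}")

    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Running it on the sample produces three warnings, one for each tell. The checks deliberately look at the machine-readable parts of the message (the address in angle brackets, the Reply-To header, the href attribute) rather than the display name or the link text, because those are exactly the parts a social engineer dresses up to look trustworthy.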

 

Protect your identity online and guard against social engineering by learning more about Clario’s Identity Theft Protection and ensuring you have peace of mind when it comes to social engineering.
