How to Protect Yourself from Social Engineering?

Cyberlutions Team • June 24, 2025


When discussing cybersecurity, most people believe that it means defending your system, network, or devices from hackers who use sophisticated technology to target their victims.


Keeping this concept in mind, a significant number of businesses and organisations have invested large amounts to implement advanced cybersecurity measures in order to reduce cyber threats.


While these advanced measures have proved to be very efficient at keeping hackers at bay, one element of weakness still remains: the human.


Cyber attackers have started taking advantage of this weakness to bypass security and initiate attacks. Nowadays, social engineering attacks have become a powerful tool for cyber criminals, as 98% of cyber-attacks rely on social engineering techniques.


Therefore, it becomes crucial to gain knowledge about social engineering if we want to protect ourselves from these attacks.


So, why wait?


Let’s get into it.

What Is Social Engineering?

Social engineering is the deliberate, malicious manipulation of people into revealing their confidential information or providing access to it.


Criminals prefer social engineering techniques because they rely on human trust, which is easier to exploit than breaking into a computer.



The type of information social engineers seek varies. Generally, they lead victims into making security mistakes that expose their passwords, financial information, personally identifiable information, or login credentials.

Common Types of Social Engineering Attacks

Social engineering attacks can be performed anywhere human interaction is involved.


However, different types are broadly classified depending on the attacker’s chosen method to manipulate or deceive the victim.



Some common types of social engineering attacks are:

Phishing

Phishing is one of the most common forms of social engineering.


It involves the attacker sending emails or text messages that appear to come from a trusted source. These messages are aimed at tricking individuals into sharing personal information or installing malware.



A well-known example of phishing is an email that appears to come from your bank, asks you to confirm sensitive information, and directs you to a fake site that collects your data.

Whaling

Phishing tends to target non-specific individuals, while whaling is directed at the “whales” of a company.


The term “whales” refers to the high status of the targeted individuals (such as CEOs or others in senior managerial roles) who have access to personal and financial information.



For this reason, whaling is also referred to as CEO fraud or executive phishing.

Spear Phishing

Like whaling, spear phishing is a targeted form of phishing, but it usually goes after individuals with a lower profile.



In spear phishing, attackers send an email that seems to come from a higher-level executive, asking for confidential information or login credentials, or providing a download link for “recommended” software.

Baiting

Baiting, also known as a road apple, involves creating a trap that manipulates the victim into infecting their own system.


The attack is performed by leaving unsecured external hardware, such as a USB stick or hard drive loaded with malware, around a public place or workspace. When a curious victim plugs the infected drive into their system to see what is inside, it acts like a trojan horse and compromises the system.



Baiting can also happen online, where cybercriminals use attractive advertisements as doors to websites that contain malware. Advertised offers that seem too good to be true are often bait placed by cybercriminals.

Pretexting

In this type of social engineering attack, attackers use a pretext, an elaborate fabricated story, to engage with the target and psychologically manipulate them into sharing confidential information.


Initially, the attackers impersonate someone with authority or credibility and ask for certain details, supposedly to confirm your identity, which they then use to carry out further social engineering attacks.


In many cases, pretexting involves interacting with people in person to convince them that the attacker really is who they claim to be.



For instance, someone with a clipboard and pen comes up to you, says they are carrying out a security audit, and wants to confirm certain details about you. They may not be who they claim to be and may simply intend to steal personal information as the first phase of a future attack.

Quid Pro Quo

Quid pro quo means “something in return for something.”


In the context of cybersecurity, it is an attack where the attacker offers you a benefit or a service in exchange for your personal information or access to your system.



For instance, an attacker could offer you discount coupons for a popular store if you fill out a form with your personal or financial information. That information can later be used to steal money or confidential data, or to take complete control of your accounts.

Tailgating

Tailgating is a type of social engineering attack in which an unauthorised person follows closely behind an authorised person to gain physical access to a secure or restricted area.


While following, attackers often pretend to be an employee or a member of the cleaning crew and enter the building, data centre, or rooms with limited access to steal sensitive information, damage intellectual property, or install malware.



Hackers can also use tailgating in cyberspace by getting hold of an employee’s laptop and using their login credentials to access sensitive information.

Scareware

Scareware uses fear and the victim’s lack of technical knowledge to trick them into taking a desired action, such as clicking a link, downloading malware, or logging into their accounts.


For example, you are browsing the internet and a pop-up message appears on your screen with flashing red alerts.


The message claims to come from an anti-virus program and reads:

“Warning! A virus is detected in your system. Click here to download our advanced anti-virus software to deeply scan your device and remove the virus.”



That software, instead of fixing the problem, may actually install malware on your system.

Honey Trap

A honey trap is a type of social engineering attack in which the attacker uses an attractive person to create a fake romantic or sexual relationship with the target in order to extract information from them.


Later on, they use this relationship to seduce and manipulate the target into revealing sensitive information, lending money, or granting access to restricted areas.



The honey trap is a common spying tactic used by intelligence agencies around the world to extract information from people in power.

How to Protect Yourself from Social Engineering?

Social engineering attacks are specifically designed to manipulate human traits like the desire to help friends, curiosity, and respect for authority.


For this reason, these attacks are usually difficult to counter.


But being aware of anything that does not feel normal — or feels too good to be true — can protect you from social engineering to a great extent.



Here are some tips you can follow to protect yourself from social engineering attacks.

Get Educated

The more familiar you are with social engineering attacks, the less likely you are to become a victim of them.


Therefore, stay updated about the latest social engineering tactics.



If you run an organisation, carry out security awareness training for your employees on a regular basis so that they can identify and respond to these threats.

Verify the Source

Whenever you receive an email or text message asking for sensitive information or asking you to download specific software, don’t trust it blindly. Instead, take a moment to consider where this USB drive, phone call, or text message came from.


  • Look at the email header and check it against previous legitimate emails from the same sender.
  • If the email asks you to download software or update information, check where the link is really taking you by hovering the cursor over it before clicking.
  • Check for spelling mistakes and grammatical errors; trusted organisations have qualified customer service staff, so there is very little chance of such errors.
  • If you receive a call from a friend or trusted colleague asking for money or information, confirm the phone number, and if you’ve received a text, call them first before sending any money.


All these points help you protect yourself from social engineering attacks.

Check for SSL Certification

Before entering any personal or financial information on an unfamiliar site, always verify its SSL certificate.


Look at whether the website’s URL starts with https:// or http://: https:// indicates an encrypted connection to the site, while http:// offers no secure connection at all.



Another way to check for an SSL certificate is to look for a padlock icon next to the URL, which means the connection between the website and your device is encrypted. Keep in mind that encryption only protects the traffic in transit; a fake site can also use https://, so this check complements verifying the address itself rather than replacing it.
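As an added example (not code from the original article), here are the email checks from the “Verify the Source” list and the https:// check from this section expressed as a small detection script: it parses one message, compares the sender and Reply-To domains against a caller-supplied set of trusted domains, and inspects each link the way hovering over it would. The message, addresses and `.invalid` domains are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name claims to be a bank, but the
# sender, Reply-To and link target point elsewhere, and the visible link text disagrees with the href.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.invalid>
Reply-To: verify@mail-updates.invalid
Content-Type: text/html

<p>Please visit <a href="http://examp1e-bank-login.invalid/confirm">https://www.examplebank.invalid/secure</a> to confirm your details.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs, i.e. what hovering over a link would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
            self._href = None  # the first text chunk of the anchor is enough for this check

def domain_of(header_value):  # lower-cased domain of the address in a From/Reply-To header ('' if absent)
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def phishing_indicators(raw_message, trusted_domains):
    """Apply the 'verify the source' checks to one message and return a list of findings."""
    msg, findings = message_from_string(raw_message), []
    sender = domain_of(msg.get("From", ""))
    if sender not in trusted_domains:
        findings.append(f"sender domain {sender!r} is not a known domain for this sender")
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to!r} differs from sender domain {sender!r}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"link {href!r} uses plain http:// rather than https://")
        if "." in text:  # the visible text looks like an address: compare it with the real target
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown != target.hostname:
                findings.append(f"visible link text {text!r} does not match real target {target.hostname!r}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL, {"examplebank.invalid"})` reports all four problems with the sample, while a message from the trusted domain with an honest https:// link produces no findings.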

Use Anti-Spam Filters

Email services usually have built-in spam filters that categorise emails automatically and prevent your inbox from overflowing.


But if your email program isn’t filtering out enough spam, you can also use a third-party filtering tool that closes the door on cybercriminals.



These spam filter tools inspect attachments, links, and message content, drawing on various kinds of information to decide which emails are spam, and so protect you from social engineering attacks.

Multi-Factor Authentication

Using strong passwords for all of your social media and other accounts is a very good idea. A strong password does improve security, but passwords alone are inadequate: they can be guessed, stolen, or bypassed, giving someone access to your system.


Therefore, it is better not to rely solely on passwords.


Instead, use multi-factor authentication, which adds an extra layer of security to your accounts by requiring multiple forms of identification such as biometrics, a one-time password (OTP), or security questions.



This extra layer of protection makes it harder for attackers to gain unauthorised access to your system even if they have your login credentials.

Pay Attention to Digital Footprints

Pay attention to your digital footprints and limit the sharing of personal information on social media and other online forums. Social engineers often track these details to gather information about you.


Banks and other organisations may use the name of your first pet or primary school as a security question, so pay attention to whether you have shared this information online.


Moreover, your social media accounts on Facebook or Instagram might show your date of birth, home address, or email address, all of which are useful to social engineers.



Therefore, to protect yourself from social engineering attacks, change your social media privacy settings to “Friends Only” or “Private”.

Penetration Testing

Penetration testing is one of the most effective approaches to protecting yourself against social engineering attacks.


Run a social engineering test, or simulated social engineering attack, to expose vulnerabilities in your organisation’s security so you can take specific action before a real threat occurs.


Penetration testing is specific enough to identify which systems or employees need attention and which types of social engineering attack you are most prone to.


That’s all for today.



That said, let’s move forward and have a quick summary of what we’ve discussed so far.

Summary!

While technological advancements have strengthened cybersecurity measures, there is an important element of human emotion that remains weak and is exploited by cybercriminals through social engineering.


To protect yourself, first of all, you need to understand the most common forms of social engineering attack, such as phishing, baiting, and others. When you understand how these different types of attack work, you can prepare and protect yourself against them.


For preventive measures, verify the source of every email, call, or text message; check for an SSL certificate; and enable multi-factor authentication.


Awareness and proactive measures are the key to defending against manipulative tactics of social engineering.



Stay Happy, Stay Safe!
