Defending Against Social Engineering Attacks

In an era dominated by digital connectivity, protecting data from suspicious people is a difficult task, especially when cyber criminals implement social engineering; this has become a pervasive threat to businesses and individuals alike.

Knowing what social engineering is, its many forms and how to defend against its manipulative tactics is crucial for companies.

Read: The Best Practices Against Cyber Attacks

What Is Social Engineering?

Social engineering is a cyber attack that exploits human psychology and weaknesses to gain access to restricted systems or sensitive information, like login credentials or credit card details. Unlike traditional hacking methods that focus on exploiting technical vulnerabilities, social engineering targets human emotions and naivety.

Attackers use psychological tricks, deception and manipulation to convince victims to:

• divulge confidential information;
• click on malicious links;
• download suspicious attachments;
• send money or
• make security mistakes

Social engineering can also be the first step of many for a large-scale cyber attack. By getting some company information from a low-tier employee, the cyber criminal can then target a C-level executive and potentially hack into the system.

Types of Social Engineering

• Phishing: Phishing is the most common type of social engineering. It involves the social engineer sending fraudulent messages via email, text or phone calls and masquerading as a legitimate, trustworthy entity.
• Pretexting: Pretexting involves creating a fabricated but credible scenario that leaves little room for doubt to manipulate individuals into providing information or sending money. They might use accurate information about the victim, like their address and birthday, to “confirm” their “legitimate” identity. For example, the attacker could pose as the IRS and say the victim needs to send money or they will go to jail.
• Baiting: Baiting involves luring individuals with something appealing, like a “free” music or movie download or a huge discount that actually contains malware. This social engineering tactic abuses curiosity or greed to bait the victim. A common form of baiting uses physical media, like a USB drive. The attacker will leave it lying around, hoping someone will pick it up and insert it into their computer.
• Quid Pro Quo: In quid pro quo attacks, cyber criminals offer a desirable benefit or service in exchange for money or sensitive information. For example, they could pose as an IT technician and ask for your login credentials in exchange for IT assistance or technology improvements.
• Tailgating: Also known as piggybacking, this is a physical breach where an unauthorized person manipulates their way into a secure, protected building. The attacker impersonates someone like a delivery driver or custodian worker and then waits for an authorized person to open a door so they can gain physical access. They might pretend they have lost their access card or are dropping off a package.
• Diversion theft: This con targets a delivery driver or courier company to trick them into making a delivery somewhere other than the intended location; it diverts goods or information to the wrong person. This can also happen online when the thief tricks the victim into sending data to the wrong person, often by spoofing the email address.
• Scareware: Scareware, as the name implies, involves scaring the victim into taking action. It tells the victim that their computer has been infected with malware. The victim then tries to install “software” to remove the fake malware when the software actually grants remote access for the cyber criminal to hack into the system and install real malware. The social engineering tactic might also ask for payment via cryptocurrency like Bitcoin to remove the fake malware.
• Water-holing or watering hole: This social engineering technique takes advantage of regularly visited and trusted websites. It infects them with malware and hopes to compromise an entire group of people known for visiting the website; when someone logs into the site, the hacker can steal their login credentials to breach the network further.
• Honey trap: This is when the perpetrator pretends to be romantically interested in the victim and lures them into an online relationship. They then try to persuade the victim into revealing confidential information about themselves or sending them money.

How to Spot a Social Engineering Attack

Social engineering attacks have specific characteristics and traits, making them easier to identify. First, social engineering attacks often use the power of persuasion and a sense of urgency to get the victim to behave rashly before they have time to think about it. They use the fear of missing out, or FOMO, against the victim.

These attacks also involve heightened emotions like fear, excitement, curiosity, anger, greed, guilt or sadness. People are more likely to be irrational or take risks when they’re emotional; all it takes is a momentary lapse of judgment for someone to click on a link or download an attachment. That’s why taking advantage of human emotions is easier than hacking into a network and subverting all the technical obstacles.

Another important feature of a social engineering attack is that the social engineer attempts to come off as a trustworthy, legitimate entity, so the victim is more willing to do what they say. They will pose as government entities, banks, celebrities or the police, as well as co-workers, bosses, customers and vendors. For example, 43% of phishing attacks impersonate Microsoft.

When spotting a social engineering attack, look for spoofed URLs (goggle.com versus google.com), misspellings and bad grammar, poor image quality, old or incorrect logos, generic greetings and signatures and inconsistent formatting.

How to Defend Against Social Engineering

Social engineering attacks are a major threat to organizations, and they can be tricky to defend against since they rely on human emotions and not technology. Here are some human and technology tips on defending against social engineering attacks:

• Educate employees: With 95% of data breaches caused by human error, the first line of defense against social engineering is employees. Conduct regular training sessions to raise awareness about common tactics used by attackers. Train them to recognize the types and signs of social engineering and who to report suspicious activities to. Keep everyone informed and vigilant, and run engineering tests to see what areas of improvement are needed.
• Verify requests: Always verify requests for sensitive information or money, especially if they come from unexpected or suspicious entities. Contact the requester through known, legitimate channels to confirm if the request is real before divulging any information, because the alleged person who sent it might have been hacked and someone is impersonating them.
• Use MFA: Implement multi-factor authentication for an extra layer of security. This requires users to provide an additional form of authentication, so even if the login credentials are compromised, the hacker can’t log in.
• Install and update software: Install antivirus and antimalware software and regularly update it along with operating systems and firewalls. Attackers often exploit outdated software to gain access, so updates close security holes and limit unauthorized access. Turn on automatic updates if you don’t remember to manually update them.
• Think before you click: If an offer sounds too good to be true, it probably is. Never open email attachments or click on links from suspicious sources. If possible, manually type in the URL instead of clicking on a link.
• Clean up social media: Social engineers will scour the internet for personally identifiable information (PII) to use in their social engineering attacks. Avoid publishing PII, like your pet’s name, your hometown, your first school and other information, especially if they are answers to your security questions or part of your password.
• Regularly backup data: If you fall victim to a social engineering attack and lose crucial data, having backups can help restore your systems. Implement the 3-2-1 rule and air gapping
• Utilize strong passwords: Create strong, complex passwords for each account; don’t reuse passwords. Use a combination of upper and lowercase letters, numbers and symbols, and have a minimum of 19 characters. If you need help creating and managing passwords, use a password manager. Never share your passwords with anyone.
• Slow down: Social engineers want you to act rashly, so if you get a message that conveys a sense of urgency or has a high-pressure message, be skeptical and don’t let urgency influence your actions. Also, if you didn’t ask for help or sign up for a giveaway, any message claiming assistance or a prize is probably a scam.
• Limit access and rights: Limit local admin rights and access to sensitive data, resources and systems. Only give access to people who need it to complete their jobs.

Thriveon Against Social Engineering

At Thriveon, we know how important it is to protect your sensitive data and systems from social engineering attacks. We provide robust managed IT and cybersecurity services, and we offer a cybersecurity risk assessment so businesses can see how strong – or weak – their current security systems are. From there, we can align your company to 500 IT best practices and make recommendations to help strengthen its defenses.

Contact us today for more information.