If you work in IT or cyber security, chances are you’re familiar with what social engineering is and the threat it poses. Even if not, you may have heard the whispers starting to circulate that social engineering is the growing cyber threat on the horizon.
Social engineering attacks are now on the rise. Move over, ransomware: there’s a new bad boy in town. Today we’ll cover what social engineering is, give examples of social engineering, and run through ten methods you can implement to protect yourself from social engineering attacks.
But, first things first:
What is Social Engineering?
Social engineering is the act of manipulating people into giving up confidential data. Social engineering attackers aim to take advantage of human nature in order to access private information.
What does this mean? Social engineers will pose as a person of trust―such as a friend, relative, or coworker. They’ll appeal to the target’s natural tendency to help a friend or family member in need, aiming to elicit an emotional reaction. They want to put the victim in a position where they act now and think later. Then they use that position to trick their victim into opening an email, clicking a link, or accepting a download, and that download infects the computer. We’ll provide some examples of social engineering below.
It’s easier to exploit our instinct to trust than it is for attackers to try to hack into a system. If they can fool you into giving away your credentials, it’s an easy pay day for them with less effort. You can see the appeal for these individuals. A regular hacker will often look for software vulnerabilities and cyber security gaps. A social engineer, on the other hand, uses deceit to get an employee to divulge login credentials―they may do this by posing as a tech-support worker, for example.
Social engineering itself is not necessarily a new concept, but techniques have become more sophisticated and personalised. They’re also becoming more common for small-to-medium businesses to encounter. We’ve all received a dodgy email from a known contact, but they’ve always been very easy to identify. You don’t expect to receive “CLICK HERE FOR XXX” from grandma Jean in your inbox, right? So the attacks were easy to avoid. But they’re less obvious now and utilise psychological manipulation to target unsuspecting victims.
How so? Read on…
Examples of Social Engineering
Let’s take a look at some examples of social engineering, meaning we’ll also explain how a social engineering attack may present. Understanding what social engineering attacks may look like will help you to recognise and identify such attacks at a glance. As a result, you’re less likely to fall victim to an attack.
You are aware of phishing as a hacking technique, of course. These are usually non-specific in their target and the attacker will cast a ‘wider net,’ so to speak. This means that, even if only 1% of attacks are successful, they’ve hit say 100 out of 10,000 individuals. That’s still a success. Spear phishing is a targeted version of phishing. Attackers target a specific individual or organisation with a much more detailed phishing email which leads to a higher chance of success.
In this scam, you receive an email from what appears to be your boss, urgently requesting that a financial transfer be made. Perhaps he’s just requesting some reports or files―containing confidential information―and it looks legitimate, so you don’t question it. In 2016, Snapchat fell for exactly this scam, with an HR employee handing over payroll information to the ‘CEO.’
A trusted friend sends you an email containing a malicious link or download for you to click. These could be disguised as photos they want to ‘share’ with you, or a link to their site, Facebook page, etc to entice you to click… and bam! You’ve been socially engineered. Of all our examples of social engineering, this one may come across as the laziest.
The Cry For Help
Your ‘friend’ or ‘cousin’ or whomever it may be writes to you that they are in urgent need of your help! They were mugged in Spain *insert sob story here* and they need you to send $X to their account. The pretext will vary; it may be so they can pay for their hospital bill/passport fees/insert other relevant cost here. Spoiler alert: your friend is not really in danger, and the funds are going to a social engineer attacker.
The Mysterious Lottery
Congratulations! You won a lottery that you don’t even recall entering! Or maybe you’ve suddenly inherited millions from a long-lost relative. It’s a dream come true! But remember, if it’s too good to be true, then it probably is. These social engineering attacks tend to be more random and less personalised. However, they definitely fall into the same category as they prey on your sense of greed.
The Account Suspension
This is one that is always difficult to dismiss. You get an email that your account has been suspended or compromised and you need to verify your information or reset your password. These emails can be extremely convincing, with identical formatting to the real deal. If you’re ever unsure, the best thing to do is to open the site and account in your browser independently. You will immediately be able to see any account-related shenanigans. Just make sure you don’t click the link embedded in the email!
Busted and Blackmailed
This is one that has been making the rounds, with some success. A convincing email arrives in your inbox stating that you’ve been busted watching pornography. Now they are threatening to reveal a video of your activity to your contacts. How is it convincing? Firstly, the email will usually contain a real password that you have used at some point (likely obtained through a previous data leak available online). Secondly, they will detail the method they used to ‘hack’ into your system―this makes it seem more legitimate. They will make a demand for money in exchange for not sharing the damning video. Breathe easy, it’s all a bluff. You can check if your password is in a leaked database through Have I Been Pwned.
The Dream Job Offer
If you hear from a LinkedIn recruiter offering you a dream job with unbelievable salary and benefits… you could be extremely lucky. But the more likely scenario is that (sorry!) there is no job and no amazing salary. There are a lot of recruiters out there headhunting for the perfect candidate, and it may not be out of the ordinary to receive such an inquiry. However, just be wary of the source and don’t reveal any confidential information or click any links.
There are more examples of social engineering we could dig into, but these are the most common social engineering attacks around. So, how do you protect your business from any one of these examples of social engineering? Let’s take a look.
Protect Your Business From Social Engineering Attacks
A lot of cyber-attack prevention boils down to many of the same tools and steps. It’s about reducing your exposure, being aware of vulnerabilities, and utilising tools to increase your protection. Having said that, social engineering attacks can be a little different, as they play on human emotion. Ultimately, there’s not much that an anti-malware program or firewall can do to stop a person from giving away the goods.
Keep in mind that many examples of social engineering will try to bypass your security system completely. But there’s a number of steps you can implement within your business to reduce your risk of social engineering attacks. We’ll run through them with you to ensure your business is on the right path.
1. Cyber Security Policies
Cyber security policies may sound incredibly boring and tedious. They are, however, crucial to protecting your business and employees from social engineering attacks. Be warned, though: it’s not enough to just create the policies―they need to be well understood and enforced. Don’t stick it in the back of the employee manual that no one ever reads. Keep the policy clear, visible, and regularly reinforced with your staff to ensure the recommendations become habit. Having a solid cyber security policy will do a few things to help prevent social engineering attacks: it means individuals are less likely to click on phishing links or give out credentials online. It reduces the chance of malicious files being accidentally downloaded onto the system. Also, having high-level email spam rules and policies can filter out many social engineering attacks from the get-go, as they fail to pass filters.
2. Mobile Device Management
Mobile device management is protection for your business and for employees utilising a mobile device. This is especially relevant when they are using a personal device, instead of a company-issued device, for work purposes. Mobile-device-management tools enable you to implement policies that control company data, passwords, sharing restrictions, and more. Hopefully you’re starting to see the benefit in this context! Even if an employee falls victim to one of the above social engineering attacks, you can control what data can be accessed and shared. In the case of the email from the boss, maybe Janet in accounts thinks she needs to send a copy of payroll information to Bob the CEO. Mobile device management ensures that Janet isn’t able to share those documents, or even copy the information within, based on your restrictive rules designed for just this purpose.
3. Multi-Factor Authentication
We always come back to this one because, honestly, if you don’t have it implemented by now, then you’re well behind the pack. Multi-factor authentication ensures that account security is not defined by just one factor (the password). Passwords are important, sure, but as we’ve come to realise, they are insufficient on their own. Why? It’s far too easy for someone else to get access to your password, and therefore access to your accounts. Whether that password is accessed via social engineering, or because Janet wrote it on a post-it next to her computer (dammit Janet!), the result is the same: unauthorised access. Multi-factor authentication ensures that the password is not the master key to any given account. An additional verification will be required, which could be anything from a security question, to a one-time generated code, or even biometrics such as fingerprints or facial recognition.
4. Regular Backups
Time to rag on Janet a little more. She defied all policies and logic, and failed to engage the slightest bit of suspicion or common sense. She clicked the link that Bob The Fake CEO sent her and now the company has been infected with a virus hell bent on destroying everything. But… thank goodness you followed Stanfield IT’s sensible protection policies and scheduled regular backups for your data. You’re able to revert the system back to its original state, change all passwords and update policies as required. And give Janet a stern talking to. If any Janet is reading this, we’re so sorry.
5. Password Management
This should be integrated into your cyber security policies, but it’s worth covering as a separate point. Good password management is incredibly important to prevent social engineering attacks. I know we just said that passwords are not the be all end all, but that doesn’t mean you can get away with password1234 on all your accounts (you’d be surprised how many people use exactly that). Good password management means doing a few things: creating a strong password (random, multiple cases, characters, and passphrases are all excellent), never using the same password more than once, using a secure password manager to keep track of all your logins, and changing passwords at scheduled intervals (for example every 3-6 months).
6. Security Awareness Training For Employees
As mentioned above, it’s not enough to just stick a cyber security policy in the back of the manual and call it a day, especially since social engineering relies on human error. Employees need to be able to take charge of cyber security, understanding where attacks can come from and what they can do to avoid an attack. Essentially, you want these procedures and protocols to become second nature to your employees. If they feel that they have ownership of cyber security and attack prevention, they are far more likely to follow cyber security protocols and your risk of social engineering attacks will be reduced. Stanfield IT offer personalised training seminars for your team so they can recognise examples of social engineering and not fall victim.
7. Encrypting Emails and Data
Ensuring that all your emails, data, and communication are encrypted ensures that, even if an attacker intercepts your data in transit, they aren’t able to view or access the included information. Their ‘payload’ is useless, as they can’t use any of the information contained within. This can be achieved by utilising a VPN within your business, which will encrypt data transmitted between you and any websites, protecting you from prying eyes!
8. Keep Software/OS Up to Date
This is a simple, yet critical, step that shouldn’t be overlooked. It’s so easy to put off those updates, as they always seem due at the most inconvenient times. These updates, however, reduce vulnerabilities and keep your system secure. Rolling out patches across a large network can be time-consuming, but knowing which software has critical vulnerabilities and the updates that are more urgent can help you to prioritise and manage the task at hand. Of course, employing an external team to manage your IT services will be a big boon in this instance, so it’s not something you need to fret about.
9. Define Roles and Verify Identities
If you have a workplace where everyone does a bit of this and a bit of that, it’s hard to know where to draw the line in terms of who can access what. Defining roles within the business means that everyone has a clear cut understanding of what they can and should access at any given time. This cuts down on successful social engineering attacks as individuals know that George (let’s give Janet a break) isn’t permitted access to the employee database he’s suddenly requesting, immediately raising a red flag.
Furthermore, having a system of identity verification internally will help to reduce this risk as well. It may be that any time certain requests are made, or certain information is being accessed, employees are required to answer a security question or provide a pre-determined passphrase. Social engineers often do their research on their targets and can be very convincing in their assumed identities, so having a method of verification provides that extra security.
10. Utilise Next-Gen Firewall and Anti-Virus
You are probably already using a firewall and anti-virus software within your business, but next-gen firewall technology (NGFW) is designed to provide maximum security in ways that previous incarnations didn’t. Traditional anti-virus and firewall software doesn’t have the sophisticated techniques and knowledge required to truly protect your system against modern attacks. Although social engineering attacks rely on human mistakes, a good NGFW will alert you to any attempted malware installations, preventing any potential infiltration.
- Stay vigilant of spam, flagging (and never complying with!) emails that request personal or financial information (often urgently); call for quick action by threatening the user with frightening information; or are sent by unknown senders.
- Regularly monitor online accounts to make sure no unauthorised transactions have been made.
- Never give personal information via the phone or unsecure websites.
- Don’t click on links, download files, or open email attachments if you don’t know the sender and recognise the email address.
- Only complete online transactions on websites that use the ‘https’ protocol. Also look for a sign that indicates that the site is secure, such as a padlock on the address bar.
- Beware of phone phishing and never provide personal information over the phone. Also beware of emails that ask the user to contact a specific phone number to update their information.
- Never give personal or financial information via email.
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites often disguise themselves as exact replicas of legitimate websites.
- Beware of pop-ups; never enter personal information in a pop-up screen or click on it.
- Adopt proper defense systems, such as spam filters, anti-virus software, and a firewall, and keep all systems updated.
- Social network users should trust no one and reveal only a limited amount of information. They should never post personal information, such as a vacation schedule and home photos, click on links and videos from unknown origin, or download uncertified applications.
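Several of the checks in the list above (unknown or spoofed senders, urgency, requests for personal or financial data, links whose visible text does not match their real destination, plain-http forms) can be turned into a first-pass mail triage rule. The following is an added example written for this article, not Stanfield IT’s tooling: it scores a message against those indicators and lists the reasons, using two constructed sample messages modelled on the fake-CEO payroll scenario described earlier. The keyword lists, the “last two labels” approximation of a registrable domain, the address book, and the score thresholds are all assumptions to be tuned for a real mailbox.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed indicator lists; a real deployment would tune these to its own mail traffic.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "action required", "verify your")
SENSITIVE_WORDS = ("password", "payroll", "wire transfer", "bank details", "credit card", "login details")

# Constructed address book: display name -> the address that person is known to use.
KNOWN_CONTACTS = {"Bob Carter": "bob.carter@example-corp.test"}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def links_in(html: str):
    """Return (href, visible_text) pairs for each anchor in a simple HTML body."""
    return re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)


def triage(msg: dict, contacts: dict = KNOWN_CONTACTS) -> dict:
    """Score one message (dict with from/subject/body and optional reply_to) and list the reasons."""
    reasons = []
    display, addr = parseaddr(msg.get("from", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1]

    # 1. Sender checks: display name of a known contact on a different address,
    #    sender not in the address book, Reply-To steering replies elsewhere.
    for name, known_addr in contacts.items():
        if display.lower() == name.lower() and addr != known_addr.lower():
            reasons.append(f"display name '{display}' is a known contact but address is {addr}")
    if addr not in {a.lower() for a in contacts.values()}:
        reasons.append(f"sender {addr} is not in the address book")
    if msg.get("reply_to"):
        _, reply_addr = parseaddr(msg["reply_to"])
        if reply_addr.lower().rsplit("@", 1)[-1] != sender_domain:
            reasons.append(f"Reply-To {reply_addr} does not match sender domain {sender_domain}")

    # 2. Link checks: the URL the reader sees vs the real destination, and non-https targets.
    for href, text in links_in(msg.get("body", "")):
        target = urlparse(href)
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname or ""):
            reasons.append(f"link shows {shown.group(1)} but points to {target.hostname}")
        if target.scheme == "http":
            reasons.append(f"link to {target.hostname} is not https")

    # 3. Content checks: urgency pressure and requests for sensitive data.
    plain = re.sub(r"<[^>]+>", " ", msg.get("subject", "") + " " + msg.get("body", "")).lower()
    urgent = [w for w in URGENCY_WORDS if w in plain]
    sensitive = [w for w in SENSITIVE_WORDS if w in plain]
    if urgent:
        reasons.append("urgency language: " + ", ".join(urgent))
    if sensitive:
        reasons.append("asks for sensitive data: " + ", ".join(sensitive))

    score = len(reasons)
    verdict = "quarantine" if score >= 3 else "flag" if score else "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages: the fake-CEO payroll request, and a benign note from the real Bob.
PHISH = {
    "from": '"Bob Carter" <bob.carter@example-corp-mail.test>',
    "reply_to": "bob.ceo@freemail.test",
    "subject": "URGENT: payroll report needed",
    "body": ('Janet, I need the payroll report immediately. Upload it here: '
             '<a href="http://login.example-corp.verify-now.test/upload">'
             'https://portal.example-corp.test/upload</a>. Thanks, Bob'),
}
BENIGN = {
    "from": '"Bob Carter" <bob.carter@example-corp.test>',
    "subject": "Q3 meeting notes",
    "body": ('Hi team, notes from today are on the intranet: '
             '<a href="https://portal.example-corp.test/notes">https://portal.example-corp.test/notes</a>. Bob'),
}

if __name__ == "__main__":
    for label, message in (("phish", PHISH), ("benign", BENIGN)):
        result = triage(message)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The point of listing reasons rather than a bare score is that the person who receives the flag learns which sign gave the message away, which reinforces exactly the habits the awareness list above is trying to build. None of these heuristics is conclusive on its own; a legitimate reminder can be urgent, and a colleague can use a new address. The combination is what should trigger the independent check the article recommends: open the site or call the person yourself, never through the link or number in the email.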
Reviewing the examples of social engineering above, it’s clear that social engineering targets a huge part of human nature. It plays on our curiosity and desire to help. It’s human nature to be curious; we want to know everything! A Google study showed that 48% of individuals who picked up a random stray USB drive then plugged it into their computers. This is beyond risky!
More so, we want to help our fellow humans, especially those close to us or in our everyday lives. Well, most of us do anyway. Social engineering attacks exploit this fact. This is why so many of the examples of social engineering are framed around a request for assistance from either coworkers or friends―these are people we tend to trust.
Social engineering has been around ‘forever,’ of course―it’s not a new, complex hacking technique. However, social engineering attacks have grown more sophisticated in recent years. With social media now so mainstream, it’s easier than ever for these attackers to collate relevant information in order to present a convincing identity. According to a study by KnowBe4, a whopping 98% of hackers target users via social engineering rather than through a technical flaw.
Overall, these steps won’t prevent social engineering attempts on your business―the hackers will just keep on trying. Keep the examples of social engineering in mind and learn to recognise them, so that you spot such an attempt when it comes your way. This way, you’re already on the defence and less likely to fall victim to social engineering attacks.
If you would like to find out more, please contact the team at Stanfield IT to discuss how to better secure your small-to-medium business.