Just a few years ago, the only devices in our homes connecting us to the Internet were laptops, desktops or maybe gaming consoles. Today, the number of items with this capability is rapidly growing. As more devices connect to the Internet for communication, it becomes more and more vital to make sure that our information is protected against cyber threats that can cause real damage and disruption. The same crimes that happen in real life – such as theft and abuse – are now occurring every day on the Internet, and just like you tell your kids to look both ways before crossing a busy intersection, you must take precautions when using the Internet.
What makes you vulnerable?
How much we incorporate technology into our daily lives is changing. People have varying opinions on whether this change is a positive or negative one. The challenges of living in a technology-driven world introduce new ways for threat actors to attack individuals and businesses alike. Many cyber criminals do it for the money, some for the thrill, but either way, cyber attackers want your personal information to cause financial, emotional, and even physical damage. One of the common ways attackers go after your personal information is through email or text messages claiming to be someone you know, whether it be a boss, co-worker, friend, or family member. They will capitalize on your sense of trust in this person to take advantage of the situation and cause you harm.
Cyber threats focus on a tactic known as social engineering. What is social engineering, you might ask? It’s the art of manipulating people into performing actions and/or divulging information that might be used to gain access to your bank accounts or your work email, for example. With this information, the attacker can steal your identity and your online access. Social engineers try to trick their victims into making a mistake, and they take advantage of fear, confusion, a sense of urgency, and, sadly, kindness.
What are some methods of attack?
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by appearing to be a trustworthy company or authority figure. This is all done through email communication. There are other variants of this, like vishing, which is done over the phone, or smishing, which is done through text messaging. These methods are all executed to steal your personal information. These attacks are often used to lure victims into clicking on links to fake websites that look believable, leading to them giving away personal information or downloading malicious documents poised to compromise personal devices.
Tailgating and piggybacking are used when cyber attackers are trying to gain otherwise unauthorized access to a facility. This could involve an attacker following you while you’re walking into work and attempting to slip in behind you. Another example of this would be an attacker carrying a box that is too heavy and looking to you to hold the door for them to walk in. Therefore, it is extremely important to be aware of your surroundings to make sure cyber criminals don’t take advantage of you.
Baiting is a technique where a cyber-criminal leaves USB flash drives out in common areas, like parking lots or elevators, to entice victims to pick them up and plug them into a computer at work or at home. Once the flash drive is plugged into the computer, the attacker can infect your computer, allowing them to gain remote access to your computer to perform a variety of malicious actions, most often installing spyware or other forms of malware on your computer to steal your passwords and credit card numbers.
Why is social engineering so effective?
Unlike purely technical attacks, social engineering does not exploit network security weaknesses; instead, it relies on the psychological manipulation of a human being to extract the desired information.
Social engineering continues to be effective for many reasons:
- Despite various security policies, preventing social engineering is a challenge, because human behavior, unlike a technical control, is inconsistent and hard to predict.
- It is challenging to detect social engineering attempts because they aren’t always detectable by technical controls.
- No method of technical and procedural controls guarantees complete security from social engineering attacks.
- The approach of social engineering is relatively cheap (often free) and easy to implement.
There are many characteristics of a social engineer. Social engineers are confident and in control of the situation and will use many techniques to take advantage of you as the victim. One might even use humor as a tactic to build a sense of trust in a certain situation. The goal of social engineers is to create a calm, relaxed environment that puts their victims at ease in order to take advantage of them.
These are some of the typical traits of a social engineer:
- People Skills
With a mix of these traits and non-verbals to manipulate their situations, social engineers can be a deadly threat to your personal and employee safety. The social engineer will try to create a plausible situation that is believable and apply pressure to create a sense of fear, anger, indignation, or shame and lure a victim into the compromising situation.
How can you protect yourself?
Fighting against social engineering requires due diligence, because oftentimes a social engineer will rely on your heightened emotion and the feeling that you must act now. What does it take to prepare employees and individuals to easily identify and thwart social engineering attacks? Training and awareness are the two best ways to fight social engineers and develop a zero-trust mindset. Training that doesn’t provide employees a continuous learning environment or reinforcement will result in this type of attack being successful. Your goal is to make yourself and your employees more cyber aware.
Here are some key areas to focus on to protect yourself:
- Avoid revealing personal information or credentials inside of an email or phone call.
- Avoid downloading attachments from unknown senders.
- Avoid clicking on links inside emails or text messages from unknown senders.
- Secure and shred all documents containing private or sensitive information.
- Organizations must, on an employee/personnel level, establish frameworks of trust (e.g., when, where, why and how sensitive information should be handled: data classification).
- Organizations must establish security protocols for the people who handle sensitive information (e.g., paper trails for information disclosure and/or digital breadcrumbs).
- Organizations must implement strong password policies (including multi-factor authentication).
- Organizations must implement anti-virus and anti-phishing defenses using multiple layers of defense (mail filtering and client-side anti-virus).
- Always be mindful: Stop and think before you click!
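The mail-filtering layer mentioned above can catch many of the phishing patterns described earlier (a familiar display name on an unfamiliar sender domain, urgency language, and link text that does not match where the link actually goes) before a person ever has to "stop and think". The following is an added example, not code from the original post: a small heuristic scorer in Python over two constructed sample messages. The trusted-domain list, the urgency phrase list, the point values and the threshold are all assumptions chosen for illustration, and the parser handles only single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organization's own mail domain(s). Anything else is "untrusted".
TRUSTED_DOMAINS = {"example.com"}

# Assumed: a short list of phrases social engineers use to create urgency.
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours", "act now",
    "will be suspended", "verify your account",
)

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: the display name impersonates an executive, the sender
# domain is not ours, the subject creates urgency, and the visible link text
# points at our mail server while the real href goes elsewhere.
SAMPLE_PHISH = """From: "Jane Doe, CEO" <jane.doe@ceo-mail-secure.example>
To: staff@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your mailbox will be suspended. Go to
<a href="http://login-example.example.net/reset">https://mail.example.com/reset</a>
immediately.</p>
"""

# Constructed sample: an ordinary internal message with a consistent link.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Lunch on Friday
Content-Type: text/html

<p>See the menu at <a href="https://intranet.example.com/menu">https://intranet.example.com/menu</a>.</p>
"""


def sender_domain(msg):
    """Lowercase domain of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Decode a single-part message body to str (multipart is out of scope here)."""
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", errors="replace")


def link_mismatches(html):
    """Anchors whose visible text is a URL on a different host than the real href."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain-word link text: nothing to compare against
        if urlparse(text).hostname != urlparse(href).hostname:
            found.append((text, href))
    return found


def score_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return (score, reasons). Point values are illustrative, not a standard."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    display_name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg)
    if domain not in trusted_domains:
        score += 2
        reasons.append(f"sender domain '{domain}' is not trusted")
        if display_name:
            # A familiar-looking name on an unfamiliar domain is the classic impersonation pattern.
            score += 1
            reasons.append(f"display name '{display_name}' used with untrusted domain")

    html = body_text(msg)
    haystack = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        score += min(len(hits), 3)  # cap so wording alone cannot dominate the score
        reasons.append("urgency language: " + ", ".join(hits))

    for text, href in link_mismatches(html):
        score += 3
        reasons.append(f"link text '{text}' but href goes to '{href}'")

    return score, reasons


def is_likely_phishing(raw, trusted_domains=TRUSTED_DOMAINS, threshold=4):
    """Assumed threshold: 4 or more points routes the message for review/quarantine."""
    return score_message(raw, trusted_domains)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_message(sample)
        print(f"{label}: score={score} likely_phishing={is_likely_phishing(sample)}")
        for r in reasons:
            print("  -", r)
```

Each reason the scorer records is something a user can be trained to check by hand (hover the link, look at the real sender address, notice the pressure to act now), so the same heuristics double as awareness material. Real mail filters add authentication results (SPF, DKIM, DMARC) and reputation data on top of content checks like these; this example deliberately stops at the content layer.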
In A Nutshell
Social engineering can take many forms: phishing emails, fake sites, and impersonation. If the features of these techniques make them an art, the psychological insights that inform them make them a science. To be able to prevent and mitigate social engineering attacks, one needs to be able to identify them. Understanding the patterns and progression of social engineering attempts is essential. The best way to deal with this type of cyber threat is to report anything unusual, and if somebody or something is setting off a warning in your mind, don’t ignore it. It may be a problem that could affect others.
Training and awareness are the two main ways to learn about and prevent these types of attacks and their impacts. The best way to stay cyber secure is to learn about types of threats and be more proactive to prevent them. You can make a difference both at work and at home by helping others learn about the cyber threat actors and their capabilities.