Social Engineering: Everything You Need to Know

Wed, 10/27/2021 - 14:00
by Karan Awasthi, Security Analyst

Social engineering is a term that covers a wide variety of attacks that leverage human vulnerability in order to gain access to sensitive information.

With the risk of being targeted by social engineers growing greater by the day, it’s important that each of us fully understand the different types of social engineering attacks and how best to avoid them.

How do Social Engineering Attacks Work?

Whether we like to admit it or not, we’re all creatures of habit.

Modern life is an almost constant blur of mundane tasks and activities. Naturally, we all want to find the easiest and fastest way to get those tasks done.

Unfortunately, that often means that we’re lax about security.

Simple things, like using the same password across multiple accounts or giving an unknown service access to your accounts without questioning them, can make your life easier, but it leaves the door wide open to social engineers.

Social engineers find the gaps in our security habits and utilise emotional manipulation techniques to access our sensitive information.

Social Engineering Techniques

Dumpster Diving

Many cybercriminals scrounge through dustbins and other garbage areas looking for information and other sensitive data about users that may have been discarded. People routinely throw away papers such as invoices, receipts, or notes containing sensitive information such as financial details, SSNs, passwords, etc. When collected by someone with malicious intent, this information can be used to build a dossier and perpetrate a more serious attack.

To avoid having sensitive data compromised by dumpster diving, use secure bins or shredders whenever possible to discard hard copies of sensitive or potentially sensitive information.

Shoulder Surfing

Shoulder surfing can be defined as the act of acquiring personal or private sensitive information through direct observation. This social engineering technique involves looking or peeping over a person’s shoulder to gather relevant information about the victim of the attack. It is done not only by humans but also by cameras strategically placed within the room.

Attackers can shoulder surf anywhere people open their computer to do work. This includes places such as coffee shops, airports and airplanes, hotel restaurants and bars, or an outdoor seating area just outside the office.

It is recommended to avoid displaying sensitive information on your computer screen when in a public place. If this is unavoidable and regularly occurs, privacy screen protectors can also be used; these blur the screen unless you are looking at it head-on.

Tailgating

The aim of tailgating (also known as piggybacking) is to gain access to an unauthorised area. Typically, this is achieved by an unauthorised person following closely behind an authorised individual and getting the authorised individual to give them access.

Social engineers rely on people’s natural instinct to be helpful. If you are entering a restricted access area and someone tries to follow you in, kindly ask them to swipe their own badge. If they refuse, notify onsite security or a manager.

Smishing

Smishing is a form of phishing in which cybercriminals send text messages from purportedly trusted sources to dupe victims into clicking a malicious link or providing some sort of response.

Posing as banks, government agencies, co-workers or even friends or family, fraudsters deploy social engineering techniques to trick victims into handing over bank details, login credentials, Social Security numbers, and other sensitive information.

There are very few controls available to prevent this type of attack. As of now, the best thing to do is to be diligent in scrutinising texts from unknown numbers and to use your device’s built-in features to block the number.

How to Defend Against Social Engineering

  • Be suspicious of unsolicited phone calls, visits from strangers, SMS messages or email messages from individuals asking about your or others’ sensitive and personal information. If an unknown individual claims to be from a legitimate organisation, try to verify his or her identity directly with the company.

  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.

  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company via a known approved contact method.

  • Be sensitive to the information that you post publicly about your personal life on social media.

  • Enable multi-factor authentication for all your accounts and change important credentials regularly.
