Social engineering is a cyberattack technique that exploits people’s natural tendency to trust, together with the attacker’s apparent credibility and the victim’s lack of awareness. The goal is usually to obtain sensitive data from companies or individuals.
Companies can invest in many different tools to protect themselves against cybercrime, but the weakest point of an IT security system is usually the human being. Social engineering experts are skilled manipulators, able to steer the victim with intelligent arguments and carefully chosen wording. It is therefore essential that people are aware of the threats and of the importance and value of data.
Social engineering takes many forms, and there are prevention tips for each of them. We highlight some of them here:
1. Phishing
The goal is to make the recipient of the email believe it is something they need or are waiting for. The email may include dangerous links or attachments carrying malicious software. Phishing variants also include spear phishing (targeted at a specific person) and whaling (targeted at senior executives). Think before you click!
2. Pretexting
This technique uses a pretext – a false justification for a specific action – to gain the victim’s trust and deceive them. For example, the attacker claims to work in IT support and asks the target for their password in order to perform maintenance.
Proper processes and policies, together with training on how to identify and authenticate callers, must be in place to avoid these attacks.
3. Baiting
Baiting aims to lure the victim into performing a specific action by offering easy access to something they may feel tempted to look at. For example, a USB drive infected with a keylogger and labelled “Private Photos” is left on the victim’s desk.
Security policies, such as blocking unauthorized software and hardware, will stop most attempts, and it is worth reminding teams never to trust devices or files from unknown sources.
4. Quid pro Quo
Latin for “something for something”, this technique involves a request for information in exchange for a favour. A typical case is an attacker calling random phone numbers claiming to be from technical support; occasionally they reach a victim who actually needs help. They then offer that “help”, gain access to the computer and are able to install malicious software.
5. Shoulder Surfing
This method involves stealing data (passwords or codes) by looking “over the shoulder” while the victim is using a laptop or other device (a smartphone or even an ATM). Awareness of this threat is particularly important for companies with remote employees, who may use their work devices in public places.
6. Tailgating
This method involves physical entry into protected areas, such as a company’s headquarters. The attacker can impersonate a co-worker and convince the victim, an employee authorized to enter, to let them in at the same time by opening the data center door with the victim’s RFID pass. Access to non-public areas should be controlled by access policies and/or access control technologies; the more sensitive the area, the stricter the combination of the two should be.
To prevent such attacks, there are several important aspects to consider:
Training employees on social engineering
One of the most important aspects of social engineering prevention is risk awareness. It is therefore essential to organise cybersecurity workshops for employees and to convey the importance of the data they handle.
Testing employee awareness
Occasionally, it is a good idea to put employees in a realistic attack simulation. Do they lock their computers when they step away? Are there important documents left on their desks? Credentials written on post-its? What will they do if an unknown number calls and impersonates someone offering services the company is looking for? Answering these questions helps ensure that everyone on the team knows what they can and cannot do. Run such exercises with the management team and key employees on a regular basis. Test the controls and work backwards from the potential areas of vulnerability.
Enforce multi-factor authentication
Even a strong password is not always enough. It is best not to rely on single-factor authentication for important data. In addition to passwords, multi-factor authentication can include fingerprint scanning, authentication tokens, or SMS codes (the last of these is the weakest option, since SMS codes can be intercepted or phished).
Currently, the best defence against social engineering attacks is employee education complemented by technological solutions that detect and respond to attacks. By being fully aware of these threats and taking basic precautions, you will be much less likely to become a victim of social engineering.