With ever-growing advancements in technology, security risks are rising, and cybercrime methods have become far more sophisticated and challenging to eliminate. Next to some of the most notable attack methods, social engineering may not seem like as large a threat, but it can still lead to grave security breaches.
Social engineering, by definition, is the “psychological manipulation of people into performing actions or divulging confidential information” (SingCERT, 2021). Due to this innately human element, it is one of the most challenging cyber security threats to combat.
Cybercriminals involved in social engineering treat humans, rather than technical vulnerabilities and system protocols, as the weakest security link. These criminals have been leveraging social engineering techniques for a long time; however, the techniques have become rampant over the past couple of years. Such scams continue to plague businesses as technology evolves and advances (Forbes, 2021).
With the rise of remote working cultures, there has been a call for increased information security awareness among users. Let’s look at social engineering techniques that attackers employ to manipulate targets.
- Information Gathering: The first step is to identify a target, gather as much information as possible and select a suitable method to approach the target. With high utilization of social media platforms such as LinkedIn, gathering information about a target isn’t a difficult task, especially for cybercriminals.
- Relationship Building: The attackers first try to engage with the victim through targeted communications such as social media messages or even phishing emails with a personal touch.
- Exploitation: Leveraging their relationship, the attacker tries to gain access to the target’s sensitive information. They use phone calls and other media to trick people into handing over access to their personal or organization’s critical information.
- Execution: After they have gotten ahold of the information, they execute a carefully planned attack – this could lead to data theft, financial loss, downtime, or even permanent shutdown. They also carefully take up the painstaking task of removing any digital footprints (such as malware) to remain undetected.
- Phishing: Phishing is one of the most common types of techniques used to gain access to account credentials, sensitive data, confidential information and funds. Phishing has seen a steep increase with the recent proliferation of remote working culture and the rising popularity of cloud platforms. Modern phishing attacks are sophisticated, evasive, and rely heavily on social engineering.
How can you guard against social engineering attacks?
By nature, social engineering attacks are so targeted and deceptive that it is difficult to eliminate them at an early stage. It is also never right to blame a user for falling prey to one of these scams. After all, humans, even the most aware of us, can be tricked from time to time. It is nearly impossible to achieve the advanced level of awareness needed to defend against these attacks when the threat actors are well trained and equipped with all the needed infrastructure. The fight against social engineering attacks is a process. It requires an extensive, fully monitored, real-time security solution capable of predicting and blocking advanced emerging threats.
Organizations should use strong passwords for all accounts and be aware of the information they make publicly available online. It is best not to leave personal information on publicly available websites. If unsure, organizations can utilize third-party web services to monitor the types and amounts of discoverable personal details they have online.
Humans are not machines, but the fact remains that they can be hacked through these techniques and are bound to fall prey if left uneducated about these tactics.
Tips to follow to be secure against social engineering attacks:
- Do not open emails and attachments from suspicious sources – If an email reaches your inbox and the sender’s name/email seems suspicious, do not open the email. Mark these emails as spam to avoid any potential harm in the future. An organization should set alerts for emails generated outside their domain and add warnings before opening or sending emails to any foreign (other than their own) email domains. Use password managers to manage your passwords and do not have them written down or stored anywhere insecure.
- Do not save your banking details on your corporate laptop – For easy usage, we tend to leave our card/internet banking details on e-commerce websites, shopping apps, etc. Browse through your settings and remove all stored information after making a transaction.
- Use multi-factor authentication – User credentials are one of the most valuable pieces of information a hacker can obtain. Using multi-factor authentication will help ensure the protection of your critical account if one set of credentials is compromised. Numerous multi-factor authentication tools are available that can come in handy and increase account security for your applications.
- Do not be lured in by tempting offers – If an offer sounds too good to be true, it is probably a scam. These scams are often seen on e-commerce sites where boasting of huge discounts on gadgets is quite common. It is best to look up the offers for yourself first before continuing with any purchase.
- Keep your software updated – Always keep automatic updates on or make sure to update your software manually at least once a week. Run a scan periodically to check if all updates have been installed correctly.
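The first tip's advice to alert on mail generated outside the organization's domain, and to warn before sending to foreign domains, comes down to a header check at the mail gateway or client. The sketch below is an added example, not part of the original article; the domain list, banner text, warning labels and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: placeholder list of the organization's own mail domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
BANNER = "[EXTERNAL] "

# Constructed sample: external sender whose display name imitates an internal address.
SAMPLE_SPOOF = (
    'From: "ceo@example.com" <billing@examp1e-pay.test>\n'
    "To: bob@example.com, vendor@partner.test\n"
    "Subject: Urgent invoice\n\nPlease pay today.\n"
)
# Constructed sample: ordinary internal message.
SAMPLE_INTERNAL = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: Lunch\n\nhi\n"


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_external(msg):
    """A missing or unparseable From header is treated as external."""
    return _domain(parseaddr(msg.get("From", ""))[1]) not in INTERNAL_DOMAINS


def external_recipients(msg):
    """Addresses in To/Cc outside our domains, for a pre-send warning."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [a for _, a in getaddresses(fields) if _domain(a) not in INTERNAL_DOMAINS]


def tag_message(raw):
    """Return (message, warnings); external mail gets a subject banner."""
    msg = message_from_string(raw)
    warnings = []
    if is_external(msg):
        warnings.append("external-sender")
        subject = msg.get("Subject", "")
        if not subject.startswith(BANNER):  # skip if already tagged upstream
            del msg["Subject"]
            msg["Subject"] = BANNER + subject
        # Display name that contains one of our addresses on an external sender.
        name = parseaddr(msg.get("From", ""))[0].lower()
        if any("@" + d in name for d in INTERNAL_DOMAINS):
            warnings.append("display-name-mismatch")
    return msg, warnings
```

The comparison is an exact match on the domain, so a lookalike such as `examp1e-pay.test` is tagged as external like any other outside sender.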
Social engineering attacks frequently take advantage of human behavior and are not always technical. Our mindset must shift from trust to caution, and individuals and employees must be aware of such threats to recognize and defend against social engineering attempts.
Forbes (2021): https://www.forbes.com/sites/forbesbusinesscouncil/2021/06/17/7-social-engineering-scams-that-could-affect-your-business/?sh=a87a33158682
SingCERT (2021): https://www.csa.gov.sg/singcert/Publications/social-engineering-attacks