How to protect yourself from social engineering?

Welcome to CyberHygiene, our weekly newsletter, where we share tips and actionable data to help everyone stay safe online.

First time seeing this? Please subscribe.

Social engineering is a technique used to manipulate and deceive people. Malicious actors exploit human psychology to gain private information, access or valuables.

Social engineering attacks usually involve a series of highly-calculated steps where con artists invest weeks or months into nurturing a slow-building relationship with their victims.

The attacks are not always related to cybersecurity. Social engineers can reach out and trick you without ever having to speak a word. Social engineering attacks work just as well in person, over the phone, on social media or via email.

1. What are the most common types of social engineering attacks?

Pretexting

Attackers focus on creating a good pretext or a fabricated scenario “that they can use to steal their victims’ personal information.” These attacks commonly take the form of a scammer pretending to need certain information from their target in order to confirm their identity.

Baiting

Baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.

Shoulder Surfing

It is the act of looking over someone’s shoulder, writing down or memorizing logins or passwords.

Watering Hole Attacks

Watering hole attacks infect popular web pages with malware to impact many users at a time. It requires careful planning on the attacker’s part to find weaknesses in specific sites. They look for existing vulnerabilities that are not known and patched — such weaknesses are deemed zero-day exploits.

Tailgating or piggybacking

An unauthorized person takes advantage of an authorized person to gain access to restricted areas. These areas have physical or electronic authentications required to gain access.

Dumpster Diving

Attackers collect information from discarded materials such as old computer equipment (e.g., hard drives, thumb drives, DVDs, CDs) and company documents that were not disposed of securely.

2. How does social engineering attack work?

Information gathering : the attacker collects information from public sources such as google and social media.
Establishing trust: the attacker contacts and tries to connect with the targeted user on a personal level.
Exploitation: the attacker gets money, access to a system, steals files, or obtains trade secrets.
Execution: the attacker performs the final goal and exits the scam.

3. How to spot social engineering attacks?

Most social engineering attacks employ one or more of the following tactics

Posing as a trusted brand
Posing as a government agency or authority figure
Inducing fear or a sense of urgency
Appealing to greed

4. How to prevent social engineering attacks?

1) Security awareness

Don’t share valuable information: Personally identifiable information (PII) with a third party. It’s important to know what data is considered PII.
Be suspicious of requests for data: Any request for data should be received with caution. Ask questions and verify the sender’s identity before complying with the request.

2) Access control policies

Use multi-factor authentication and unique credentials for all your online accounts.
Be wary of downloading free apps, files, programs, software or screensavers – malicious code, like spyware (that secretly monitors what you do online) and keystroke loggers (that secretly track what you are typing) can be hidden within the downloaded file or app and used to access personal information, such as login credentials.

3) Cybersecurity technologies

Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place.
Firewalls and antivirus software can mitigate the extent of any damage done by attackers who gain access to the network.
Keeping operating systems updated with the latest patches can also close some vulnerabilities attackers exploit through social engineering.

5. What do you do if you think you are a victim?

If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised.
Watch for any suspicious charges to your account. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Watch for other signs of identity theft.
Consider reporting the attack to the police, and file a report with the Federal Trade Commission and the Federal Bureau of Investigation (FBI) IC3.