Social Engineering Attacks
Some helpful tips...
As an end user, you have a responsibility to monitor your own activities.
Some Quick Tips to Remember:
- Think before you click. Attackers employ a sense of urgency to make you act first and think later in phishing attacks. When you get a highly urgent, high-pressure message, take a moment to check whether the source is credible first. The best way is to use a different channel of communication from the one the message arrived on, such as texting the person to ask whether they really sent you an urgent email or whether it came from an attacker. Better safe than sorry!
- Research the sources. Always be careful with unsolicited messages. Check whether the linked domains are real and whether the person sending the email is an actual member of the organization. A typo or spelling error is usually a dead giveaway. Use a search engine, go to the company’s website, check its phone directory. These are all simple, easy ways to avoid being spoofed. Hovering your cursor over a link before you click it reveals the real destination address in the status bar, another way to make sure you are being sent to the correct company’s website.
- Email spoofing is ubiquitous. Hackers, spammers and social engineers are out to get your information, and they are taking control of people’s accounts. Once they gain access, they prey on the victim’s contacts. Even when the sender appears to be someone you know, it is still best practice to check with them if you aren’t expecting any links or files from them.
- Don’t download files you don’t recognize. If you (a) don’t know the sender, (b) aren’t expecting anything from the sender and (c) don’t know whether you should view the file they just sent you under an “URGENT” subject line, it is safest not to open the message at all. Doing so reduces the risk of your becoming an unwitting insider threat.
- Offers and prizes are fake. I can’t believe I’m still saying this in the big year of 2018, but if you receive an email from a Nigerian prince promising a large sum of money, chances are it’s a scam.
Five Ways to Protect Yourself:
1. Delete any request for personal information or passwords. Nobody should be contacting you unsolicited for your personal information via email. If you get asked for it, it’s a scam.
2. Reject requests for help or offers of help. Social engineers can and will either request your help with information or offer to help you (e.g. posing as tech support). If you did not request any assistance from the sender, consider any requests or offers a scam. Do your own research about the sender before committing to sending them anything.
3. Set your spam filters to high. Your email software has spam filters. Check your settings, and set them to high to avoid risky messages flooding into your inbox. Just remember to check the spam folder periodically, as legitimate messages can be trapped there from time to time.
4. Secure your devices. Install, maintain and regularly update your anti-virus software, firewalls and email filters. Turn automatic updates on if you can, and only access secured websites. Consider using a VPN.
5. Always be mindful of risks. Double check, triple check any request you get for information. Follow cybersecurity news so you can act swiftly if you are affected by a recent breach. I recommend subscribing to a couple of morning newsletters to keep you up to date with the latest in InfoSec, like Cyware or BetterCloud Monitor. If you are a podcast person, Decrypted by Bloomberg, DIY Cyber Guy and Reply All offer easy-to-digest information and news that’s very user-friendly.
What is social engineering?
As technological defenses become more robust, cyber criminals are increasingly using social engineering techniques to exploit the weakest link in the security chain: people.
Social engineers use a variety of means – both online and offline – to con unsuspecting users into compromising their security, transferring money or giving away sensitive information.
According to Proofpoint's 2019 report, The Human Factor, 99% of cyber attacks use social engineering techniques to trick users into installing malware.
This page outlines the different types of social engineering threats targeting your organisation and explains how to defend against them.
Phishing
The most common form of social engineering attack is phishing.
Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites.
Types of social engineering attacks:
Angler phishing
Angler phishing is a specific type of phishing attack that utilises social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts.
BEC (business email compromise)
BEC (business email compromise) scams are a type of phishing attack in which fraudsters trick people into handing over money or corporate data. Unlike most phishing emails, they are highly targeted.
Pharming
Pharming attacks redirect a website’s traffic to a malicious site that impersonates it, by exploiting vulnerabilities in the systems (such as DNS) that map domain names to IP addresses.
Spear phishing
Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person. Spear phishing is more challenging to detect than regular phishing scams because a message explicitly addressed to the target is less likely to arouse suspicion that it is bogus.
Tabnabbing/reverse tabnabbing
Tabnabbing is a type of phishing attack that manipulates inactive web pages. It occurs when people click away from an open tab, allowing criminal hackers to redirect the site to a duplicate one that they control.
Whaling
Whaling is a type of phishing attack that exploits the influence senior executives have over lower-level roles, such as CEOs over financial executives or assistants.
You can learn more about these and other phishing attacks on our phishing information page.
Other types of social engineering
Phishing is not the only attack to watch out for, however. Other social engineering examples include:
Baiting
Attackers entice victims into inadvertently compromising their security, for example, by offering free giveaways or distributing infected devices.
Diversion theft
Offline diversion thefts involve intercepting deliveries by persuading couriers to go to the wrong location. Online, they involve stealing confidential information by convincing victims to send it to the wrong recipient.
Honey trap
Attackers pretend to be romantically or sexually interested in the victim to persuade them to yield sensitive information or money.
Smishing/SMS phishing
Text messages that purport to be from legitimate entities are often used with other techniques to bypass 2FA (two-factor authentication). They might also direct victims to malicious websites on their phones.
Pretexting
An early stage of more complex social engineering attacks in which the con artist gains a victim’s trust, typically by creating a backstory that makes them sound trustworthy.
Quid pro quo
Quid pro quo attacks rely on people’s sense of reciprocity, with attackers offering something in exchange for information.
Scareware
A form of malicious software – usually a pop-up that warns that your security software is out of date or that malicious content has been detected on your machine – that fools victims into visiting malicious websites or buying worthless products.
Tailgating
A physical security attack that involves an attacker following someone into a secure or restricted area, for instance, while claiming to have mislaid their pass.
Vishing/voice phishing
Vishing is a form of targeted social engineering attack that uses the phone. Types of vishing attacks include recorded messages telling recipients their bank accounts have been compromised. Victims are then prompted to enter their details via their phone’s keypad, giving the attackers access to the victims’ accounts.
Water-holing/watering hole
Watering hole attacks work by infecting websites that a target group is known to frequent. For instance, 2017’s NotPetya infection – believed to be a politically motivated attack against Ukraine – infected a Ukrainian government website and then spread through the country’s infrastructure.
419/Nigerian prince/advance fee scams
These cons involve scammers asking victims to supply their bank details or a fee to help them transfer money out of their country. They originated in Nigeria, and the number 419 refers to the section of Nigeria’s Criminal Code that bans the practice.
How to defend against social engineering attacks
Mitigating the threat of social engineering is a critical component of all cyber security programmes.
It requires a multi-layered approach that combines staff training with technological defences so that your employees can recognise and report social engineering attacks, and any successful attacks do as little damage as possible.
There are four essentials that your social engineering defences should cover:
1. Build a positive security culture
If you or your staff fall victim to a social engineering attack, your security team will need to act quickly to contain it. Therefore, your corporate culture must encourage victims to report incidents as soon as possible.
The last thing you want is a malware infection that dwells on your system for months because the person who inadvertently caused it kept quiet for fear of getting into trouble.
2. Train your staff to learn the psychological triggers and other giveaways
Social engineering attacks are not always easy to detect, so it is essential to understand the tactics they use, such as:
- Masquerading as trusted entities, like familiar brands or people;
- Creating a false sense of urgency to confuse victims, often by provoking them into a state of fear or excitement, so they act quickly without thinking properly; and
- Taking advantage of people’s natural curiosity, sense of indebtedness or conditioned responses to authority.
You should train your staff to:
- Be suspicious of unsolicited communications and unknown people.
- Check whether emails genuinely come from their stated sender (double-check senders’ names and look out for giveaways such as spelling errors and other illiteracies).
- Avoid opening suspicious email attachments.
- Think before providing sensitive information.
- Check websites’ security before submitting information, even if they seem legitimate; and
- Pay attention to URLs and ‘typosquatting’ (sites that look genuine but whose web addresses are subtly different from the legitimate site they imitate).
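The sender and URL checks in the training list above (and the advice earlier on the page about checking senders and hovering over links) automated over a constructed sample message; this is an added example, not code from the original page, and the trusted-domain allow-list, the sample message and the two-character edit-distance threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # constructed allow-list of the organisation's own domains

# Constructed sample: look-alike sender domain and link host plus an urgency cue in the subject.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@examp1e.com>
To: staff@example.com
Subject: URGENT: your password expires today

Reset it here: http://login.examp1e.com/reset
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain `host` imitates, or None if it is trusted or unrelated."""
    base = ".".join(host.lower().split(".")[-2:])  # registrable part: login.examp1e.com -> examp1e.com
    if base in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(base, trusted) <= 2:  # assumed threshold: one or two altered characters
            return trusted
    return None

def phishing_indicators(raw):
    """Apply the sender, urgency and link checks from the training list to one raw message."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    if hit := lookalike_of(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles {hit}")
    if re.search(r"\burgent\b", msg["Subject"] or "", re.I):
        findings.append("subject applies urgency pressure")
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if hit := lookalike_of(host):
            findings.append(f"link host {host} resembles {hit}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` flags all three cues, while a message from a genuine example.com address linking to mail.example.com produces no findings.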
3. Test the effectiveness of the training
Security awareness training should not be a one-off event. You should regularly test the effectiveness of the training and redeploy it as necessary.
For example, a simulated phishing attack – in which controlled phishing attempts target your staff – will show you how susceptible they are and how much your organisation is therefore at risk. With this information, you can retrain those who need it most, reducing your exposure.
4. Implement technological cyber security measures
As well as training and testing your staff, you should implement technological cyber security measures – including firewalls, antivirus and anti-malware, patch management and penetration testing, and access management policies.
This will help limit the number of attacks reaching your staff and minimise the damage from any successful attacks.