Social Engineering
Social Engineering
Social engineering is a term that
describes a non-technical kind of intrusion that relies heavily on human
interaction and often involves tricking other people to break normal security
procedures.
Social engineering is the art of
manipulating people so they give up confidential information. The types of
information these criminals are seeking can vary, but when individuals are
targeted the criminals are usually trying to trick you into giving them your
passwords or bank information, or access your computer to secretly install
malicious software that will give them access to your passwords and bank
information as well as giving them control over your computer.
Sun Tzu.“If you know the enemy and know yourself you need not fear the results of a hundred battles”
Criminals use social engineering
tactics because it is usually easier to exploit your natural inclination to
trust than it is to discover ways to hack your software. For example, it is much easier to fool
someone into giving you their password than it is for you to try hacking their
password (unless the password is really weak).
Common social engineering attack
Email from a friend.
These messages may use your trust and curiosity:
* Contain a link
* Contain a download
These messages usually have a scenario or story:
The message may explain there is a problem that requires you to verify of information by clicking on. The message may notify you that
* You are a winner
* May ask for help.
* Creating a hostile situation
* Get a Job There
The threat of social engineering is real
* 97% of security professionals and 86% of all IT professionals are aware or highly aware of this potential security threat* 43% know they have been targeted by social engineering schemes
* Only 16% were confident they had not been targeted by social engineering, while 41% were not aware if they had been attacked or not
Financial gains are the primary motivation of social engineering
* 51% of social engineering attacks are motivated by financial gain
* 14% of social engineering attacks are motivated by revenge
Social engineering attacks are costly especially in large organizations
* 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years
* 48% of all participants cite an average per incident cost of over $25,000
* 30% of large companies cite a per incident cost of over $100,000
New employees are most susceptible to social engineering techniques
* New employees (60%), contractors (44%), and executive assistants (38%) are cited to be at high risk for social engineering techniques.
Lack of proactive training to prevent social engineering attacks
* Only 26% of respondents do ongoing training 34% do not currently make any attempt to educate employees, although 19% have plans to.
Prevention
Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.
Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
Don’t let a link in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) have become rampant. Once they control someone’s email account they prey on the trust of all the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.
Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
Don’t let a link in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) have become rampant. Once they control someone’s email account they prey on the trust of all the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.
Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
Foreign offers are fakes. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
