July 16, 2019
Social engineering is sometimes described as hacking the human mind. It doesn’t require a lot of innovative code – just enough to mimic a trusted individual or organisation with the aim of convincing the victim to act in a way that benefits the attacker.
Phishing attacks, baiting, spoofing and tailgating are all means of persuading victims to disclose confidential information, open malicious files or click on bad links. Social engineering attacks are on the rise as cyber security systems become increasingly successful at preventing direct attacks.
Cyber criminals choose instead to take advantage of every organisation’s biggest security weakness – its people – to gain access.
Spoofing an email address is relatively straightforward, enabling attackers to impersonate legitimate senders quite easily. Meanwhile, sufficient detail can be found across social media making it easier for hackers to also mimic language, tone, interests, etc.
How do they do it?
Once they have gained our trust, it’s a simple matter of asking for the action – perhaps disclosing or updating a password, or downloading a file that comes with added malware. In both cases, the attacker has an easy way in. And once they are in, they can do all the things that your employees can do – and more.
While some attacks are in and out, others can go on undetected for months, all the while siphoning off data or spying on information. By the time they are detected and booted out, the damage is done.
What can be done to protect your system from this common form of cyber crime? Here are 7 tips to help you prevent social engineering attacks.
1. Educate yourself and all employees on the types of attack out there
Most of these attacks are successful because employees don’t know what they’re looking out for. They are busy and under pressure to deliver, so they don’t stop to question an email from the boss asking for ‘urgent action’ – they just do what they’re asked.
Education around what kinds of approaches they can expect will go a long way to making sure they aren’t fooled by scam emails, phone calls, or tailgaters.
2. Never give up sensitive information
Phishing emails and scam calls will often try to persuade victims to disclose confidential information. Your employees need to know that this is never a good idea.
It might be that you need to improve protocol within your organisation as to how sensitive data is handled.
Sharing data between departments might require some additional authentication beyond a simple email request.
3. Ensure employees don’t repeat passwords
As a rule, our password behaviour is pretty poor. We reuse passwords across multiple accounts. We use common passwords that are easy to crack. We don’t change our passwords, even when we should.
New NIST guidelines address this poor behaviour by encouraging people to use passphrases and password managers, ensuring passwords are easy to remember and hard to hack. Following these guidelines should free up brain space to use a different password for every account.
NIST also no longer recommends maximum password time periods, which can make people turn to sloppy behaviours like reusing or writing down passwords.
That being said, LastPass recommends that passwords should be changed if the account is vulnerable, for example if a service has disclosed an attack, or if the password hasn’t been changed for more than a year.
4. Keep all devices and endpoints secure
Cyber security programmes can’t prevent human mistakes, but they can deal quickly with threats once they are known. Of course, this only works if you are operating best practice security on all devices and endpoints in your business. This part is within your control, so make sure you follow these guidelines on achieving cyber security.
5. Ensure employees do not disclose business-related information online
Many organisations will implement NDAs to prevent employees sharing confidential information about their business online, but still it’s unbelievable what people will post to Facebook without thinking. White hat hacker Stephanie Carruthers told HuffPost:
“Employees will often take selfies with complete disregard for what’s in the foreground or background of the picture, including passwords/sensitive information on whiteboards, computer monitors, voicemail passwords taped to their phones, etc. Also, for some crazy reason, employees post pictures of things like their paycheck.”
Again, education will help increase awareness of the dangers of these behaviours.
6. Check before you click on a link
Phishing emails will often try to direct you to a URL – which will usually end up infecting your computer with a virus. If you’re not sure if an email is genuine, here are a few things to check before you click.
- There are websites such as checkshorturl.com that will tell you the full URL. This should give you an idea of whether or not it comes from a genuine site.
- Be sceptical of any URL that includes a bunch of special characters.
- If the link comes in an unsolicited email, beware. If the email looks like it’s from your bank, for example, go directly to the bank’s website and see if you can access the page from there. If not, it is probably a scam.
7. Keep software up to date
Updates keep your system secure. It’s as simple as that. Failure to update your software can leave gaps for attackers to creep into. Any threats that arise from social engineering attacks will be harder to defeat if your system is vulnerable.
The biggest threat to business
Cyber attacks are the biggest threat to business worldwide – and with 98% of attacks using social engineering methods to access systems, we have to take social engineering seriously.
Educating employees and following cyber security best practice will help prevent these types of attacks, securing your sensitive data and ensuring that your business can thrive.
- 6 Steps to a successful cyber security improvement programme
- Types of penetration test: What’s the difference?
- Cyber essentials vs cyber essentials plus: What’s the difference?
- Human Hacking: A guide to social engineering
- INFOGRAPHIC: Malware examples: What are the different types?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.