Social Engineering: Types & Prevention Techniques

 Social Engineering, unlike common hacking methods such as brute-forcing, cross-site scripting, or keylogging, instead uses a variety of psychological, informational, and behavioural techniques in order to access an organization’s information by exploiting a company’s weakest link - its employees. It’s also the underlying technique used to implement some of the most common methods of attack such as phishing and ransomware.

Verizon’s 2020 Data Breach Investigations Report ranked Social Engineering attacks as the 2nd highest cause of data breaches. These attacks have been rising over the years due to the relative ease of execution and lack of technical knowledge needed.




The top most common Social Engineering attacks:

1. Pretexting

The practice of impersonating or fabricating an identity in order to obtain sensitive information from a target. Pretexting works by building a false sense of trust with a target so that they can gain access to company information down the road. Cybercriminals tend to impersonate HR officials so it is very important to always verify the identity of the person you are speaking with before disclosing information.

2. Tailgating

Tailgating is the physical act of a malicious actor following a person with access or credentials into a private location in order to obtain private information. Tailgaters may be dressed like a delivery driver or employee in order to bypass suspicion when entering a building. Another example of tailgating is when someone strikes up a conversation with an employee in order to follow them into their place of work. If this happens to you, be sure to check their credentials to ensure they are allowed to be there.

3. Quid pro quo

Includes offering an incentive such as prizes in exchange for sensitive information. A common example of a quid pro quo attack is when an adversary contacts an employee offering free IT support in exchange for login credentials.

4. Baiting

Includes leaving or gifting (fabricating a scenario such as a contest) a physical device such as a USB flash drive, a digital music player, or other device infected with malware, delivering a malicious payload when the target plugs in the device. Cybercriminals have been known to leave CDs in public areas in hopes that employees find and launch them out of curiosity.

5. Phishing

Website or communications that mimic the appearance of official companies or personnel to steal credentials and sensitive information from an organization’s employees. Phishing attacks are carried out in a variety of ways such as through email, call, or even on a website. Given that identical messages are sent out in most phishing attacks, you can verify their legitimacy by asking co-workers if they received the same message. If the message came from an unknown source and was sent to your entire company, it is likely a phishing campaign.

Signs of a Social Engineering attack

Uncommon or suspicious URL strings

Check the URL in the web address bar. Sometimes the brand is misspelled, has extra characters after ‘.com’, or has a different country extension (.ru instead of .com). This can be a sign of an illegitimate site.

Strange spelling, grammar, and capitalization

Non-English speaking hackers may be using translation services to create copy designed to steal your credentials. While mistakes can sometimes occur in legitimate websites due to oversight, consistently bad grammar or incorrect spelling combined with a suspicious URL is a dead giveaway of a phishing site.

Strange branding/messaging

Hackers sometimes alter a brand’s copy or messaging in order to obtain the required information from you. Look for subtle changes or odd requests in the site’s copy along with suspicious URLs.

Tips for avoiding Social Engineering attacks

As Social Engineers look to manipulate human behaviour, it is important that you stay alert for any suspicious documents or out-of-character emails from company officials. Following these tips can help you ensure that you stay vigilant to Social Engineering attacks.

  • Never provide credentials to anyone, online or on the phone: Social Engineers will try to coarse you into disclosing credentials so it is important that you only share personal information with trusted sources.

  • Double-check file extensions. If a ‘PDF’ ends in .exe, it’s likely malware: PDF files will always end in .PDF. If a file does not, then there is most likely a malicious payload attached to the file.

  • Be vigilant in verifying website authenticity: Check for security indicators such as HTTPS and the Google padlock icon. Additionally, take time to verify a website’s domain is legitimate before entering personal information. This can be done by analysing the subdomain and top-level domains in a URL for out of place characters. Double-check and verify that emails are coming from the right person: Titles, positions, and even email headers can be fabricated with an out-of-band communication method, such as a direct phone call or in-person communication.

  • Implement a ‘least-privileged’ policy: Limiting network access by employee duties can help to bolster network security and combat insider threats. When employees only have access to the parts of the network they need to do their job, you can localize breaches and reduce the impact of an attack.

Comments

Post a Comment

Popular posts from this blog

Credit Card Payment Fraud & How to Avoid Theft

Image
Security and compliance often appear to go hand-in-hand these days. Problematically, many companies start with compliance then reverse-engineer security in a nearly futile attempt to protect data. In the payment card industry, the Payment Card Industry Security Standards Council (PCI SSC) established PCI Data Security Standard (PCI DSS) which sets the “gold standard” for compliance. Meanwhile, despite meeting the compliance standard, cardholder data (CD) remains a  primary target for cybercriminals . By understanding the seedy underbelly known as the Dark Web and the way Cybercrime-as-a-Service (CaaS) works, merchants and payment card processors can better secure CD from fraud and theft. What is payment card fraud and why is card information so valuable? Payment card fraud, also known as credit card fraud, is defined as the unauthorized use of a credit card, debit card, or similar payment tool. Cybercriminals often fraudulently utilize payment data to steal money or property from their
Read more

Internet Safety Rules

Image
  Most of us rely heavily on the internet to enjoy social media, online education, remote work, and all sorts of entertainment. So, CYBERCLICK is sharing some information about " Internet Safety Rules " .   Rules To Be Followed: 1.  Keep your confidential data offline Identity theft cases made up the biggest single category of  crimes reported to the FTC in 2020 .     But cybercriminals cannot access or steal your personal information if it’s nowhere to be found on the internet.     That’s why some data — such as your Social Security Number — should just never go online. However, when you still have to share it, be sure to send it as an email attachment and   encrypt the file   before sending.   2. Check a website’s reliability As of January 17, 2021,  Google had registered more than 2 million phishing sites . But how do you tell a reliable site from a fishy one? First, look at the address line: It should have a little padlock at the beginning — this means the connection is
Read more

Spam and Phishing

Image
  Malicious Email A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency or any other service or business. It often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address. If you are unsure whether an email request is legitimate, try to verify it with these steps: Contact the company directly – using information provided on an account statement  on the company’s official website or on the back of a credit card. Search for the company online – but not with information provided in the email. Spam Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. Here are ways to reduce spam: Enable filters on your email programs:  Most internet service providers (ISPs) and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It’
Read more