Preventing Social Engineering Attacks
Social Engineering attacks are carried out by way of human interaction in order to obtain confidential information about an organization or an individual. Unlike many viruses that infiltrate a computer system or electronic device, this kind of attack can only be successful if the victim interacts with the malicious software or the attacker. It is much easier for the attacker to have access to personal and company information by exploiting the human element than it is to hack a computer system and search for the information.
Attackers that use social engineering attacks usually try to build a bond between themselves and victims. These attackers will pose as anyone; computer repair individuals, bank tellers, security guards, repairman or even “close friends”. They will not necessarily be targeting you, they can use any information given to them by an individual to gain access and steal information from the corporation you are working with, computer systems, database systems, and other bank accounts.
5 Common Types of Social Engineering Attacks
Phishing involves sending fake emails, websites and chats in order to acquire personal information. This information can be anything, from bank account number, account passwords, social security number or address. The attacker impersonates a reputable organization and send these fake messages to unaware individuals, in order to trick them into handing over their information. The email sent by the attacker will contain links that redirect individuals to a website set up by the attacker beforehand to capture the information they input. Messages sent may also indicate to an individual that they won prizes and have a link in the message to a website where they may collect their prize.
Tailgating or “piggybacking,” is when the attacker gains access to a company or a restricted area by following an employee. An attacker will sometimes pose as someone doing a delivery in order to gain access to restricted areas where only employees and persons with special passes are allowed to enter. Once inside, the attacker may steal valuable company information or plant a bug on a computer system to allow them to have access to the network and company databases when they leave.
The attacker carrying out a baiting attack will offer prizes, free music, free movies and paid surveys in an attempt to get users to submit personal information. These attacks can also be in the form of notifications when you visit a website that has been compromised by an attacker, for example, one might be offered a free antivirus software to clean viruses off their PC.
Another common type of baiting attack is where the attacker installs malicious software on flash drives and leave it in the open, for example in a food court or parking lot. Once someone takes that flash drive and inserts it in their computer, the malicious program will then infect the computer system. This will allow the attacker to have unrestricted access to that computer system.
Pretexting is similar to phishing scams, except that in this case the attack is done by way of human interaction. The attacker seeks to gain information under false pretense by sending fake text messages and phone calls to their victims to confirm their identity for security purposes. The attackers may pose as representatives of a phone company, a doctor’s office, bank clerks, or even management figures in large organizations.
Quid Pro Quo
Quid Pro Quo attack is the kind that promises the victims certain types of remunerations in exchange for personal information. The attackers will at times tempt their victims with online job offers in exchange for valuable information or even passwords. More often, the attackers will pose as IT repair personnel making fake calls to their victims that their computer is infected with malware or viruses and they should pay in order to have it cleaned.
5 Tips to Prevent Social Engineering Attacks
1. Keep Informed
The human element is often times referred to as the weakest link in the Information Technology field. Therefore, the first step one should take to prevent social engineering scams is to educate yourself about how the attackers go about carrying out the attacks. Take the time out to properly read the privacy statement of websites. If you are unaware about anything in the privacy statement, contact the party directly to get them straighten it out for you.
2. Do not give out confidential information
Confidential information should always be confidential and is not to be shared with anyone that it was not intended for. Delete emails requesting verification of information that you are unaware of and report it to the relevant authorities or the company that you are doing business with.
3. Keep all software up to date
Everyday new viruses and malware are developed by hackers with the sole purpose to infiltrate any system they can. Ensure that all security software and system software are up to date. Software that is kept up-to-date are more difficult to exploit that those that are outdated. It will also be very difficult for computers that are kept up to date to get infected with newer malware and viruses.
4. Educate employees about social engineering attacks
Companies should send their employees to security workshops in a bid to keep them abreast with the constant change in the information technology field and the security risks that comes with it. Employees that are educated about the cyber threats that are around are better equipped to handle themselves if they are faced with certain compromising security situations.
5. Increase the security level of email spam filters
Increasing the level of spam filter in email settings, will reduce the amount of spam mail that you receive in your inbox. This can be done with on all email programs by adjusting the spam filter settings. The only drawback to this is that from time to time you will need to check the spam or junk folder for legitimate email messages that was accidentally sent there due to the settings in place.