What is Social Engineering?
How your online profiles can be used against you.
How your online profiles can be used against you.
With the wealth of information about business and people available online, it is little wonder that criminals can and do use it for malicious purposes.
These malicious individuals—as well as rival companies and even foreign intelligence agencies—can use information found online to learn more about a target – such as a specific person that could provide a pathway into a corporate network. This method of collecting information is known as reconnaissance and is used for social engineering and phishing attacks.
Social Engineering is the subtle art of human manipulation in order to control and change the actions of others. It is a method used by hackers to manipulate people into giving up sensitive information, such as passwords or bank details. These methods are effective as they take advantage of most people’s natural inclination to trust.
Surprisingly, it is a lot easier to trick someone into giving up their password than it is to hack it. You are particularly vulnerable if you:
The best defence against social engineering attempts is education.
Pretexting
Attackers create a fabricated scenario to trick their victims into giving up personal information.
Quid pro quo
A good example of this type of social engineering is a scam where someone claiming to be from a an IT service provider (or similar) calls asking for details. The fraudsters often promise a quick fix to an issue in exchange for the victim disabling their antivirus program and for installing malware on their computers that assumes the guise of software updates.
Baiting
Criminals often take advantage of people’s inherent desire for free stuff. Baiters will offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Tailgating
Social engineering also employs physical tactics as well as cyber ones – the best example is tailgating. This is where someone who lacks proper security clearance follows an employee into a restricted area.
While there are a range of online platforms where your information could be listed, social media profiles, in particular, leave us exposed to hostile or nefarious acts, as they reveal both personal and professional information that can be exploited and used to plan cyber-attacks, or in some cases physical attacks. Take a look at our blog post on how we test for cyber and physical vulnerabilities.
A hacker’s job is made a lot easier if they have certain details about a network and its users; by using reconnaissance techniques on online profiles, company websites or blogs, the hacker can learn employee job roles, contact details and addresses. For example, with the right information (i.e. a corporate email address) a cybercriminal could launch a spear phishing campaign to gain access to an organisation’s system.
Review your privacy settings on social media
Ensure that you set the security settings correctly—never have your profile be public—ideally it should be set to friends and family only.
Be careful about what you share
Set up a social media specific email address
Set up a separate email account to register and receive email from the site. That way if you want to close down your account/page, you can simply stop using that email account.
Use a strong password
Always use strong passwords that have no relation to any of the content on your online profiles. For more tips on passwords, take a look at our post on password hygiene.
Use antivirus
Ensure that you have up-to-date antivirus/antispyware software installed.
Slow down
If an email conveys a sense of urgency, or uses high-pressure sales tactics, always be sceptical because chances are that a criminal is trying to trick you into giving up your information.
Be aware of your surroundings
On the physical side of things, always be aware of your surroundings. If you don’t recognise someone do not let them into your building, scammers often rely on people being polite (holding doors open etc.)
Research the facts
When receiving an email containing links, do not click on them as they may not be legitimate, and you should always be wary of unsolicited messages. Even if an email looks like it is from a company you use (or have used), do your own research. For example, use a search engine to go to the company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords
Any message asking for personal details is a scam.
By educating people on the threats posed by social engineering, the threat can be reduced significantly. Knowing what looks suspicious, what not to click on and keeping sensitive details secure could save an organisation a huge amount of money in the long term.
If you would like to educate your organisation on social engineering and phishing, talk to us about how we can help. Our team of cyber security experts can provide a range of training and services that can help defend your systems, reputation, and bottom line.
Contact us to start a discussion.
Everything that I have learned about the US elections this year has been against my will. Don't get me wrong, I am well aware that whoever controls the White House has significant impact around the world, and I will admit that keeping up with American politics makes me a better analyst.
Digital threat intelligence helps us respond to harmful entities and their activities online. As our professional investigation capability evolves, so do the online tactics of threat actors themselves, in something of a perpetual cat and mouse game.
I don’t think many people have escaped the devastating news about the recent hurricanes that have hit the US in recent weeks.