What is Social Engineering?
Social engineering is the art of tricking users into making security mistakes so that they give away confidential information. The type of information the attackers are after varies, but when individuals are targeted, the attackers usually want to trick them into revealing their passwords or bank details, or into installing malicious software on their computers.
If you ask any security professional who makes a good target for hacking, the answer is HUMANS: humans are considered the weakest link, because they can always be manipulated into doing something that opens the gate for the attacker.
For example, you may put locks and deadbolts on your doors and windows, or have guards, an alarm system and security cameras; but if you trust the person at the gate who claims to be the pizza delivery guy and let him into your home without a proper check, you are completely exposed to whatever risk he represents.
Types of social engineering attacks
Phishing Attempts: The most common social engineering attacks come from phishing. In this type of attack, the attacker sends messages by email, instant message, comments on your social network posts or even SMS, claiming to be from a well-known business, bank, school or university, in order to obtain your username and password or your bank information.
The message can have these stories:
- The message may say there is a problem with your bank account and ask you to click a link to fix it; the link then asks for your account credentials.
- The message may claim that you have won a lottery.
- The message may ask for help or for a charity donation.
- You may receive a phone call saying you have won 1 million Afs, with a request to send a top-up of 500-1000 Afs before the prize can be transferred.
Ransomware in Phishing: In recent years we have witnessed a rapid rise in ransomware delivered through phishing email. The attacker sends you an attachment with a name such as URGENT ACCOUNT INFO and a double extension such as .pdf.zip or .pdf.rar; when you open the file, the attacker encrypts your entire hard disk or specific folders and demands a bitcoin payment to unlock them. After receiving the payment, they decrypt your hard drive or folder.
Baiting: Baiting attacks involve offering victims something they want. These attacks often appear on peer-to-peer sharing sites where you can download hot movies, celebrities' pictures or pirated Hollywood or Bollywood films. When you click the download button you may be downloading malware instead of, or in addition to, the files you actually want.
Quid Pro Quo: Similar to baiting, quid pro quo involves an attacker offering a service in exchange for critical data or login credentials. For example, an attacker may call you and offer free IT assistance in exchange for your login credentials.
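As an added example (not part of the original article), the following Python check flags attachment names that use the double-extension trick described above, such as URGENT ACCOUNT INFO.pdf.zip, so a mail gateway or help desk can quarantine them for review; the extension lists and sample filenames are constructed for illustration.

```python
# Extensions attackers use to make an archive or executable look like a
# harmless document (this list is an assumption for the example).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
DANGEROUS_EXTS = {"zip", "rar", "7z", "exe", "scr", "js", "vbs", "bat", "cmd", "lnk"}

# Constructed sample attachment names, as they might appear in mail logs.
SAMPLE_ATTACHMENTS = [
    "URGENT ACCOUNT INFO.pdf.zip",
    "URGENT ACCOUNT INFO.pdf.rar",
    "quarterly-report.pdf",
    "photo.jpg.exe",
    "archive.zip",
    "notes.txt",
]


def attachment_extensions(filename):
    """Return the lower-cased extension chain of a filename.

    'URGENT ACCOUNT INFO.pdf.zip' -> ['pdf', 'zip']
    """
    parts = filename.strip().lower().split(".")
    # Everything after the first dot is treated as the extension chain;
    # empty pieces from names like 'a..zip' are dropped.
    return [p for p in parts[1:] if p]


def is_disguised_attachment(filename):
    """True when the real (outermost) extension is an archive or executable
    while an inner extension pretends the file is a document."""
    exts = attachment_extensions(filename)
    if len(exts) < 2:
        return False  # a single extension cannot be a double-extension trick
    outer, inner = exts[-1], exts[:-1]
    return outer in DANGEROUS_EXTS and any(e in DOCUMENT_EXTS for e in inner)


def triage_attachments(filenames):
    """Return the attachment names that should be quarantined for review."""
    return [f for f in filenames if is_disguised_attachment(f)]


if __name__ == "__main__":
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print("quarantine:", name)
```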
How to Prevent Social Engineering:
- Do not open emails and attachments from suspicious sources – if you do not know the sender, or you know the sender but the email looks suspicious, never open the email or the attachment.
- Always update your anti-virus/anti-malware software – turn on automatic updates for your anti-virus/anti-malware software.
- Set your spam filters to high – every email client has a spam filter option; make a habit of setting the spam filter to high.
- Perform regular backups to an external medium (an external hard drive or the cloud). After backing up, disconnect the drive: current ransomware is known to encrypt connected backup drives as well.
- Phishing and baiting – these schemes are often used in employment fraud targeting recent college graduates. Whether you are on social media or applying for jobs, do your research before you click, and visit HTTPS sites through a trusted search engine rather than via links in email or social media.
- Reject requests for help or offers of help – legitimate companies and organizations do not contact you out of the blue to provide help.
- Delete any email that asks for financial information or passwords – if you are asked to reply to a message with personal information, it is a fraud.
- Beware of downloading files – if you receive an email and do not know the sender personally, or you know the sender but the email looks suspicious, do not download the file.
- Humans need to be trained – humans are the weakest link, and security awareness training programs help reduce the risk of compromise and raise the level of awareness in the organization.