Don’t want to be a victim of social engineering – learn 3 ways to defend yourself
People, like computers, can be hacked, and an attack on a company may well begin with an attempt to manipulate an employee. Some time ago the media publicized a method of deceiving the elderly known as the “Granddaughter” scam, in which someone impersonated the grandchild of an elderly person and asked by phone for a certain amount of money to be handed to a “trusted intermediary”. It is probably the most widespread social engineering technique in Poland.
Social engineering is a special type of hacking technique in which attackers manipulate victims to obtain information about an organization or about the victim themselves. It can be defined in an extremely simple way that still captures the essence of the technique: “Persuading an individual to perform an action which may or may not be in their best interest.”
The above definition may sound general, but that is because social engineering attacks take many forms, both with the use of a computer and in the physical world. Given this definition, it becomes clear that almost every security incident involves some kind of social engineering.
This is because this set of techniques is based on principles instilled deep in our subconscious, formalized by Robert Cialdini:
- The principle of reciprocity: people feel obligated to pay back what they have received from others.
- The principle of commitment and consistency: people usually stick to what they have already chosen.
- The principle of social proof: people have more confidence in things that are promoted by people they trust.
- The principle of liking: people are more likely to comply with the demands of people they like.
- The principle of authority: people follow others who seem to know what they are doing.
- The principle of scarcity: people are always attracted to things that are perceived as exclusive.
Cialdini emphasized the power of these “weapons of influence” in the context of sales and marketing, but they are equally useful in a security context, where cybercriminals often use them to bypass cyber defenses.
For example, hackers often try to take advantage of the principle of reciprocity with the tactic of “decline and withdraw.” When opening a conversation, the scammer asks for something extreme, such as “I would ask you to log out of your computer and leave it until tomorrow so that all systems can be updated.” When the target says “no,” the scammer “steps back” and offers a second, more “reasonable” request, such as “Then maybe you can give me your access details and I will perform the update outside your working hours.” Having declined the initial proposal, the target feels compelled to reciprocate by yielding to the impostor’s second, more tolerable request. Hackers also use the principle of authority by making phishing emails appear to come from authoritative bodies. And we should all be wary of “friend requests” from unknown but attractive members of the opposite sex, as it is very likely an attempt by a cybercriminal to use the liking principle to compromise our personal data.
Other examples include:
- Phishing attacks are designed to trick unsuspecting users into clicking a link, downloading a file, or providing personal information in response.
- Phone spoofing, or “vishing” – the scammer calls to obtain personally identifiable information or to have a password reset.
- Decoy attacks exploit someone’s curiosity to trick them into doing something the attacker wants, such as plugging in a found USB stick, which then injects malware onto the network.
- SMS spoofing can also be used to convince smartphone users to call a number set up to collect data, steal bank account information, etc.
Anyone can fall victim to social engineering. We all have our own cognitive biases, and most of the time we are not aware of them. Certain groups are particularly vulnerable, such as older people who lack technological knowledge, often suffer from a lack of interpersonal interaction, and may have money and assets that are valuable to fraudsters. But age and technological knowledge alone, even in business, cannot protect people from psychological manipulation. There is no generally accepted pattern of a “typical victim” of a social engineering attack.
However, chances are you have something to fear if:
- you have access to a secure system that stores sensitive data;
- you are a public figure, your name and surname are known, and your contact information is easy to find;
- you are a wealthy person;
- you work in a helpdesk or call center;
- you have any relatively valuable password-protected resources on the Internet.
In short, anyone can be targeted, whether you fall into one of the categories above or not. If you are part of our modern connected world, you must be careful.
Social engineering attacks take so many forms that there are no universally applicable good practices for protecting against them. Individuals and organizations must use a variety of methods and constantly improve them, if only to keep challenging those who use social engineering. It is worth emphasizing – NOTHING can give you 100% certainty. Well, maybe getting rid of material goods and living in a hermitage cut off from society (but what if someone likes your cave?).
The 3 most important ways to defend yourself
1. Be aware of what information you share
Many social engineering attacks depend on knowing something about the intended target. And where better to gather this information than on social media?
Something as seemingly irrelevant as posting a photo of your child’s birthday party gives the social engineer several leads for answering security questions, trying a PIN, and guessing your password. Going on vacation, talking about your favorite books and movies, discussing where you met your partner – all of these are pieces of information that you freely share with attackers when you post publicly on the Internet.
To be safe, make sure that your profile either contains none of this type of information and is intended for public sharing, or is locked down so that strangers cannot see what you don’t want them to see.
2. Take care of the knowledge and awareness of your users
IT departments should make sure email filters are in place to block spam and phishing attempts, and all employees should be trained to recognize phishing and other forms of social engineering. Make sure people know what warning signs to watch out for.
Users should be trained to question anyone they do not recognize, and anyone who turns up in an area where they would not normally be. Asking questions or being questioned may be uncomfortable, but it is better to ask and get to know a colleague than to be responsible for letting an attacker in through the front door.
3. Policies & Procedures
Introduce rules to prevent hacking, digital or physical, by means of social engineering. Make sure passwords are long and complex, force users to change passwords regularly, require two-factor authentication, block users from performing certain activities outside the office, and ensure tight control of physical access tools such as RFID cards and access codes.
It may seem insurmountable in the face of potential bogus phone calls, phishing emails, slick callers, and disguised attackers, but it’s not: you just need to know what sensitive information is, control how it is shared, and be alert when something does not add up.
The above methods will not eliminate your chances of becoming a victim of social engineering – as we mentioned, there are too many attack forms, and new ones are constantly being created. However, by putting up every possible barrier to entry, you can significantly reduce your chances of being a victim: think of fighting social engineering less as plugging every possible hole, and more as making an attack more trouble than it is worth.
Social engineering works both ways – you can also surprise the attacker with your preparation and awareness.