The human factor and social engineering
In our organization, we did all our cybersecurity duties. All systems and applications are up to date with respect to IT security. Our network has several layers of defense against malicious attacks. We communicated our well-written IT policies and processes to everyone.
Well done. It seems we can relax.
Sure? Not so sure.
In that blueprint, we didn’t include the social engineering (SE) threat. But what is “social engineering”? In short, it’s “any act that influences a person to take an action that may or may not be in their best interest.” What does this tell us? SE can be used for good and also for bad. We will focus on the latter.
First, we need to know how the bad guys influence people. They do it through psychological manipulation. Common techniques are the appeal to vanity, the appeal to authority and the appeal to greed. They also exploit our altruistic desire to help. They always act with a strong sense of urgency, so that the victim has no time to think. They can even resort to coercion.
The most known types of SE attacks include:
- Phishing, spear phishing and whaling: this type of SE rests on sending emails disguised as legitimate ones. The key is that they pretend to come from a legitimate source. Their aim is to obtain personal or financial information or to install malicious code. Spear phishing is aimed at a specific group of people, while whaling targets high-level executives.
- Pretexting: one party lies to another in order to gain some advantage over him or her.
- Impersonating: an in-person tactic in which the attacker pretends to be someone with a legitimate purpose (a repairman, an inspector) to gain access to places that he or she otherwise couldn’t enter.
- Baiting: the distinctive feature of this attack is that the attacker promises something to entice victims. It appeals to human curiosity, so the “bait” can also be a physical object (for example, a planted USB drive).
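Phishing emails can be screened for the traits described above (a sender that only pretends to be legitimate, a reply address that leads elsewhere, links whose visible text does not match their destination, and artificial urgency). The following is an added example, not code from the original article: a small indicator scorer that runs over two constructed sample messages. The trusted-domain list, the urgency phrase list and the sample messages are all assumptions made for the example.

```python
"""Heuristic phishing-indicator scoring for incoming e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation treats as its own (constructed for this example).
TRUSTED_DOMAINS = {"example.com"}

# Phrases that signal manufactured urgency (an assumed list, not from the article).
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "act now")

# Matches <a href="...">visible text</a> in an HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True for a trusted domain or any of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name invokes a trusted brand while the address domain is untrusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_domain not in TRUSTED_DOMAINS:
            indicators.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Reply-To sends answers to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    body = msg.get_payload(decode=True)
    text = body.decode(errors="replace") if body else ""

    # 3. Link text names a trusted domain but the href resolves elsewhere.
    for href, anchor in LINK_RE.findall(text):
        href_host = host_of(href)
        if any(t in anchor.lower() for t in TRUSTED_DOMAINS) and not is_trusted_host(href_host):
            indicators.append(f"link text mentions a trusted domain but href goes to {href_host}")

    # 4. Pressure to act without thinking.
    lowered = text.lower()
    found = [p for p in URGENCY_PHRASES if p in lowered]
    if found:
        indicators.append("urgency language: " + ", ".join(found))

    return indicators


# Constructed sample: a lookalike sender, foreign Reply-To, deceptive link and urgency.
PHISH = """From: "Example Corp IT Helpdesk" <helpdesk@example-corp-support.net>
Reply-To: recover@mail-recovery.biz
To: alice@example.com
Subject: Password expires today
Content-Type: text/html

<p>Your password will expire. Act now and reset it immediately.</p>
<p><a href="http://example.com.login-verify.net/reset">https://example.com/reset</a></p>
"""

# Constructed sample: a routine internal notice with nothing suspicious.
LEGIT = """From: "Example Corp IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html

<p>Mail will be unavailable Saturday 02:00-04:00. No action is needed.</p>
<p><a href="https://intranet.example.com/status">https://example.com/status</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Each indicator on its own is only a hint; the value of the scorer is that a real phishing message usually trips several at once, while a legitimate internal notice trips none. It is a screening aid for the mail gateway or the help desk, not a replacement for the user habit of verifying the request through a channel the sender did not provide.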
How to defend ourselves against social engineering attacks
So, we can see that SE is a huge problem. According to a survey, 60% of enterprises were victims of social engineering attacks in 2016, compromising both employee credentials and financial accounts. Therefore, it is paramount for any organization to take measures so that our personnel do not fall for these tricky tactics. Among others, we can mention:
- Think before acting: be suspicious of any unsolicited email, chat or phone call that asks for personal information. Never reveal important or sensitive information over email. For phone calls, politely tell the person that you will hang up and call back. Then contact the alleged entity at a number you looked up yourself.
- Don’t click: whatever the sense of urgency, never click an unsolicited link or open an unsolicited file. Do not download anything from the received email or from a web page it redirects you to.
- Don’t let yourself be intimidated: always check the credentials of any person who asks you for something out of the ordinary, especially if he or she tries to intimidate you by imposing authority. Don’t trust the pal who asks you to let him tailgate because he forgot his pass…
In conclusion, it is always a good idea to exercise some suspicion and caution when someone requests personal or sensitive data. It will spare you future headaches and problems.