Cybersecurity is a crucial consideration for organisations all over the world – and according to a survey from industry experts, the Ponemon Institute, 7 out of 10 organisations say their security risk increased significantly over the course of 2017.
2017 was a landmark year for the existential threat cybersecurity poses to our society.
WannaCry, the ransomware that crippled businesses across the globe, was facilitated by businesses failing to update their copies of Windows XP.
But away from ransomware, viruses and similar threats, our society is particularly vulnerable to social engineering attacks. It is an attack vector that is overlooked in favour of the flashier threats.
In this blog post, we’ll explain what social engineering is and what it can do, and share our top tips on how you can counter its threat.
What is social engineering?
Social engineering is the psychological manipulation of people to get them to do things or reveal secret information. Essentially, it is a scam tactic, not so dissimilar to cons popularised in films such as Dirty Rotten Scoundrels.
Common themes in social engineering attacks involve exploiting the target’s trust. This can be through something physical, like a USB stick, or by asking for information over the internet, imitating people the target knows, or even asking recipients to download some sort of file.
Some social engineering attacks are so sophisticated that it is extremely difficult to tell the difference between a scam and a legitimate message.
No doubt, you will have encountered some sort of social engineering tactic at some stage in your life – whether it is at home or at work.
Social engineering in pop culture
James Veitch, a British stand-up comedian, produced one of the more memorable TED Talks with his seminar –
In it, Veitch showcases a series of emails he exchanges with a fraudster from Nigeria. In the emails, the fraudster is attempting to extort money for an imaginary investment.
While the session is entertaining, it illustrates the dark underbelly of the internet and how it is key to check the source of every single email and to carefully consider the context of what it is you’re replying to.
Social engineering doesn’t just cover emails. In fact, a whitepaper titled – Users Really Do Plug in USB Drives They Find – demonstrates a growing trend.
Researchers scattered 297 flash drives, loaded with dummy malware, across a large university campus. They tested whether people would pick a device up and plug it into a computer without checking its contents first.
The results were staggering. The first device was connected to a computer six minutes after it was dropped, and overall, the test had a success rate of 45%.
Tips for preventing social engineering attacks
There are thousands of different social engineering scams in circulation. To go through them all would take far too long, so we’ve designed our tips to encompass scams as broadly as possible:
#1 – Take a minute, slow down
Spammers want you to act instantly, instead of taking the time to think. Usually, spam messages will convey a sense of urgency. In these instances, always try to remain objective and sceptical.
Take care and time to review everything in an email to ensure you’re not falling for a scam.
#2 – Never surrender sensitive information
If someone is asking you for passwords, bank details or other personal information, never surrender this data.
Only divulge this information on a secure channel, such as a website with a valid SSL certificate – for instance, ecommerce websites such as Amazon or eBay.
#3 – Secure your devices
Install the latest anti-virus, firewalls and email filters across all your devices, including your mobile phone. You should prioritise operating system updates and set them to automatically update – so you don’t miss a single one.
Finally, make sure all your security software is up-to-date with the latest definitions and threats – that way you’ll be able to tackle problems as they arise.
#4 – Treat downloads with care
Whether it is an attachment to an email or a download from a website, take care when downloading files. Often, it is emails sent from people we don’t know personally that contain malicious files.
If you get an unsolicited email with a file attached, don’t download the file; instead, run anti-virus checks on the file to verify its authenticity. Anti-phishing tools also go a long way to securing yourself from the threat of viruses and malware.
#5 – Check links
Some scammers create sophisticated look-a-likes of real websites, all while making the links within an email or message seem genuine.
Make sure you double-check links before clicking on them: right-click any embedded link and paste the URL into Notepad. Does the link correspond with what you’re trying to click onto? Often, URLs for malicious sites won’t look familiar.
#6 – Set your spam filter to high
Whether you’re using Microsoft Outlook, Gmail or some other program, make sure your spam filters are set to high.
Typically, these settings are found in the settings portion of your favoured email client. Just make sure you check the spam folder when you can to make sure nothing legitimate has slipped through the cracks!
#7 – Never use the same password and change frequently
We know how tricky it can be to remember passwords for your online banking, work email, social networks and other accounts.
Most people use the same password for everything, so if your password were to be compromised by a hacker, one of the first things they’ll do is try your login details on another site.
Don’t do this; keep the password for each site unique. Use a combination of letters, numbers and special characters to ensure it’s tough to crack your password.
Do you have any tips to share?
At Wax Digital, as a leading SaaS eProcurement provider, we take data security very seriously, and as such, our IT team employs the latest techniques and technologies to secure our systems.
But, we’re always on the hunt for new knowledge, and to that end, do you have any tips you’d like to share with us?