Humans can be the weakest link in your security. You can have all of the best software and tech implemented to protect from cyber attacks, but if a employee slips up it could be game over for your organization. While security technology can be pretty effective in warding off criminals, which is why it is often your humans who are targeted in cyber attacks.
Social engineering is the act of psychologically manipulating individuals into performing an act that could give cyber criminals a foothold into their organization.
Bad actors could be seeking login credentials, direct access to your network, or someone willing to download a malware infected file. There are many forms of social engineering that hackers utilize, but the most effective ones play off of emotion. Hackers will often impersonate either a fellow employee or person in authority in order to persuade you into taking a desired action. A bad actor may impersonate your boss and demand you give him access to certain files ASAP. In this instance the social engineer is playing off the fear of the consequences that may come if you don't act.
Direct financial loss from successful phishing attacks increased by 76% in 2022 (ProofPoint)
- Phishing - The most common form of social engineering is phishing. This is when a hacker sends out an email requesting a user to either give up information, click on a link, or download a file. The hacker will impersonate an employee, a banking company, or other organization in order to trick the individual.
- Spear Phishing - This form of phishing is more targeted than the generic form. Spear phishing targets a CEO or executive in position of power. It requires much more research and prep on the hackers side, but can yield much larger results if successful.
- Watering Hole - Cyber criminals will often create a false version of a website that you or others may often visit. You may click on this website looking to check your bank statement unaware that it is a very close recreation of the real thing. Once you enter your credentials the cyber criminals now know what you would use to access the real website.
- Scareware - One of the easiest emotions to play off of is fear. Sending you an email or inundating you with pop-ups warning you that "you're device has a virus" or "you've been hacked" can scare people into clicking whatever link or file they think will save them. Of course your system isn't actually infect, they're just trying to make you think it is.
How To Protect Yourself From Social Engineering
Unfortunately there is no silver bullet to defeating social engineering, but there are steps you can take to protect yourself and your organization from hackers.
- Don't react on emotion - If you are greeted with an email or pop-up trying to intimidate or scare you into taking an action then it's best to think before you click. Don't react out of fear or worry, but examine the request more closely to make sure it's legitimate.
- Don't click shady links - This on may seem like common knowledge, but do not click on links or download files that you think are shady or odd. If You're being asked by your boss to do something out of the ordinary or download something you wouldn't usually, double check.
- Use a spam filter - A quality spam filter can help block some of the most blatant attempt of phishing or spear phishing. While not full-proof a spam filter may help you avoid a good chunk of social engineering attempts.
- Only Verified Websites - Make sure when visiting a website that it's the correct one. Before hitting search make sure you've typed the URL correctly and haven't included any typos. Hackers will often make fake websites that look like the real thing but with a URL that's just one letter off.
It’s time to protect your organization and humans from social engineering - start with Security Awareness Training. This is not a one time deal, you must continue to remind and teach your humans.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.