Most modern human-centric data breaches involve social engineering. Learn how to protect against this kind of attack, and don’t let cybercriminals deceive you.
Social engineering is the art of deceiving a user into disclosing sensitive information. Criminals exploit the natural human tendency to trust, and they play on emotions such as fear, anxiety, and urgency. Unfortunately, social engineering attacks are frequent. The Verizon Data Breach Investigations Report (DBIR) says 82% of breaches in 2022 involved the human element, with social engineering accounting for many of those human-centric events.
Social engineering attacks are not only becoming more frequent but also more sophisticated. The Verizon report concluded that many attackers don’t hack into systems. They log in. This means everyone is susceptible to social engineering. Typically, it is a human who takes a wrong action, resulting in a data breach.
We have already discussed the tactics and techniques that criminals use in their social engineering attacks in our article Social Engineering as the Art of Deceiving, dedicated to 2022 Cybersecurity Awareness Month. Now it’s time to talk about the ways to spot criminals’ attempts to deceive you and the ways of protecting against them.
Social engineering attacks take different forms and use different methods. However, most share the sense of urgency, panic, or curiosity they instill in victims. Think of a situation in which you receive an email from a friend asking to borrow money for medical care. What will be your first reaction? You will not ignore the message, because it comes from someone you know and probably trust, and you definitely want to help your friend with a health-related issue. The senders of such messages urge the recipients to act immediately, either to send money or to share sensitive information.
Now think about an email with an urgent request from your boss or a hassled colleague. Imagine your boss is asking you for an update or critical business information. There might be messages asking you to approve a transaction for your boss. These messages require an immediate reaction and are difficult to refuse, especially if you are under pressure.
Finally, imagine you’ve got an email from an organization you implicitly trust. It may be your insurance provider or bank. Criminals often use email spoofing (a technique of forging email addresses so that it looks like a trusted source). Cases where criminals hack into employees’ email accounts and then send emails on their behalf are also not uncommon. If an email comes from your bank, you will open and read it. After all, people worry about their money, and criminals exploit this worry very often.
As we know, social engineering acts as a gateway to malware or ransomware attacks. It exploits human vulnerability and then opens the way to your finances, your personal data, or your company’s data and systems. The first step toward minimizing the social engineering threat is seeing yourself in cyber. Here are several steps every individual should take to reduce the likelihood of falling for social engineering.
Social engineering messages typically carry some kind of “urgent” information. However, this doesn’t mean you should act without thinking. When you receive a suspicious email asking you to share important personal information or to make a payment, read it carefully. Validate. Then read it again. Verify the request by phone when an email contains a suspicious ask. Make no decisions before you have verified it.
Look at the email’s headers and compare them with legitimate emails from the same sender. Look at where the links go. Spoofed hyperlinks are easy to spot by hovering over them (do not click the link, though!). Pay attention to spelling. Reputable organizations invest in polished customer communications, so an email with glaring errors is probably fake.
Not all emails are phishing. So, don’t be too lazy to do your research when you receive a suspicious email from a trusted entity. One of the easiest ways is to go to the company’s official website and get in contact with a representative. They will be able to confirm whether the email is official. Never trust the phone numbers mentioned in the email itself. Rather, get the phone numbers from the official website or from company documents you have already received.
The same applies to phone calls. Does the caller lack your full name or other information you’d expect them to have? If a bank is calling, they should have all of that data in front of them. Furthermore, they will always ask security questions before allowing you to take specific actions. If they don’t, the chances of the call being fake are significantly higher.
Be careful when you see a link in an email or message. You can see the actual URL by hovering over the link, but this is not a silver bullet. Your “friend” may turn out to be a master of spoofing, and therefore such links are dangerous. Also, be wary of what you are downloading. Never download files from emails or messages until you are absolutely sure they are safe and official. Download only from trusted sites, and stay away from unknown sites.
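The two checks described above (compare the headers with known-good mail from the same sender, and look at where a link really goes rather than what its visible text says) can be automated for triage. The following script is an added example written for this article, not code from Planet 9 or from any product; it parses a constructed sample message, flags Reply-To and Return-Path domains that differ from the From domain, and flags anchors whose visible text reads as a URL or host name that does not match the href destination. The sample addresses and domains are invented, and the two-label "base domain" approximation is a deliberate simplification.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name and the visible link
# text claim to be the bank, while Reply-To, Return-Path and the href do not.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.test>
Reply-To: support@mail-example-bank-verify.test
Return-Path: <bounce@bulk-sender.test>
To: customer@example.test
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Please verify immediately:</p>
<a href="http://example-bank.test.login-verify.test/auth">https://www.example-bank.test/login</a>
<p>Contact us at <a href="https://www.example-bank.test/help">Help Center</a>.</p>
</body></html>
"""


def domain_of_address(header_value):
    """Return the lower-cased domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r'@([A-Za-z0-9.-]+)', header_value or '')
    return m.group(1).lower() if m else None


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def looks_like_domain_text(text):
    """If the visible link text itself reads as a URL or host name, return that host."""
    t = re.sub(r'^https?://', '', text.strip(), flags=re.I).split('/')[0]
    return t.lower() if re.fullmatch(r'[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+', t) else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def analyze_email(raw):
    """Return a list of (kind, detail) findings: header mismatches first, then link mismatches."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of_address(str(msg.get('From', '')))
    # A differing Return-Path is normal for bulk senders; the point is to compare it
    # with mail you already know to be genuine from this sender.
    for hdr in ('Reply-To', 'Return-Path'):
        dom = domain_of_address(str(msg.get(hdr, '')))
        if dom and from_dom and base_domain(dom) != base_domain(from_dom):
            findings.append(('header-mismatch', f'{hdr} domain {dom} differs from From domain {from_dom}'))
    body = msg.get_body(preferencelist=('html',))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = looks_like_domain_text(text)
            actual = (urlparse(href).hostname or '').lower()
            if shown and actual and base_domain(shown) != base_domain(actual):
                findings.append(('link-mismatch', f'link text shows {shown} but points to {actual}'))
    return findings


if __name__ == '__main__':
    for kind, detail in analyze_email(SAMPLE_EMAIL):
        print(f'[{kind}] {detail}')
```

Run against the sample, the script reports two header mismatches (Reply-To and Return-Path) and one link mismatch; the "Help Center" link is not flagged, because its visible text is not a URL and its destination matches the sender's domain. The script only surfaces the same discrepancies a careful reader would find by hand, so a clean result is not proof that a message is genuine.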
When it comes to social engineering, the price of trying to get something for free is huge. So, don’t believe emails saying “Click on this link to get free software.” Again, it is better to check the official website of the company offering you a gift. If the offer is valid, it will be announced there. When you receive a message saying you have won a lottery you never played, laugh and delete it.
Whatever specialists say about the importance of the human factor, securing devices is also necessary. Proper software and access controls limit what a social engineering attack can achieve even if it succeeds. Thus, do the following:
Social engineering attacks are frequent and sophisticated. People are the main targets of social engineering, and they are simultaneously the primary decision-makers. Only people themselves choose whether to respond to an email, click on a link, or download software. Therefore, the most direct way to protect against social engineering is an adequate reaction to, and analysis of, every single email or phone call.
#SeeYourSelfInCyber and watch out for any suspicious activities on your device. Feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!