You Are the Weakest Link
Although cyber security has been a hot topic for years, the average person remains highly exploitable by an attacker. Whether it’s an organizational system or your own personal accounts, attackers know that people are often the weakest link in any cyber security posture. It doesn’t matter how much money you spend defending yourself from cyber attackers if you, or someone else, will simply hand them access to your systems. Attackers often sidestep technical defenses entirely by using psychological manipulation to trick people into giving them access to sensitive information. This tactic is called Social Engineering, and it can take many forms.
The effects of a successful Social Engineering attack can range widely. On a personal level, you could give attackers access to an account from which they can make fraudulent payments with your debit card. On a business level, it could lead to a system breach in which the attackers gain access to thousands of customers’ personal information. But sometimes the consequences have the potential to be even scarier. For example, several high-profile Twitter accounts were hacked last month in a social engineering attack. Two of the accounts belonged to former President Barack Obama and former Vice President Joe Biden. Imagine what those attackers could do if they managed to gain access to President Trump’s Twitter account. They could potentially cause social or economic panic.
4 Types of Social Engineering attacks
- Phishing is when an attacker sends fraudulent emails, phone calls, or text messages to a victim while posing as a legitimate entity. This is the most common form of social engineering attack and usually incorporates scare tactics. The emails can look nearly identical to an actual email from a reputable company and will often include a link to a fraudulent web page or a malicious attachment that will inject malware onto the system.
- Pretexting is when a scammer tries to trick their target into giving up personal information under the pretext of being someone the victim trusts or who holds authority. For example, the attacker may claim to be representing your bank and say they need to confirm your identity with a series of questions.
- Baiting is typically when attackers try to lure in victims with the promise of some item. They might promise you a free gift card if you sign up on their website, which is actually designed to steal your information. This trap can also take place physically by leaving a flash drive in a public area. Here the attacker hopes that some unsuspecting person takes the flash drive and connects it to their home or work PC, where the flash drive will automatically inject malware onto the system.
- Tailgating is when an attacker follows an authorized employee into a restricted area. Usually the attacker will impersonate a co-worker or delivery person and simply walk in behind the authorized employee. This sometimes allows them to bypass security measures because in larger organizations it is difficult to know exactly who every legitimate employee is.
Tips to prevent Social Engineering Attacks
- Don’t open emails from suspicious sources or click suspicious links. Examine emails carefully for any sign of fraudulence. Always verify the sender’s email address, not just the display name.
- Do not connect unknown media to your devices. Finding that flash drive on the ground may not have been good luck.
- Lock your devices when you leave them unattended.
- Always be skeptical. Do not reveal personal information to strangers or people claiming to be someone you know. Turn the tables on them and verify their identity before revealing any information.
- Keep your anti-virus software updated. Many malware attacks are caused by known vulnerabilities left unpatched.
- Be mindful of the personal information you post on social media. Attackers will mine profiles for information to help them find targets.
- Do not allow strangers on the premises. If they claim to be an employee, then let them properly authenticate to gain access. If you are not sure about a delivery person, then ask a security guard to verify the delivery.
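The two email tips above (verify the sender's real address, and examine links and scare wording) can be turned into an automated check. The following is an added example, not part of the original post: it inspects a constructed phishing-style message and flags a sender domain outside an assumed trusted set, pressure wording in the subject, and a link whose visible text names one host while the `href` points to another. The trusted domain and the sample message are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name and the visible link
# text imitate "Example Bank", but the sender domain and link target do not match.
SAMPLE_EMAIL = (
    'From: "Example Bank Support" <alerts@examp1e-bank-secure.net>\n'
    "To: customer@example.org\n"
    "Subject: Urgent: your account will be locked within 24 hours\n"
    "Content-Type: text/html\n\n"
    '<p>Please <a href="http://login.examp1e-bank-secure.net/verify">'
    "https://www.example-bank.com/login</a> to keep your account active.</p>\n"
)

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed: domains this organisation really sends from
URGENCY_WORDS = ("urgent", "locked", "suspended", "immediately", "within 24 hours")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full HTML parser


def registrable(host):
    """Crude 'last two labels' domain: www.example-bank.com -> example-bank.com."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable warnings for a raw RFC 822 message; an empty list means nothing fired."""
    msg = message_from_string(raw)
    warnings = []
    # 1. The address behind the display name must belong to a domain we trust.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1])
    if sender_domain not in trusted:
        warnings.append(f"sender domain {sender_domain!r} is not a trusted domain")
    # 2. Scare tactics: pressure wording in the subject line.
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        warnings.append("subject uses pressure or scare wording")
    # 3. Visible link text that names one host while the href goes to another.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        actual = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        if shown and registrable(shown) != registrable(actual):
            warnings.append(f"link text shows {shown} but points to {actual}")
        elif registrable(actual) not in trusted:
            warnings.append(f"link points to untrusted domain {actual}")
    return warnings


if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Running it on the sample prints three warnings; a genuine statement notification from the trusted domain with a plainly labelled link produces none.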