CBI Blog

Why Social Engineering Should Concern You


In the cybersecurity world, you've read about setting up a recovery plan, adopting ITIL and NIST guidelines, even the possibility of hacking a car by tapping into its CAN bus. But what if the greatest vulnerability isn't in the technology at all, but in you? Meet one of the biggest cybersecurity concerns, social engineering. It is on the rise, with over two-thirds of hacks reportedly involving social engineering techniques. What makes social engineering so dangerous is how it's carried out. The perpetrators are more con artist than typical hacker: they target people, not software. It is a twenty-first-century con, whether that means lying over social media so you'll divulge personal information or strategically dropping an infected USB drive so that someone, out of curiosity, plugs it in and runs the malware.

Learn why these attacks are so successful and dangerous, and how to protect yourself, turning what social engineers count on as your biggest weakness (you) into your strength.

What’s Social Engineering?


Think of social engineering as the umbrella category that includes baiting, phishing, spear phishing, pretexting, and scareware: pretty much any attack that preys on your curiosity, vanity, trust, or greed. In other words, it exploits your humanness rather than a flaw in the software.

One example is a Twitter follower asking if you could spare a couple of minutes to check out his or her blog, which really means clicking on a link. Another is the fake virus warning: a pop-up tells you your computer is infected when it isn't, and when you receive a call (or innocently call the "support" number yourself) you end up installing the "anti-virus software", which is the actual malware. Both examples rely on manipulation: the first leverages your helpfulness, the second your fear.

Social Engineering to Be on the Lookout For

Here are 4 common social engineering attacks and what you can do to protect yourself.

1. Spear Phishing

Spear phishing is phishing made specific, and more sinister for it. In this subset of phishing, attackers target a particular individual or organization, usually to obtain something specific such as the victim's credentials. They act almost as silent cyber stalkers, learning as much about the victim as they can: birthday, friends, even the places they frequent and what they like to buy. Then they send a personally attractive message by email or social media.

For instance, if the victim frequently buys baseball memorabilia online, you can bet there's an email that looks like it comes from a friendly company, announcing a (non-existent) 24-hour sale the victim can access by clicking the (malicious) link. Since people are inundated with online marketing, this one will most likely fly under the radar. Attack successful.

How Can You Protect Yourself?

Apply the usual anti-phishing habits, such as watching for oddly vague statements, especially when the message supposedly comes from a friend. That is harder to do with business advertisements, so instead make it a rule never to click advertisement links in emails; if the sale interests you, type the company name into a search engine and go to its site directly to verify the offer is real. This greatly reduces your chances of falling for a spear-phishing message.

2. It’s as Simple as Walking Through the Door

Otherwise known as tailgating (nothing to do with rallying for your football team), this attack shows how simple and dangerous social engineering is: disguised as a delivery driver or IT technician, the attacker literally walks through the front door.

All it takes is a "hey, hold on a minute"; you hold the door for "UPS", and that's it. The attacker now has access to restricted areas and can gather sensitive information. This type of attack tends to be more successful against mid-sized companies than large corporations, since larger businesses are more likely to require an access card at the entrance, although a badge reader only helps if nobody holds the door open for the person behind them.

How Can You Protect Yourself?

A major part of protection boils down to communication with the delivery company you work with. Ask for the regular driver's name and badge number (or equivalent), as well as the name and ID number of any driver who fills in, and check those against the person at the door before letting them in. You can do the same for any other service company, whether IT or even catering. The same rule applies to the door itself: don't hold it open for someone who hasn't badged in or been signed in at reception.

3. Baiting

You walk into a café, take a seat, and notice a CD lying on the table. Out of curiosity, you put it in your laptop, and bam, baiting attack successful. Baiting, as its name suggests, involves some type of bait, a CD or USB drive. Using curiosity, the attacker lures the "fish" (the intrigued individual) into opening it, at which point the victim's machine is infected.

How Can You Protect Yourself?

Don't open found CDs or USB drives; it's not worth it. Hand them to your IT or security team, or discard them. Enough said.

4. Phishing

With phishing scams, scammers send an email containing a malicious link. Usually there's some type of enticing subject line such as "Last Day for Insert-Expensive-Item Sale!!" The goal is for the victim to click the link, which leads to a site that harvests credentials or delivers malware.

How Can You Protect Yourself?

Take note of anything suspicious (for example, an unusually vague tone, or hyperlinked text that doesn't match where the link actually goes). Even one of these factors is reason enough to call the sender to verify the email, using a phone number you already have rather than one printed in the message.

You Are Your Biggest Asset


As we've mentioned, social engineers prey on human traits: curiosity, vanity, greed, helpfulness, you name it. Turning those same traits into an asset takes the power out of social engineering. You do this by combining "humanness" (an alert, skeptical reader) with technology in your defense. For this to work, though, you need both, not one or the other.

For example, use spam filters (technology) as your first line of defense against phishing. For the "lucky" emails that make it through, read them with an eye for anything suspicious: symbols or lookalike characters replacing standard letters, vague sign-offs, and too-good-to-be-true offers.
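Two of those tells, hyperlinked text that points somewhere other than where it says, and lookalike characters standing in for ordinary letters in the destination host, can be checked mechanically. The script below is an added example, not code from the original post or from CBI; it runs a link collector over a constructed HTML email body (the hostnames are hypothetical) and reports the links that trip either check. The digit-between-letters rule is a heuristic and will occasionally flag legitimate hosts, so treat its output as a prompt to verify, not a verdict.

```python
"""Flag two phishing tells in an HTML email body: anchor text that shows one
web address while the href goes to another host, and lookalike characters
(digits or non-ASCII letters in place of ASCII letters) in the destination host.
Added example; not code from the original post."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical hosts, not real sites).
# Link 1: text shows example.com, href goes to a lookalike host with "1" for "l".
# Link 2: ordinary link, should not be flagged.
# Link 3: host uses Cyrillic "\u0435" in place of Latin "e".
SAMPLE_EMAIL = """
<p>Last Day for Insert-Expensive-Item Sale!!</p>
<a href="http://login.examp1e-secure.com/x">https://www.example.com/sale</a>
<a href="https://www.example.com/help">Help</a>
<a href="http://www.\u0435xample.com/">Account</a>
"""

# Loose test for "does this link text look like a web address?"; \w also
# matches non-ASCII letters, so lookalike hosts are still recognised.
_URLISH = re.compile(r"^(?:https?://)?[\w.\-]+\.[A-Za-z]{2,}(?:[/:?#]|$)")
# A digit flanked by letters inside one host label, e.g. "examp1e" (heuristic).
_DIGIT_FOR_LETTER = re.compile(r"[a-z][0-9][a-z]")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL or bare address, lower-cased, leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_reasons(host):
    """Reasons a host looks like it is imitating another one."""
    reasons = []
    for ch in host:
        if ord(ch) > 127 and ch.isalpha():
            reasons.append(f"non-ASCII letter {ch!r} ({unicodedata.name(ch, '?')}) in host {host!r}")
    for label in host.split("."):
        if _DIGIT_FOR_LETTER.search(label):
            reasons.append(f"digit between letters in host label {label!r}")
    return reasons


def flag_suspicious_links(html):
    """Return [(href, [reason, ...]), ...] for links that trip either check."""
    flagged = []
    for href, text in extract_links(html):
        reasons = []
        href_host = host_of(href)
        if _URLISH.match(text):
            text_host = host_of(text)
            if text_host and text_host != href_host:
                reasons.append(f"text shows {text_host!r} but href goes to {href_host!r}")
        reasons.extend(lookalike_reasons(href_host))
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in flag_suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the first link is flagged twice (the text names example.com while the href goes to login.examp1e-secure.com, and that host has a digit wedged between letters), the plain Help link passes, and the Account link is flagged for the Cyrillic letter in its host. The same checks apply to any HTML you paste in; the only difference in a real mail client is that you'd feed it the message source instead of the constructed string.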

CBI Can Help

CBI, for Cyber Security Solutions, offers penetration testing and white-hat hacking so you can fortify your defenses. For more information on social engineering, look to our blog and resource section, or contact us.


Team CBI

CBI manages IT security risk and helps ensure your data is secure, compliant and available. No matter your industry our Subject Matter Experts, tailored assessments and custom solutions help safeguard your organization’s information. Our proven process allows you to prepare, manage and navigate issues that can damage your business and reputation.