What is social engineering? Social engineering is the psychological manipulation of people into performing specific acts, such as breaking normal security procedures. It is used in over sixty-six percent of all attacks by hackers, whether it’s warranty exploitation or an attempt to breach company data. According to the FBI, social engineering scams have cost U.S. businesses $1.6 billion since 2013. Two types of social engineering attack are phishing and pretexting.
Phishing, one of the most popular types of social engineering attack, consists of an email that seems harmless. These emails usually contain links that lead to malicious websites and viruses, or come from a sender posing as an employee or someone with access to sensitive data.
Pretexting is another type of social engineering attack, in which an individual lies to obtain sensitive information. For example, the thief claims to be requesting information in order to confirm the identity of the person they’re talking to.
Over the last couple of months, Netflix customers have been receiving phishing emails from an unidentified sender alerting them that their billing information was not valid and that they would need to update it. Upon clicking the hyperlink to do so, they would log into a fake, recreated Netflix website and then enter their billing information, which would give the attackers access to their credit card numbers. Emails like this should be deleted immediately, or else you risk your personal information and credit card details being compromised.
People are the weakest security link. Employees need access in order to do their job, which instantly marks them as high-value targets for cyber criminals trying to gain access. Here are some tips to prevent your business from becoming a victim of social engineering.
- Train/educate employees: Giving employees basic training will make them aware of potential attacks and will ultimately prevent any future attacks they encounter.
- Use common sense: Do not open attachments in emails that you’re unfamiliar with or that have an unverified sender. Check for spelling errors or anything unusual that would raise suspicion.
- 3rd Party Testing: Have an outside party conduct a social engineering test on your company. These tests can help determine whether your company is prepared to defend itself against attacks and if employees need further training.
- Anti-Virus Software: Install anti-virus software, firewalls, and email filters to reduce some of the attacks.
- Valuable Assets: Identify the most valuable assets in your company and focus on protecting them.
Complete prevention isn’t realistic, but following these tips will certainly increase your company’s chances of defending itself against a social engineering attack.