
What is Social Engineering?

Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Social engineering attacks rely on human interaction and on manipulating people into making security mistakes or divulging confidential information. Cyber criminals use this approach because it is often easier to exploit a person’s natural inclination to trust than it is to find vulnerabilities in systems and software.

Why would a cyber criminal go to all the trouble of searching for weaknesses in a system when one of the biggest ones is just an email, text, or phone call away? It is simple to set up a secure firewall or patch a system, but there is no way to ensure that a person won’t accidentally give away confidential information. Cyber criminals know this, and use social engineering to attack the weak link.

One example of a social engineering attack is voice phishing, or vishing. What is vishing? It is a form of social engineering that is carried out over the phone in an attempt to steal information. Vishing scams account for 30% of all incoming mobile calls and are designed to convince you of their authenticity. The callers accomplish this by pretending to be from a reputable source such as the IRS, or even a family member, and then asking for personal information.

How to mitigate Social Engineering attacks:

Social engineering attacks are not easy to stop since they are directed at the weakest link and are not always easy to spot. However, by following these 6 easy steps you can greatly mitigate the risk social engineering poses to you and your organization.

1. Increase awareness and education

  • Users can't defend against attacks if they don't know they exist. People also need to be aware of the signs of social engineering, such as being pressured to answer questions or having their emotions played on so that they feel sympathy, fear, curiosity, or urgency.

2. Be conscious of the information you are releasing

  • This includes the information you put on social media sites. This information can be used to gain your trust and trick you into revealing more sensitive information about yourself.

3. Understand which assets and information are most vulnerable

  • By understanding which information is most important, you will be able to pause and think before simply revealing it.

4. Take ownership of security

  • Security is a personal commitment that you cannot leave to others to create for you. Each person needs to exercise caution and practice secure behavior on their own. This includes limiting the personal information you put online as well as understanding what kinds of social engineering attacks exist.

5. Watch for questions that don’t fit the context

  • If you are on the phone with someone and you feel them pressuring you to make a decision, stop and think: why is this person pressuring you? Be willing to apply pressure back and make the person prove that they are who they say they are. There are few scenarios where you need to give important information at a moment's notice over the phone, text, or email.

6. Stick to your guns

  • Be willing to not give the information! If you know you are being asked to answer questions or release information that is against your organization's policies, or the request is simply being carried out over a different medium, be willing to say no.