Social Engineering Awareness

@nismoguy1, social engineering is an important security topic that impacts individuals and businesses alike!

Before answering your question, it is important to define the term social engineering. A broad definition of “social engineering” is influencing someone to react in a certain way by exploiting one’s interests, habits, etc. In the context of cybersecurity, “social engineering” refers specifically to hackers gathering information about an individual or business and strategizing ways they can trick you to fall for a scheme. For example, if a hacker has your email address, knows you own a dog, and determines you live in Charleston, SC, the hacker could “socially engineer” you by emailing a fake coupon for a Charleston-based pet store to get you to click on a malicious link or download a virus.

The key ingredient to a successful social engineering attack is having relevant and up-to-date information about the potential target. So where do hackers get this information? Anywhere and everywhere!

Social media accounts, such as Facebook, LinkedIn, etc., can provide hackers with troves of information about you or your business — for free. The more information posted to these sites, the more ammo hackers have to create targeted attacks. It’s one thing for a hacker to have access to your email address, but attacks can be taken to a whole new level when criminals can determine when you’re going on vacation, who your boss is, what college you went to, what kind of car you drive, etc.

With all this said, it begs @nismoguy1’s question: “What can I do to prevent social engineering from happening to me and my accounts?” The truth is you will never be able to prevent social engineering from happening to you. However, you can lower your risk by taking simple precautions.

1. Be mindful of social media! In order to protect yourself, we highly recommend being cognizant of the amount of information you choose to post online. Configuring your account privacy settings and being selective about the people/groups you allow to view your profiles is another important step to protecting yourself. However, even if you are proactive in guarding your personal information, this doesn’t necessarily mean you could never be socially engineered.
2. Do web searches to fact check. We often recommend fact checking if you receive an email or phone call that seems either suspicious or “too good to be true.” If you are sent a link, it’s usually best to browse to the website manually, rather than clicking the link and trusting it will take you a safe, trusted webpage. Links can often be disguised and used to send you to a malicious 3rd party site. Doing a quick web search or placing a phone call to verify information before responding never hurts.
3. Never respond to an email that asks for sensitive information — even if it’s from your boss. We have seen many successful email scams executed by luring unsuspecting victims into providing personal information over email. For example, a hacker could use a stolen or spoofed version of a co-worker’s email to send a fake message requesting you wire money to a vendor. Unfortunately, in situations like this, there isn’t much you personally could have done from becoming a target, but you can take steps from becoming a victim! For this reason, you should never provide (or request) sensitive information via email, regardless of the email being a scam or legitimate request. Getting into the habit of sending sensitive data via email will only make you more susceptible to falling victim to email scams. There are always safer alternatives to providing this information, such as placing a phone call or delivering the information in person.

It’s fair to say that you cannot prevent being socially engineered, nor can you prevent attackers from attempting to hack in general. But what you can do is be vigilant and aware that social engineering tactics will always be used by hackers. It never hurts to pause and fact check before opening an email, clicking a link, or providing sensitive information. Taking precautions to limit data shared publicly online and who you share it with is never a bad idea either.

Have a question for our security consultant? Submit your #askahacker questions to @SoteriaSecurity on Twitter or via email. Chosen questions will receive a response from our consulting team and a Soteria gift pack.

Originally published at https://soteria.io/social-engineering-awareness/ on March 13, 2017.