How to Avoid Social Engineering & Phishing Attacks

Social engineering and phishing attacks are becoming more prevalent against both individuals and enterprises as hackers devise more sophisticated methods of attacking data networks. Going by recent statistics, the consequences can be far damaging, which underscores the need for organizations to develop effective methods to prevent such attacks, and accordingly protect their businesses from these criminal activities. 

By definition, social engineering is a manipulation technique where cybercriminals use human interaction to obtain information about a company or its computer systems. Here, hackers tend to pose as trustworthy or credible people, making it difficult for victims to realize it’s a scam. 

Phishing, on the other hand, is a form of social engineering where an attacker uses emails and malicious websites to solicit personal information (in most cases, financial information) by posing as a credible institution. Ideally, all social engineering techniques manipulate people through deception to access confidential information. 

Types of social engineering techniques

Understanding the various types of social engineering attacks can help you be more vigilant when interacting with unknown and suspicious individuals online. Here are the most common methods hackers use:

Baiting — Baiting attacks use false promises to lure a victim into a trap that allows a hacker to access information or inflict malware into the target’s computer. While baiting commonly involves physical media to disperse malware, it can also use online forms by enticing the target to download a malware-infected application. 

PhishingPhishing attacks involve a hacker sending an email or text pretending to be a trusted source. They may ask for confidential information such as passwords which they can use to access company data. They create a sense of urgency, curiosity, and fear to prompt the victim to give the information they need. 

Pretexting — This is where an attacker pretends to be a person with authority so that they can acquire information. They may come in the form of a bank representative, police, and any other individual with right-to-know authority. By establishing trust, they can gather data such as social security numbers, phone numbers, and addresses, which they can use to commit crimes. 

Vishing and smishing — These are variants of phishing where an attacker calls or sends a message asking for information – In vishing (voice fishing), an attacker poses as a credible person and requests for data, while in smishing, an attacker uses SMS to obtain the information they need to access data or systems. 

Quid pro quo — In this form of social engineering, an attacker promises you an update to help solve an urgent problem when in reality, the update itself is the malicious threat. Once you install malware, the hacker can go on to access what they need from your computer. 

Contact spamming and email hacking — This type of attack involves a hacker accessing your social media accounts or contacts. They reach to your contacts, asking them to send you money for one reason or the other, or send a ‘must see video’ that is infected with malware. 

How to avoid social engineering attacks   

Social engineering attacks can prove challenging to counter, mostly because they prey on human emotions and characteristics (such as respect for authority and curiosity), which can obscure their real intentions. However, there are ways you can help prevent them: 

Verify the source 

For safety, don’t engage suspicious individuals or provide the information they ask for without verifying the source. For instance, if you receive a message or call asking you to send company information to your boss, it is wise first to consult them through official means. 

If the hacker reaches out through email or sends a link to a certain website, look at the email’s header or where the links lead you (hover over the link without clicking on it). Be sure also to check subtle things such as spellings as official communications are less likely to contain typographical errors and misspellings. 

Whenever in doubt, it is always advisable to get in touch with official representatives through their verified websites or contacts so they can confirm the legitimacy of the email or message. 

Ask for identification 

Social engineering attacks happen due to people’s tendency to trust individuals without verifying them. To avoid being a victim, make a habit of asking for identification before giving out confidential information. If the caller seems suspicious in any way, ask them questions that can help you ID them, such as who they report to and the company they work for. You can use the information they offer to confirm their credibility by checking the organization’s chart or phone directory. 

Break the loop 

More often than not, social engineering attacks depend on a sense of urgency as attackers expect their targets not to assess a situation before making a decision. Rather than provide information a stranger asks for, consult the relevant authorities through credible and approved methods of communication.

For instance, if you get a text from a friend asking you to send them a certain amount of money, call them to check if they really contacted you. Breaking the loop can help counter an attack before damages can happen. 

Secure your devices 

Securing your devices can be an effective method to prevent the infiltration of data. Here are some measures you can take to achieve this; 

  • Update your anti-malware and antivirus software
  • Keep firmware regularly updated
  • Avoid using the same password for different accounts
  • Use two-factor authentication 
  • Don’t run your computer in administrator mode 
  • Change your passwords frequently
  • Update yourself on cybersecurity risks 

Think about your digital footprint

If you are one of the people who share private information about yourself on social media, you are vulnerable to attacks. Attackers can use personal information, such as date of birth, phone numbers, and addresses, to access confidential data. Taking proactive measures like turning your social media profiles to ‘friends only’ can help keep attackers away. In other words, give attackers as little information as possible to work with. 

Use a good spam filter  

A spam filter can sift out spam emails or mark them as suspicious. Ideally, spam filters use available information to determine emails that might contain infected links, files, and any form of malware. They may also have a list of blacklisted IP addresses and sender IDs which allows them to spot any attack before it causes damages to your computer or data. 

What to do if you are a victim

If you suspect or happen to be a victim, report to the relevant authorities, including network administrators, to solve the situation immediately. Be sure also to change your passwords for all the accounts that use the same password. Lastly, contact your financial institution if you think your bank accounts may be vulnerable to attacks.  

Summary

Social engineering attacks can have grave consequences on the victim, and therefore critical to establish the necessary security measures to curb them. Being aware of the various types and how they work can protect you from falling victim and ensure your private information is firmly secure. 

At Contego Inc., our primary goal is to protect you from IT cybersecurity risks by providing you the requisite tools to facilitate IT governance, risk management, and compliance. Contact us to learn more from the experts!