Security Awareness is Cybersecurity
Social engineering is an attack technique that affects individuals and organizations, both public and private. Bypassing the technical side of hacking, social engineering relies on convincing a person to give up sensitive data or grant unauthorized access. Deception is not a new or novel concept; social engineering is simply its application to digital media and penetration testing. Self-awareness and a healthy sense of skepticism are the best defenses against deception in general, but the evolution of technology requires organizations to prepare specifically against social engineering. This section covers some of the most effective techniques for preventing social engineering attacks.
Research and Analysis, the Right Way
Careful critical analysis of online interactions is the greatest defense against social engineering. Think carefully before you click anything from an unverified source, especially if it is framed as an urgent matter. Social engineering attacks rely on the user not thinking twice before handing sensitive information to what looks like a familiar organization. This could be an email requesting bank details in the context of a fabricated security breach, a desperate figure seeking a small payment to release a large sum of money, or an attacker posing as a popular social media site and requesting "verification" for continued access. Think critically about every request for sensitive information, and don't click on anything that seems suspicious or unfamiliar. Many organizations state explicitly that they never request personal information over email for this reason. Critical thinking, not paranoia, is the best defense against social engineering.

Researching sources is another powerful method for preventing social engineering attacks. Phishing emails often direct the user to input forms designed to look identical to their trusted counterparts. Many of these pages are visually identical to popular login pages, but the URL and the source code are completely different. Check the URL at the top of the page for anomalies. For example, www.woodmore.com could be imitated by a domain in which the "m" in Woodmore is replaced with "rn", which reads as "m" at a glance. You can load the same page through official channels for comparison. If you are still unsure, you can even compare the page's source code for unusual differences. The attacker is relying on users not thinking twice before entering sensitive data.

Lastly, and this is part of any good end-user security training, be wary of any attachments or downloads from unverified sources. Regardless of who you are, what industry you're in, or what your title is, never click or open unverified links or downloads. Always check with the person who sent it before taking action, because it is better to be safe than sorry. Attackers will provide an attachment or web download that seems innocuous or legitimate, but the file contains hidden malware. Don't download anything from an unfamiliar source without thinking twice. Some indicators of a malicious download include deceptive download buttons, atypical file names, unusual file sizes for the given type, and file extensions that do not match the actual file format.
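The two indicators above (a look-alike URL such as "rn" standing in for "m", and an attachment whose extension does not match its actual format) can be checked mechanically. The following script is an added illustration written for this article, not code from the original page or from any product it mentions. The trusted-domain list, the confusable-character mapping, the magic-byte table and the sample URLs and attachment bytes are all constructed for the example and are deliberately small; a production filter would use a full Unicode confusables table and a proper file-type library.

```python
"""Two lightweight checks for the phishing indicators described in the article.

Added example. All lists, signatures and sample inputs below are constructed
for illustration and are not exhaustive.
"""
from urllib.parse import urlparse

# Character sequences that look like another letter at a glance (constructed subset).
CONFUSABLES = {
    "rn": "m",   # woodrnore.com reads as woodmore.com
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}

# Leading bytes that identify common attachment formats (constructed subset).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",  # Office documents are zip containers
    "exe": b"MZ",
}
DOCUMENT_EXTS = {"pdf", "png", "docx", "zip"}
EXECUTABLE_EXTS = {"exe"}


def skeleton(host: str) -> str:
    """Collapse confusable sequences so that look-alike hosts compare equal."""
    host = host.lower()
    for seq, repl in CONFUSABLES.items():
        host = host.replace(seq, repl)
    return host


def registrable_host(url: str) -> str:
    """Extract the hostname from a URL (scheme optional) and drop a leading 'www.'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL against a trusted-domain set.

    A host is trusted when it is a trusted domain or a subdomain of one. It is a
    look-alike when it matches a trusted domain only after collapsing confusables,
    or when it merely contains a trusted name (e.g. woodmore.com.verify.example).
    """
    host = registrable_host(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in trusted:
        if skeleton(host) == skeleton(t) or t in host:
            return "lookalike"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of indicator strings for an attachment; an empty list means nothing flagged."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # report.pdf.exe: a document-looking name hiding an executable extension.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double extension hides executable")
    sig = MAGIC.get(ext)
    if sig is None:
        findings.append("unrecognised extension")
    elif not data.startswith(sig):
        # The claimed format does not match the bytes actually in the file.
        findings.append("content does not match ." + ext + " signature")
    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment")
    return findings


if __name__ == "__main__":
    trusted = {"woodmore.com"}  # constructed trusted-domain list
    for url in ("https://www.woodmore.com/login",
                "https://www.woodrnore.com/login",
                "https://woodmore.com.account-verify.example/login",
                "https://example.org/"):
        print(f"{url:55} -> {classify_url(url, trusted)}")
    # Constructed attachment samples: a real PDF header and a PE header renamed as PDF.
    print(check_attachment("invoice.pdf", b"%PDF-1.7\n%..."))
    print(check_attachment("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(check_attachment("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"))
```

The skeleton comparison is the same idea used by Unicode's confusables "skeleton" algorithm, applied to a tiny ASCII mapping; the point is that both the suspect host and the trusted host are normalised the same way before being compared, so a legitimate "cl" in a trusted name does not cause false positives.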
A Lesson from Smokey
In the familiar adage of the great Smokey Bear, only you can prevent social engineering attacks. Hackers can bypass highly advanced security systems by relying on a single user error, and simple cautionary practices can prevent massive data breaches and financial losses. Think critically about every online interaction, research unfamiliar sources when in doubt, and be careful about anything you download from unverified users. A healthy sense of self-awareness and skepticism goes a long way in preventing social engineering attacks.
TL;DR
Social engineering is a consistent threat to the security of many organizations, but there are ways to prevent social engineering attacks. Most prevention methods revolve around safe practices and self-awareness. This article explores several techniques you can use to prevent social engineering attacks in organizations and on individuals.