It's scary to think that it's much easier for an attacker to exploit a victim’s natural inclination to trust than it is to find ways to hack their systems. Organizations can avoid many attacks by properly training employees on social engineering tactics and implementing an effective and ongoing user security awareness training and testing program.
In today’s connected world, a healthy dose of paranoia might save you from the serious damage that hackers, ransomware and other malware can cause once they get into your network.
Question: “What are some common signs of social engineering attempts such as phishing or click baiting, and how can organizations prevent these types of attacks?”
Answer: The first rule of thumb when it comes to social engineering is: if something seems “phishy,” it probably is.
Cybercriminals often try to manipulate individuals into giving up their passwords, banking details, and other personal information through social engineering tactics. One of the most common examples is an email or message that appears to come from a colleague, a friend, or a trusted institution such as your bank or IT department.
Here are a few tips for recognizing and avoiding social engineering tactics:
- Less urgency, more caution: Slow down and read messages thoroughly before clicking on anything. Phishers manufacture urgency (an account about to be suspended, an overdue invoice, an executive who needs something right now) to make impulsive users act before they think.
- Unsolicited requests and offers are usually fake: Legitimate organizations do not reach out with help you never asked for. Treat any unsolicited offer to “help” restore your credit score, refinance your home, or fix an account problem as a scam, and apply the same skepticism to unsolicited donation requests. If you don’t have an existing relationship with the organization, delete the email; if you do, contact it through a phone number or website you already know rather than anything in the message.
- Never give out personal information: This seems obvious, but it must be said. No legitimate bank, vendor or IT department will ask you to send a password, card number or Social Security number by email, or to “confirm” it on a page you reached from a link in a message. Treat any such request as a scam and verify through a channel you already trust.
- Use password management software: These programs keep all of your passwords organized, but they also act as a phishing safeguard: they only fill in your credentials on the actual domain where you saved them. If your password manager refuses to autofill on a page that looks like your bank, that is itself a strong hint the page isn’t your bank, because the address is a lookalike (a letter swapped or an extra word tacked on).
- Links and downloads are dangerous: If you don’t know the sender personally and aren’t expecting a file from them, downloading anything is a mistake. Even when the sender appears to be someone you know, check with that person through a separate channel (a phone call or chat, not a reply to the message) before opening a link or downloading an attachment. Hover over a link to see where it really points before you click; the text you see and the address underneath it don’t have to match. For most non-technical users, a well-orchestrated phishing email is practically impossible to tell apart from a genuine one.
- Spam filters on high: Every email service offers spam filters. Set these on high, and remember to check your spam folder periodically to see if legitimate emails accidentally get trapped in there.
- Antivirus software is your friend: Make sure your antivirus, firewall and email filters are all kept up to date. Anti-phishing features in web browsers, and third-party tools, can also warn you about known malicious sites before the page loads.
- Security awareness training: This is THE best way to continuously keep users informed about the types of attacks they will face. Many programs also run simulated phishing campaigns that test whether users click, report, or ignore a suspicious message, so you can measure how well your people would hold up against the real thing.
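As an added worked example (not code from the original post), here is a small Python scanner that applies the signs above to a constructed phishing email: a display name that claims one domain while the actual address sits on another, a Reply-To that routes replies elsewhere, link text that shows one site while the href goes to another (including a lookalike host spelled with a Cyrillic letter), and pressure language. It also includes the same-domain comparison a password manager makes before autofilling, which is why the manager stays silent on a lookalike page. The message, brand and domain names (bank.example and friends) are made up; the two-label domain comparison stands in for a Public Suffix List lookup, and the urgency word list is a starting point, not a tuned detector.

```python
"""Heuristic phishing-indicator scan of a raw email, plus the domain check a password
manager applies before autofilling. Added example; the message and domains are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases that phishing lures lean on (assumed list; extend as needed).
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")

def registrable_domain(host: str) -> str:
    """Lowercase, IDNA-encode (a Cyrillic lookalike letter then shows up as xn--...) and keep
    the last two labels. Assumption: a real tool would consult the Public Suffix List instead."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an un-encodable name as is; it simply will not match anything
    return ".".join(host.split(".")[-2:])

def would_autofill(saved_url: str, page_url: str) -> bool:
    """The rule a password manager enforces: fill only on an HTTPS page whose
    registrable domain equals the one the credential was saved for."""
    saved, page = urlparse(saved_url), urlparse(page_url)
    return (page.scheme == "https" and bool(page.hostname)
            and registrable_domain(page.hostname) == registrable_domain(saved.hostname or ""))

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: bytes) -> list[str]:
    """Return human-readable warnings for the classic signs of a phish."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_dom = registrable_domain(sender.domain)

    # 1. The display name names one domain while the real address is on another.
    claimed = re.search(r"@([\w.-]+)", sender.display_name)
    if claimed and registrable_domain(claimed.group(1)) != sender_dom:
        findings.append(f"display name claims {claimed.group(1)} but sender is {sender.domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to and registrable_domain(reply_to.addresses[0].domain) != sender_dom:
        findings.append(f"Reply-To {reply_to.addresses[0].domain} differs from From {sender.domain}")

    # 3. Link text shows one site but the href goes to another; punycode hosts get flagged.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        if "xn--" in target:
            findings.append(f"link host {host} is an IDN ({target}); check for lookalike letters")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != target:
            findings.append(f"link text shows {shown} but points to {host}")

    # 4. Pressure language in the subject and body.
    plain = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY if w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample message; "\u0430" is Cyrillic 'a', a visual twin of Latin 'a'.
SAMPLE = """\
From: "Bank Security <alerts@bank.example>" <notice@secure-login-center.example>
Reply-To: recover@mailbox-recovery.example
Subject: Urgent: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Verify your account immediately.</p>
<p><a href="https://b\u0430nk.example/login">https://www.bank.example/login</a></p>
<p><a href="https://secure-login-center.example/help">Help Center</a></p>
</body></html>
""".encode("utf-8")
```

Running `phishing_indicators(SAMPLE)` yields five findings: the display-name/sender mismatch, the foreign Reply-To, the punycode link host, the link text pointing at a different site, and the urgency phrases; the harmless "Help Center" link produces none. `would_autofill("https://bank.example/login", "https://bаnk.example/login")` returns False for the same reason a real password manager leaves the lookalike page blank.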
Without a doubt, social engineering tactics are designed to take advantage of a user’s trust. Be on your toes when sifting through emails and messages.
And remember, if something seems phishy, it probably is.
FPA offers a comprehensive cyber security user awareness training program that's simple, thorough, and provides recurring testing with minimal interruption to your staff's workload. The best part: because we run it, it doesn't put any additional burden on your time. If you'd like to discuss this in more detail, please feel free to contact us.
We'd love to hear from you. Please share your social engineering war stories in the Comment box below or shoot me an email if you’d like to chat about this in more detail.