Social engineering has become the new standard in both cyber-attacks and physical security breaches. Many organizations are fighting back and are quickly making education a priority. First, let’s enumerate a few of the most common types of social engineering attacks, and then go over ways to address these threats.
By far the most common method of social engineering the employees of any organization is email phishing. An attacker crafts an email, often spoofing the sender address and trying to make the message look as legitimate as possible. Phishing emails are crafted in various ways. One method is a message attempting to get you to reply and supply information you should not give out. Another is to make the email seem completely benign and from a trusted source, so that you will click a link in it or even download an attachment.
A few easy ways to detect such an attack:
- Poor spelling and grammar
- Unexpected or out-of-place messages
- Attempts to elicit some sort of emotion, positive or negative
- Check the sender address
- Hover over a link to see whether the URL is one you trust
Voice phishing (vishing) is becoming increasingly commonplace. This is where a scammer actually calls you on the telephone. You may have heard about the criminal organizations impersonating the IRS. These scammers are in the news quite a bit and have robbed countless Americans. They call pretending to be the IRS, demanding payment and making all sorts of outlandish threats. While most people are wise enough to know it is a scam, unfortunately many still fall prey. Let’s face it, no one wants the federal government coming after them.
SMS phishing (smishing) is yet another type of phishing attack. It happens via text messaging and often starts because your phone number was entrusted to the wrong person on the internet. The attacker sends a text message with a link, hoping you click it. The link is likely geared towards installing spyware or malware on your device. SMS phishing is growing exponentially as more criminals realize just how effective it is. Below is an example which I received to my Google Voice number. On that note, I highly recommend using such a service instead of giving out your actual phone number. Notice the use of “tinyurl.com” to disguise the actual web address; never click on anything like it.
Tailgating, also known as piggybacking, is when a person tags along behind someone who is authorized to enter a restricted area or pass a certain checkpoint. This happens more often than people realize. Remember when Tom Brady’s Super Bowl jersey was stolen? The criminal tailgated his way into the Patriots’ locker room, in fact coming in right behind Bill Belichick. This incident serves as a great example of how it is everyone’s responsibility to keep the workplace safe. Ways to prevent breaches due to tailgating at work include:
- Confront people without badges in restricted areas
- Be aware of anyone piggybacking through an access-controlled door
- “Trust” but verify