Social engineering in cyber security - Cribb Cyber Security

Last week we looked at cyber security for the Internet of Things (IoT). We asked how secure smart devices were, pointing out what users can do to mitigate the potential risks involved. Smartphones, for example, offer protection against malware but are not designed to prevent social engineering attacks. Defending against these requires a great amount of awareness from the intended victim, and such attacks have been on the rise in recent times. Today, then, we look at social engineering in more detail, describing what it is and offering examples of attack types to look out for. Crucially, we also provide guidance on how to prevent it.

Read the article, “IoT cyber security: How secure are smart devices?”.

What is social engineering?

One definition would be the use of deception to manipulate an individual into revealing confidential or personal information. This information may then be used for fraudulent purposes by malicious actors. Social engineering sees victims manipulated psychologically, and attacks typically happen in one or more steps. First, the intended victim is investigated and background information is gathered on them. Attackers look for possible entry points and weak security protocols before adopting a form of pretexting. This is often impersonation, with the objective of gaining the victim’s trust. Once trust has been established, sensitive information is revealed or access to critical resources is granted.

Types of attacks to watch out for

There are many different attacks to be aware of. Crucially, they can be performed wherever human interaction is involved. Here are some of the most common types of attack:

  • Pretexting & tailgating

These typically see cyber-attackers pretending to be a co-worker or an authority figure such as a police officer. Using this disguise, they reach out and attempt to gain a victim’s trust with the intention of extracting information.

It is worth noting that tailgating is often used against companies in the form of a physical attack. In other words, attackers try to find ways to enter a building, where they can then use different tools to steal data.

  • Phishing

This is an incredibly ‘popular’ type of cyber-attack which sees attackers pretending to be trustworthy in messages sent via text, email or phone. The objective is to acquire usernames, passwords and credit card details by creating a sense of curiosity or fear in the recipients of the phishing message. They will typically be asked to reveal sensitive information, to click on links to malicious websites, or to open attachments containing malware.

  • Baiting

This sees cyber-criminals stealing information or injecting malware into a system by using false promises to lure victims into traps. These traps could involve malicious attachments or physical media such as malware-infected flash drives. Baiting scams can also take the form of online ads linking through to malicious websites or applications.

How to prevent it

There are many tactics you can adopt, some of which simply involve being careful and aware of potential threats. For example, if you receive an email containing an attachment from an unknown source, exercise caution. Don’t open the attachment, even if you know the sender; instead, contact that person directly to confirm that the message is authentic. You should also avoid plugging any unknown devices into your computer. Other preventive measures to consider include:

  • Use two-factor or multi-factor authentication (2FA / MFA)
  • Ensure that antivirus is installed and kept up to date
  • Switch automatic updates on
  • Regularly back up your data

You can also consider cleaning up your social media accounts or online profiles, as social engineers search the Internet for as much information as they can find on a person. Social engineering in cyber security is a very real concern and one we all need to be aware of. Yes, it is important to have security measures such as antivirus software in place, but it is just as important to be cyber aware.