In addition to the tasks that employees handle every day, they wear another hat related to cybersecurity, even if they don’t realize it.
Every day, cybercriminals use many types of social engineering attacks to try to steal confidential information, gain access to a business system, or wreak havoc with malware. And the targets of those attacks are usually a company’s employees.
Hackers know that software and cybersecurity systems are harder to get through, so instead they use age-old trickery on the human element of your business: your workers.
Social engineering comes in many forms. It’s the use of deception and psychological manipulation to get individuals to take a desired action.
In the case of a phishing email, it may be the use of the word “urgent” to get someone to click a link to a malicious site that infects their device with ransomware.
In the case of a longer con, it could be a person that contacts you over LinkedIn, pretending to be interested in your products, only to try to scam your business out of money.
Phishing, just one form of social engineering, accounts for 80% of cybersecurity incidents.
To ensure your company is safe from data breaches, compliance issues, and related costly threats, it’s vital that your employees understand how to spot and avoid social engineering.
What Are the Types of Social Engineering?
While the most common type of social engineering comes in the form of phishing emails, there are many other ways it is used that can be just as harmful to your business.
Here are the places to look out for social engineering.
Ever since the old “Nigerian prince” emails, phishing has been a key delivery method for social engineering.
Phishing emails have evolved significantly over the last two decades, and it can be nearly impossible to tell a fake email from a real one because they often spoof the logo and signature of a legitimate company.
The latest phishing ploys have to do with the COVID-19 pandemic, using social engineering to prey on people’s fears about the crisis and the disruption in their lives.
Smishing (Text, SMS)
When the social engineering scam is perpetrated over text/SMS or another type of messaging, like WhatsApp, it’s called smishing. These ploys can try to spoof the number of a superior by using their name in the caller ID field, in order to get an employee to give up confidential information.
Before it was even called “vishing,” social engineering by use of phone (a.k.a. scam calls) was happening. Often an unsuspecting person would hear “This is Microsoft Support and we found an urgent tech issue on your device,” when answering the vishing call.
Those that didn’t realize the call was a fake could end up being directed to a site to download a remote client that then gave the scammer control of their computer.
Social Media Social Engineering
Social media can be used for the “long con” when it comes to social engineering. Often the scammer will befriend a person or act as if they’re an interested buyer.
They’ll use direct messages for a while to gain the person’s trust, then they’ll either try to get confidential information or perpetrate a scam, like the “over payment scam” (they pretend to send a wire for more than the amount of an invoice and ask you to send them back the difference).
In-person social engineering is rare because the scammer has to be physically present and give up some amount of anonymity. However, for those that work in financial industries, this can happen in a similar way to the social media type.
How to Protect Against Social Engineering
Because social engineering targets people, the most effective safeguard is ongoing user education and awareness training, although there are also a few software tools you can use to help reduce the risk of a data breach.
Here are the key methods to protect your business and users from social engineering attacks.
Understand the Tactics Being Used
Social engineering relies on standard psychological ploys that are designed to get the desired reaction from the subject. Understanding what these are can help users avoid falling for them.
Typical social engineering tactics used are:
- A sense of urgency
- Trying to gain trust (e.g. by spoofing a colleague’s email address)
- Promise of something you want (e.g. a new customer sale)
Question Any Email/Message/Call from Unknown People
Most users will default to trusting a message or email until something gives them a reason to distrust it. But social engineering is so prevalent that users should instead immediately question and be suspicious of any communication they receive from an unknown person or that may be from a colleague but sounds “off.”
Follow Anti-Phishing Best Practices
As sophisticated as phishing emails have become, there are ways to identify them. These include:
- Hovering over links without clicking them to see the true URL
- Reviewing the raw message headers to see whether the address in the “From” line is really who sent the email
- Never opening a file attachment without having it scanned first
- Reviewing the email carefully for any slight misspelling or grammar errors
- Double-checking with a trusted pro or colleague on a questionable email
Use Software Tools to Backstop Your Team
There are tools you can use to help your employees stay safe and avoid falling for a social engineering attack.
- Anti-phishing software to block phishing emails
- DNS filtering to block malicious websites
- Email authentication (SPF/DKIM/DMARC) to prevent a scammer from spoofing your company email address
- Advanced threat protection that can deploy application whitelisting
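As an added example (not part of the original post or of Neuron Computers’ material), the Python script below applies the checks from the two lists above to a raw email: it compares the “From” domain with Reply-To and Return-Path, reads the SPF/DKIM/DMARC verdicts that a receiving mail server records in the Authentication-Results header, looks for urgency wording in the subject, and compares each link’s visible text with the address it actually points to (the “hover over the link” check, done programmatically). Both messages, every address, domain and header value in it are constructed for illustration; the script assumes the Authentication-Results header was stamped by your own mail server and has not been altered in transit.

```python
"""Triage a raw email for common social engineering red flags.

Added example for the checks described in the post; the messages below are
constructed samples, not real mail.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: imitates a colleague, but was relayed from an unrelated
# domain, failed authentication, and hides a link behind a look-alike URL.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.ceo@example.org
To: accounts@example.com
Subject: URGENT wire needed today
Content-Type: text/html; charset="utf-8"

<p>Please review the invoice at
<a href="http://login.example.org/invoice">https://portal.example.com/invoice</a>
and pay it today.</p>
"""

# Constructed sample of a legitimate internal message that passes every check.
CLEAN_RAW = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoice for review
Content-Type: text/html; charset="utf-8"

<p>Invoice: <a href="https://portal.example.com/invoice">https://portal.example.com/invoice</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "asap")


def domain_of(address) -> str:
    """Return the lower-cased domain of an address header value ('' if none)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg) -> dict:
    """Parse the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {mech.lower(): verdict.lower() for mech, verdict in found}


def triage(raw: str) -> list:
    """Return the list of red flags found in a raw message (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    path_dom = domain_of(msg["Return-Path"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if path_dom and path_dom != from_dom:
        flags.append(f"Return-Path domain {path_dom} differs from From domain {from_dom}")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            flags.append(f"{mech.upper()} result is '{verdict}', not 'pass'")
    subject = str(msg["Subject"] or "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        flags.append(f"Subject uses urgency language: {subject!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text).hostname if "://" in text else None
            real = urlparse(href).hostname
            if shown and real and shown != real:
                flags.append(f"Link text shows {shown} but points to {real}")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(f"{name}: {triage(raw) or ['no red flags']}")
```

Each flag maps to one line of the checklists: the Reply-To and Return-Path comparisons and the Authentication-Results verdicts cover “is the From line really who sent it” and the SPF/DKIM/DMARC tooling, the subject check covers the urgency tactic, and the link comparison covers hovering to see the true URL. A message with no flags is not proof it is safe; the script is a first filter, and the “double-check with a trusted colleague” step still applies.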
Protect Your Southern California Company from Social Engineering
Neuron Computers can help your company deploy protections that can safeguard your users and network from social engineering and other online threats.
Contact us today to schedule a free cybersecurity consultation. Call 1-833-4-NEURON or reach out online.