Ask a Security Expert: Recognizing the Tell-Tale Signs of Social Engineering
Question: “What are some common signs of social engineering attempts such as phishing or click baiting, and how can organizations prevent these types of attacks?”
-Jason Ballard, Sedona Technologies
Answer: First rule of thumb when it comes to social engineering: If something seems “phishy,” it probably is.
Cybercriminals often try to manipulate individuals into giving up their passwords, bank information, and other personal information through social engineering tactics.
A common example of these attacks is an email or message that appears to be from a colleague or friend.
It is typically much easier for the attacker to exploit a user’s natural inclination to trust than it is to find ways to hack their software.
Organizations can avoid these types of attacks by properly informing employees of the various social engineering tactics and implementing an effective antivirus solution.
Here are a few tips for recognizing and avoiding social engineering tactics:
- Less urgency, more caution—Slow down and read messages thoroughly before clicking on anything. Spammers try to take advantage of impulsive users who act before they think.
- Requests and offers are usually fake—Legitimate organizations do not offer to provide help without a specific request for assistance. Any offer to “help” restore credit scores, refinance a home, answer questions, etc., is a scam. The same is true of requests from charitable organizations. If you don’t have a relationship with the organization, delete the email.
- Never give out personal information—This seems obvious, but it must be said. If a message asks for personal or financial information, it is a scam.
- Use password management software—These programs are necessary to keep all of your passwords organized, but also act as a phishing safeguard. They will only fill in your credentials when you visit the actual domain where they are used.
- Links and downloads are dangerous—If you don’t know the sender personally and aren’t expecting a file from them, downloading anything is a mistake. Even when the sender appears to be someone you know, check with that person before opening a link or downloading. A well-orchestrated phishing email is impossible to distinguish from a genuine one.
- Spam filters on high—Every email service offers spam filters. Set these on high, and remember to check your spam folder periodically to see if legitimate emails accidentally get trapped in there.
- Antivirus software is your friend—Install antivirus software, a firewall, and email filters, and keep them updated. Anti-phishing tools offered by web browsers or third parties can also send alerts about potential risks.
- Security awareness training—It’s the best way to continuously keep users informed about the types of attacks they will face. Many training programs also test users’ ability to defend themselves and their organizations from being infected and compromised.
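The password-manager tip above rests on one check: credentials are filled only when the page origin matches the one they were saved on. The following Python is an added illustration of that check, not code from the column or from any real password manager; the vault entries and URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the origin they were saved on.
VAULT = {
    "https://accounts.example.com": ("alice", "s3cret-example"),
    "https://bank.example.org": ("alice", "s3cret-bank"),
}


def normalize_host(host):
    """Lower-case and IDNA-encode a host so Unicode look-alike labels are
    compared in their ASCII (xn--) form rather than by appearance."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def origin_of(url):
    """Return (scheme, host) for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    host = normalize_host(parts.hostname)
    return (parts.scheme.lower(), host) if host else None


def credentials_for(url, vault=VAULT):
    """Return the stored (user, password) only when the page origin matches a
    saved origin exactly. Exact matching means a look-alike domain, a host with
    the real name prepended (accounts.example.com.evil.example), a userinfo trick
    (accounts.example.com@evil.example) or an HTTP downgrade all get nothing."""
    current = origin_of(url)
    if current is None or current[0] != "https":
        return None
    for saved_origin, creds in vault.items():
        if origin_of(saved_origin) == current:
            return creds
    return None
```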
Social engineering attacks are designed to take advantage of a user’s trust.
Be on your toes when sifting through emails and messages.
Remember, if something seems phishy, it probably is.
George Anderson is director of product marketing at Webroot. “Ask a Security Expert” is an occasional feature.
Send tips and news to MSPmentorNews@Penton.com.