Avoiding Social Engineering and Phishing Attacks

Social engineering attacks, in which a hacker attempts to leverage human interaction to trick an individual into handing over or allowing access to private personal information so a computer or database can be infiltrated, have become a prevalent attack vector for cybercriminal groups.

In most cases, a hacker will appear to be genuine with a compelling backstory and may even have the relevant credentials to prove that identity.

They will be aiming to gather enough information to allow them to gain access to databases. If they are unable to garner adequate details to accomplish this off one contact, then they may contact more employees in the same group to gain additional information or bolster their credibility.

Phishing is another sort of social engineering. Phishing (email as a weapon) attacks use email or malicious websites to garner personal information by pretending to be a genuine organization or person.

When users respond to phishers with the requested information, it can be used to access the accounts.

In some cases, phishers try to take advantage of current events and certain times of the year, including:

• • Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • Epidemics and health scares (e.g., H1N1)
  • Economic concerns (e.g., IRS scams)
  • Major political elections

Another method is referred to as fishing. This method uses voice communication and can be combined with other types of social engineering to trick a person into contacting a specific phone number and handing over sensitive information.

In some cases, vishing attacks can take place entirely via voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services.

VoIP means it is simple for caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline connections. Landline communication cannot be intercepted without actual physical access to the line.

How do you avoid being a victim of social engineering?

• Beware of suspicious unsolicited phone calls.
• Unless you are sure of a person’s authority to have the information, do not hand over personal data or information about your organization, including its structure or networks,
• Never share personal or financial information in an email,
• Never reply to email solicitations for this information.
• Do not use the Internet to share sensitive information
• Always carefully read the URL in a link provided to ensure it is genuine
• Verify an email is real by calling a company to verify it
• Implement anti-virus software, firewalls, and email filters to reduce some of this traffic.

If you believe that you may have been a victim of social engineering, then you should contact your network administrator as soon as possible. They will be able to take or advise you of, the correct steps to take to remedy the situation and limit the damage.