Cyber-Attacks: Defending against Social Engineering

Following on from our Senior Technician Scotts previous blog Cyber-Attacks: Are you vulnerable? It’s important to expand on the human interaction element of cyber-attacks and Social Engineering. Social engineering is defined as an attack vector that relies heavily on human interaction and often involves manipulating people so they give up confidential information and breaking normal security procedures.

When individuals are targeted, criminals are usually trying to dupe them into providing passwords or banking information, or access their computer to install malicious software that will give them access to this type of personal data as well as giving them control over your computer. Cyber criminals use social engineering tactics because it is usually easier to exploit the human inclination to trust than it is to discover ways to hack software and network systems that normally have some level of protection.

The most common types of social engineering attacks are:

  • Baiting: is when a malware-infected physical device, such as a USB flash drive being left in a place it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware. There was a recent spate of this method of attack in the US where several business were targeted in the same area simultaneously, it was discovered that the attackers dropped infected devices in their shared car park.
  • Phishing: is when a fraudulent email disguised as a legitimate email, often sent from a supposedly trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
  • Spear phishing: is like phishing, but tailored for a targeted individual or organization.
  • Pretexting: is when an attacker misleads someone to gain access to privileged data. A pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
  • Scareware: involves tricking victims into thinking his computer is infected or has inadvertently downloaded illegal content, then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s malware, sometimes gaining some financial benefit to resolve the issue they have created.

One of the most common social engineering attacks we have encountered; aimed both at individuals and businesses, is the Microsoft scam, where cyber criminals pretend to offer technical support, often asking for you by name using details probably obtained from the local telephone directory or social media.  They’ll likely say they are a computer-security expert from Microsoft and your PC/Laptop or tablet has been infected with malware or a virus and that they can help you solve the problem. They then establish a remote connection to your device and attempt to confuse with jargon or ask open common Microsoft utilities and services that list what may appear to be problems with your computer or that your operating system is not licensed. They will probably offer to sort this by asking for payment. Often they will install malware on the machine that damages the operating system and steal personal details, passwords and data, with the best case scenario meaning a rebuild of the computer.

Microsoft have emphasised that they would never phone people to discuss tech support issues. They also said it was unable to detect issues with a particular user’s computer in the first place.

You should never allow remote access to their machine unless they are entirely sure the caller is a bona fide customer support representative, which often involves contacting a company on an official number.

Whilst technology makes some kinds of fraud more difficult to commit, it’s created all sorts of new opportunities for adaptable fraudsters with even the strongest security technology easily overcome by a clever social engineer. As a business it’s important to ensure that you have the following in place;

Policies, guidelines and permissions

As a business you need to set clear guidelines on the types of information staff can access and who they can share it with. This can be defined by the use of defined polices and guidelines.  By minimising the amount of information accessible to individuals you can minimise the impact the amount of damage an attacker can do this why its key that you consider clear permissions on your systems. These can be often determined by the roles played in the business.

Security

While large businesses have sophisticated security in their data centres such as biometric access controls, and 24×7 security, most small business do not have the finances for such resources. So you need to take practical measures such as encrypting your files, setting appropriate permissions and ensuring you have a good standard of software protection in place.

Industry Best Practices

Although not specifically related to Social Engineering, you should always follow security best practices to avoid threats and lessen the gravity of any breaches that occur. You may also want to consider the security of your network and those of any cloud based services that you maybe using.

Despite the importance of ensuring that you have up-to-date and effective security measures in place, staff should be aware of the risks and appropriate training introduced to help staff understand Social Engineering techniques and help them develop vigilance.

If you’d like more information on how your business can take positive steps to protect itself against Cyber-Attacks then why not get in touch! 

Back to our blog
Get in touch today