How to Prevent Social Engineering

Learn more about how to prevent social engineering.

Vishing is another social engineering technique.

Vishing – voice phishing – is essentially phishing over the phone. These attacks can also be adapted by having the hacker appear in person, rather than calling. The term was coined by socialengineer.org. This article will discuss vishing examples and in-person examples that mimic the vishing attacks.

An example of a common vishing attempt would be to call a secretary at a company and say that you are with the IT department and need to update the machines, but that you need her help to do so. You tell her it will be a quick process that will not disrupt her work; all you need her to do is open an email you’re about to send her and click on the link. Once she does this, you have remote access to the network! As she believes you are from the IT department, she trusts you, and since you have a sense of authority in this position, she complies.

Another social engineering method would be in-person visits. For example, you could go to a business and do your reconnaissance. If you find staff outside smoking, you could join them to smoke, or just hold a pack of cigarettes in your hand, and casually join the conversation. When the staff return to work, you just keep talking to them and follow them in.

Entering as part of this group to gain physical access to the organization is called tailgating. It works because people are generally too polite to stop others from entering with them. Manipulating their politeness in this way is part of social engineering.

A third method would be to use normal postal mail, although this is less common. This method is similar to email methods. The mail may advertise a limited offer, or it may demand payment on a fake invoice that is now overdue and say that the company is going to sue you if you do not pay immediately. Again, we see the element of urgency and the use of fear or greed to activate amygdala hijacking.

These are only some of the methods used, and hackers can be quite creative. It is therefore important to know how to combat social engineering. First, do not shame someone who has been a victim of social engineering! If you do, people will be less likely to report these attacks, which will leave your organization vulnerable. You want people to feel safe reporting possible attacks so that you can immediately act to protect your network.

If someone falls victim to a social engineering attack, find out what happened and then offer training to help identify suspicious requests in the future. This training should always include the instruction to just pause; pausing for as little as five minutes can help us make a more rational decision and prevent amygdala hijacking. Use this time to calm down, and then ask yourself if the message makes sense and if the actions they request make sense, and then do your research. If the message comes from someone in your organization, call them (do not reply to the email). If it comes from an organization, research the organization. And make sure you talk to colleagues to see if they have had similar messages.

In summary, social engineering is any act that influences a person to take an action that may or may not be in their best interests. Pause, think, and check the authenticity of messages. Social engineering can be complicated but effective, and we saw that over 50% of companies were targeted by social engineering attacks. It is all the more important that your organization offers ongoing training and has supportive reporting structures in place.

Now that you have a better idea of how social engineering works, hopefully you will be more vigilant in your personal and professional life and will know how to deal with any suspected attacks.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.
