Social Engineering: How malicious people take advantage of human interaction


Social engineering is the art of manipulating people into handing over confidential information, or taking an action on the attacker's behalf, without realising what they are really doing. It can be staged in many different ways, depending on what the attacker wants from you.
Being friendly, pretending to be someone else, pretexting and phishing are just some of the techniques used. In this article we cover the most common ones and how you can avoid them.

Baiting

Baiting is when an attacker leaves a USB stick or other physical device somewhere it is likely to be found and plugged into a PC. Such devices typically carry malware that steals your information and sends it to the attacker's server, or pose as a keyboard and type commands on your behalf as soon as they are connected. Our recommendation: never plug in a device you stumble upon; hand it to your security team instead.

Phishing

Phishing is when an illegitimate party sends a fraudulent email pretending to come from a legitimate one (a bank, a supplier, your own IT department). This threat is very common, and every email should be examined carefully before you click any link or open any attachment: check that the sender's address, not just the display name, belongs to the organisation it claims to be; check that the Reply-To goes to the same organisation; hover over links to see where they really lead; and be wary of messages that press you to act urgently.
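The checks above can be applied automatically before a message ever reaches a person. The script below is an added example, not code from the original article or from A2Secure: it parses a raw message with Python's standard library and reports sender-domain mismatches, failed SPF/DKIM/DMARC results recorded by the receiving mail server, and links whose visible text names a different host than the one they actually point to. Both sample messages, and every address and domain in them, are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "payroll" message. The From address matches
# the real company domain, but Reply-To and Return-Path do not, DMARC fails,
# and the visible link text hides a look-alike destination. All invented.
PHISH_EML = """\
Return-Path: <bounce@mail-acme-secure.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-acme-secure.example; dkim=none; dmarc=fail header.from=acme.example
From: "ACME Payroll" <payroll@acme.example>
Reply-To: payroll-desk@acme-secure-portal.example
To: employee@example.org
Subject: Urgent: confirm your bank details today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your salary will be delayed unless you confirm your details now.</p>
<p><a href="http://acme.example.login-verify.example/confirm">https://acme.example/payroll</a></p>
</body></html>
"""

# Constructed legitimate counterpart: consistent domains, all checks pass.
CLEAN_EML = """\
Return-Path: <payroll@acme.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
From: "ACME Payroll" <payroll@acme.example>
To: employee@example.org
Subject: Your May payslip is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is ready:
<a href="https://acme.example/payroll">https://acme.example/payroll</a></p></body></html>
"""

# Matches link text that looks like a URL or a bare host, capturing the host.
_URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable phishing indicators (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Reply-To and Return-Path domains should match the From domain.
    from_domain = _domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and _domain(msg[hdr]) != from_domain:
            findings.append(f"{hdr} domain {_domain(msg[hdr])} differs from From domain {from_domain}")

    # 2. SPF/DKIM/DMARC verdicts stamped by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")

    # 3. Visible link text naming one host while the href points elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href).hostname or ""
            shown = _URLISH.match(text)
            if shown and target and shown.group(1).lower() != target:
                findings.append(f"link text shows {shown.group(1).lower()} but points to {target}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(name, triage(raw) or "no indicators")
```

None of these indicators proves a message is malicious on its own (legitimate newsletters often use a separate bounce domain, for example), so the script reports them for a human to weigh rather than blocking the message; the clean sample shows that a consistent, authenticated message produces no findings at all.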

Diversion theft

In this kind of attack, the attacker diverts a courier to the wrong drop-off location and so intercepts the package. It is hard to prevent, since you are not in control of the delivery; however, if you receive a notification that your package has been delivered and you do not have it, contact the courier as soon as possible.

Pretending

This attack particularly targets senior staff. Executives and chief officers are contacted, or followed, by someone who claims to want to make a deal, conduct an interview or just make small talk, in order to extract juicy details. Senior staff should be careful about who they speak to and what information they share.


Tailgating

In this attack, someone who is not authorised to enter an area follows a genuine employee through the door into a restricted area. The attacker usually impersonates a delivery courier or cleaning staff, so the employee assumes they work there. To counter it, train employees to be wary of anyone they do not recognise, not to hold doors open for them, and to report them as soon as possible.

There are many more attacks and threats to be aware of, but these are the main ones your company should worry about. Building a security awareness culture is therefore key to improving the situation and reducing the risk. How can you do that? Here are a few tips:

  • Do not download anything if you are unsure about it.
  • Slow down and think before taking any action.
  • Check the facts. Be suspicious and ask for details before committing to anything.
  • Make employees feel part of the security team. Teach them how to detect and report security threats.
  • Send all employees a monthly email with the latest security threats.
  • Write guidelines on what to do in case of phishing.
  • Involve all departments and senior management so that everyone participates and is aware of what security means for the company and what there is to lose.
  • Be wary of unsolicited offers of help. Other companies do not contact you out of the blue to provide help. Do not answer any questions unless you are completely sure the source is reliable.
  • Use multi-factor authentication (2FA) across your organisation and set a password policy for all employees; note that forced rotation every 3 or 6 months is no longer recommended by NIST SP 800-63B, which favours long, unique passwords that are changed when compromise is suspected.

With all this in mind, you can boost the security of your company and feel better protected.
At A2Secure we have the best team to protect your company against social engineering attacks and to train your staff to recognise them. Drop us a line if you want to discuss further.

____

Author: Victor Cardona
