Many people fall victim to social engineering attacks without ever realizing it. The term does not always carry a negative connotation, but in IT circles social engineering refers to the psychological manipulation of people with the intent of getting them to reveal confidential information or to take certain actions. According to social-engineer.org, social engineering is used in over 66% of all attacks by hackers. Phishing is one of the most prevalent forms of it.
What is Phishing?
Social engineering attacks come in many forms; one of the most common is email phishing. The attacker typically spoofs (fakes) the sender address and writes an email that is either mass-mailed or aimed at a specific user (spear phishing). The goal is to get the user to click a link that leads to a malicious site. That site may imitate a legitimate login page and capture whatever the user types into it, such as bank account information, Social Security number and login credentials, and it can also collect details about the visitor's browser and system. The link (or an attachment) could also launch an application that exploits a local vulnerability on the user's system, potentially giving the attacker full access to it.
Once attackers have a foothold on a user's system, they can often escalate to full control. Without the user knowing, they can install malware that evades detection, gather sensitive information and even launch attacks on other targets. Consider how often you type a password, a Social Security number or a private message to someone; it is scary to think what could be captured. Further, if attacks are launched from a computer inside your organization, the activity traces back to your network, and your organization is where investigators such as the FBI will look first.
There are a few simple ways to reduce the risk of a successful social engineering attack against your organization.
- First and foremost, awareness. You can never be too cautious. There are several ways to identify a phishing email. Do not click on links; instead, hover the mouse over them. If the status bar at the bottom of the window shows a different domain than the one the link text claims, or a raw IP address instead of a domain, the email is most likely a phishing attempt. Also watch for look-alike addresses, where the legitimate name appears only as a subdomain or prefix of an attacker-controlled domain.
- You can also inspect the email headers. In Outlook, open the message, go to File, then Properties, and find the Internet headers box. The Received: headers record the path the email took; each mail server prepends its own, so scrolling to the bottom shows the originating IP address and system. If the message did not come from a mail system you trust, it could very well be a phishing attempt. Keep in mind that only the Received: headers added by your own mail servers are reliable; a sender can forge any that appear beneath them. The Authentication-Results header written by your receiving server (SPF, DKIM and DMARC verdicts) is another useful check.
- Another way to prepare is to hire a company to send simulated phishing emails to all of your employees. This replicates what an attacker would do and gives the company insight into how alert its employees are. Security awareness training is a great way to make sure that all of your employees are prepared if a social engineering attempt is made against your company.
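The first two checks above (hover over a link and compare the real destination with the text, then read the Received and Authentication-Results headers) can be done by a script as well as by hand. The following is an added example, not code from the original article; it uses only Python's standard library. SAMPLE_EMAIL is a constructed message, with hosts on reserved .example names and documentation IP ranges, and the specific reasons it reports are my own choices.

```python
"""Offline triage of a suspicious email: walk the Received chain, read the
SPF/DKIM/DMARC verdicts, and compare each link's visible text with the host
it really points at. SAMPLE_EMAIL is constructed for this example."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.corp.example with ESMTPS id A1; Mon, 1 Jan 2024 09:00:01 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77]) by mx.example.net with ESMTP id B2; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mail.corp.example; spf=fail smtp.mailfrom=bank.example; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank" <alerts@bank.example>
To: alice@corp.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://198.51.100.23/login">log in to bank.example</a> now.</p>
<p>Or use <a href="https://bank.example.secure-verify.example/">https://bank.example/secure</a>.</p>
<p><a href="https://bank.example@evil.example/">Update your details</a></p>
<p><a href="https://bank.example/help">Help center</a></p>
</body></html>
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def received_chain(msg):
    """Return (claimed host, IP) hops, oldest first. Servers prepend
    Received: lines, so the bottom header is the claimed origin. Only the
    hops added by your own servers (the top ones) are trustworthy; a sender
    can forge anything below them."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = str(raw)
        host = re.search(r"from\s+(\S+)", value)
        ip = _IP_RE.search(value)
        hops.append((host.group(1).strip("[]") if host else "?",
                     ip.group(1) if ip else "?"))
    return list(reversed(hops))


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts from Authentication-Results. Trust it
    only when its first token (the authserv-id) names your own server."""
    value = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, sender_domain):
    """The 'hover before you click' check, automated: flag links whose real
    host is an IP address, is not under the sender's domain, carries user@
    credentials, or differs from the domain shown in the link text."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address as host")
        except ValueError:
            pass
        if not _under(host, sender_domain):
            reasons.append(f"host {host!r} is not under {sender_domain!r}")
        if "@" in parts.netloc:
            reasons.append("user@host trick in URL")
        shown = _DOMAIN_RE.search(text)
        if shown and not _under(host, shown.group(1).lower()):
            reasons.append(f"text shows {shown.group(1)!r}, link goes to {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def triage(raw_message):
    """Run all checks on a raw RFC 5322 message and return a summary dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    hops = received_chain(msg)
    return {
        "sender_domain": sender_domain,
        "claimed_origin": hops[0] if hops else None,
        "auth": auth_results(msg),
        "links": suspicious_links(html, sender_domain),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

Running it against the sample reports an unknown origin host at 203.0.113.77, failed SPF and DMARC, and three of the four links flagged (raw IP, look-alike suffix, and the user@host trick); the genuine help-center link passes. The same idea applies to any message you can save as .eml from your mail client.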
Far too many companies fall victim to social engineering attacks. It is your job to make sure that you and your employees take the right precautions to reduce this risk. A security breach can expose critical information about your company, your clients and your employees. Since we can't predict the future, it is better to prepare for it now. Don't let your company become another statistic. We need to stay vigilant to keep our information from falling into the wrong hands.