When it comes to the security of our computers and online devices, what we often think of first is keeping them free of insidious viruses – throwing up firewalls and ensuring our anti-virus protection is bang up to date. Unfortunately, those protections can be quite easily overcome by one small vulnerability – human psychology.
Social engineering: a definition
Social engineering is the process of manipulating people in order to obtain confidential information or to trick users into making security mistakes. The term is used to cover a broad range of malicious activities from phishing, smishing, vishing (voice phishing) and scareware, to deceptions such as the ‘honey trap’ (whereby attackers pretend to be romantically interested in the victim) and the well-known ‘Nigerian prince just briefly needs your bank account’ scam.
Social engineering: how does it work?
When it comes to cyber-security, people are often the weakest link in the security chain, with the unpredictability of mistakes made by users making them harder to identify and avoid. It is much easier, for example, to pretend to be a company tech support agent and fool a user into giving up their password than it is to hack that same password (unless, of course, the password is password1!)
Social engineering attacks happen in one or more steps. Particularly when it comes to business attacks, a hacker may first investigate their target to gather background information, such as weak security protocols or potential points of entry. They will then move to gain the victim’s trust and to provide motivation for the user to give up information or to grant access to business resources.
Social engineering: what are a hacker’s motivational methods?
Knowing your Psychology 101 is a good way to avoid being scammed, as social engineering relies almost exclusively on what are known as the ‘principles of influence’ (a theory established by psychologist and professor Robert Cialdini in 1984). These methods of influence include:
Authority – whereby an attacker poses as someone ‘in charge’, requesting (ordering!) compliance.
Consensus – influencing users by convincing them that this is ‘what everybody else is doing’.
Familiarity – after all, if you receive an email from a friend, surely the link they have provided is legitimate?!
Intimidation – whereby the attack comes with a threat of negative consequences should the request not be granted.
Scarcity – ‘Only five left!’ or ‘While supplies last!’, which goes hand in hand with:
Urgency – ‘Act now or it will be too late!’
Note that scarcity and urgency often both relate to that little human tendency towards greed – many of us don’t want to miss out on something great, which can lead us to clicking first and thinking (and possibly regretting) later.
Defending against social engineering attacks
When it comes to protecting your business and safeguarding against malicious social-engineering attacks, your defence should be four-pronged:
- Ensure the lines of communication within the company are open and positive. If an employee believes that an attack has occurred due to their inadvertent error, the first thing you want them to do is report it – not hide it away in fear of reprisal.
- Train your staff to recognise the various methods of influence and to always think, check and double check before providing sensitive information. Cybersecurity staff awareness is key!
- Test the effectiveness of your training (yes, you can do some phishing yourself to check if you catch anything!) and redeploy the training often to ensure it is always fresh in the minds of your employees.
- Close your protection circle by also implementing cybersecurity measures – this will not only limit the number of attacks getting through to your staff, but can also help to minimise any damage caused by a successful attack.
Call Geelong’s cybersecurity experts
Servicing Geelong, the Bellarine Peninsula, the Surf Coast and surrounding regions, Geelong Technology Group helps small and medium businesses succeed by supporting and managing their IT requirements. Armed with the latest social-engineering information, we can not only assist your business with security awareness, we can also implement comprehensive cybersecurity solutions, ensuring your important business information is cybersecure.
Give us a call today to find out more on 1300 GET GTG (1300 438 484) or stop by our showroom at 166 Francis St, Belmont.