Social Engineering Is The New Frontier, or is it?
By: Steven Crociata
So, what do we think about when we hear the phrase social engineering? Manipulation, experimentation, perhaps coercion, trickery, or covert operations? If any of these terms come to mind, you are not alone. Many of us have been on the receiving end of a socially engineered event at some point in our lives. We are conditioned to take a stand on politics, a career search, relationships, or even a simple advertisement. However we choose to interpret the stimuli, it is up to each of us to make sense of them, and that is what makes us all different.
Not to bash social engineering in its entirety: it can be used for the greater good, for example in gathering the data used to build better programs and products for our daily use, including the systems behind artificial intelligence (AI). When researchers better understand the target audience, they can shape the message more effectively. As professor of psychology Dr. Thomas G. Plante points out, social engineering can yield positive outcomes that include networking, collaboration, entertainment that serves up instant gratification, newfound confidence, and possibly a memorable day for all parties involved.
On another front, social engineering is used by bad actors and criminals to penetrate our inner world. Unfortunately, where there is good, there is also evil. I am not suggesting using social engineering for personal gain in any way, shape, or form. All are encouraged to stay alert to social engineering practices. Whatever the methods used, the bad actors are always trying to find our secrets to help them open doors into our world, just as a hacker would focus on getting past a firewall. Yes, we spend a lot of money and time protecting the infrastructure, as we should; conversely, social engineering has changed the playing field considerably, so we should be even more concerned.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), in a social engineering attack the attacker uses human interaction (social skills) to obtain or compromise information about an individual, organization, or computer system.
When we look at social engineering, we must realize that it is used to set up a range of malicious activities that later manipulate or coerce. Remember, it is up to the social engineer to get what they need from the victim or target to carry out an effective attack. I recently read an excellent book, Social Engineering: The Science of Human Hacking by Christopher Hadnagy, which outlines the many tactics social engineers (SEs) use to gather information. It is a fascinating read and I highly recommend it. I will not give away his secrets; however, many of the ideas in this article outline a few tactics that show how social engineering is truly the lifeblood of any criminal operating in today's covert world of cybercrime.
There are many steps a bad actor will take to construct an attack against a target. To some extent, firewalls and antivirus software can block attack vectors; however, no protection method is attack-proof, as we see constantly on a global scale. A defense can quickly become obsolete, as attackers constantly update their attack vectors and seek new ones to gain unauthorized access to mobile phones, laptops, computer hardware, and ultimately the processing power of servers. For reference, an attack vector is a path by which an attacker can reach a computer or network server to deliver a payload that pays off for them down the road.
Attack vectors also enable hackers to exploit system vulnerabilities, including the human element. Why is social engineering especially dangerous? Because it takes advantage of human error rather than software and operating system vulnerabilities. Mistakes made by legitimate users are much less predictable, which makes them harder to identify than a malware-based intrusion. Common cyber-attack vectors include viruses and malware, email attachments, web pages, pop-up windows, instant messages (IMs), chat rooms, and deception. Except for deception, all of these methods involve programming or, in a few cases, hardware. Deception is when a human operator is fooled into removing or weakening system defenses. The attacker first investigates the intended victim to gather the background needed to size that individual up. It is like casing the joint before the bank robbery. After finding the possible entry points and the weak security practices needed to proceed, the plan is put into action. The attacker then moves in to gain the victim's trust and provide some form of stimulus for subsequent actions that break further security barriers, such as revealing sensitive information or granting access to critical resources on the network.
Some of the information in this article might help draw attention to the many aspects of social engineering and how it is used to cause harm or gain access to specific interests. While some cybersecurity attacks exploit technical vulnerabilities in software, others exploit psychological vulnerabilities in human behavior. I find it fascinating that criminals use the power of the mind to coerce and convince people to do things, almost like how a serial killer persuades someone to come into their lair.
In the case of a socially engineered attack, a bad actor may seem unassuming and respectable, or may claim to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. By asking questions, they may be able to piece together enough information to infiltrate an organization's network.
The most effective attacks often combine the two. Suppose an attacker cannot gather enough information from one source; they might contact another source within the same organization, relying on the data from the first source and building it into their profile to bolster their credibility. So, why is it important to understand how to avoid being taken advantage of? Unfortunately, many of us have fallen victim to various scams. The sad thing is that many of us are very predictable and, unfortunately, naïve. No one likes to be called that; however, we are creatures of habit, and therefore we are not too hard to figure out. That is the stark reality. The purpose of this article is to create awareness, so I compiled information that I believe will be helpful. Some of it is from my own experience, and the rest is from additional research that I have done.
What is known is that "a chain is only as strong as its weakest link." One of the most widely recognized weaknesses in any cybersecurity strategy is the human. Today more than ever, we are tied to our mobile devices. We can't walk into a store, go to the gym, or drive on the highway without seeing someone on their phone. That's a scary thought right there. Nonetheless, most people, including myself, want to know what is happening at a moment's notice. We check our email and social media accounts constantly, rightfully so. We live in a world where immediacy takes precedence over everything. It is like being in the Mafia: they come first, and family comes second.
Many contributing factors used to build successful social engineering campaigns are:
- A strong sense of urgency
- So much going on in the world
- The internet makes everything immediate
- The feeling of being wanted
- A strong sense of curiosity
- Social status
- Self-gratification
Why do the bullets mentioned above play a part in how the bad guys manipulate us? One of the critical factors is that we constantly need to be aware; God forbid we miss something. With all that is happening (job pressure, family, the pandemic, the economy, and politics, to name a few), we find ourselves continually looking at our laptops and mobile devices. This, unfortunately, leaves us open and vulnerable, as I will explain. Facebook, for example, is a crucial component in the world of "I need to be in the know now." We all need to know what the family is up to. Who is going on vacation? Who is making the best pasta dish? What is happening in politics? And so forth. This environment creates a hunting ground in which the bad guys thrive; they prey on the weaknesses of all of us. Gone are the days of picking up a rotary phone and calling someone while hoping the person on the other end would pick up. Nowadays, everything is connected, and we are mobile. We can reach out directly and respond to an email, a Facebook request, an Instagram post, or a tweet immediately, yet we expose ourselves in some way every time. Still, we are responding to that urgency within. You will see what I mean.
Tinder
The art of manipulation is all too real. The threats are among us, and the bad actors use human emotion to enter our world. To move in closer to our private fiefdom, the bad actors usually gravitate towards our strong sense of curiosity, fear, and urgency to coerce us into acting, whatever that action may be. The online dating scene is a perfect illustration. Have you heard of the Tinder Swindler? Several women in that case were collectively swindled out of millions of dollars, and it was probably one of the best-documented socially engineered attacks to date. Watch the program and understand how the main character crafted his scheme. He preyed on the women's emotions and on a strong sense of urgency to take part in what seemed to be a relationship with a lot of potential. The guy had money, beautiful clothes, traveled worldwide in private jets, and so on. That was what attracted them to him, and it was the start of their trouble. Watch the show on Netflix; it is fascinating.
Tricking individuals into divulging sensitive information is nothing new in the world of cybersecurity; what has changed is the method by which the attacks take place. It is not hard to convince someone to send money, divulge sensitive customer information, disclose authentication credentials, or even vote a specific way during an election. Unfortunately, this happens all too often, and it has cost many of us dearly, as in the case of the Tinder Swindler. I used that case because of the socially engineered nature of the bad actor's actions in taking advantage of the women, even though it was a little different from your typical hacking case. The psychology behind social engineering is beyond the scope of this article; what I can tell you is that we need to be more conscientious and aware of what we are being asked to participate in when visiting a website or responding to a request.
History of Social Engineering
Social engineering first reared its head in 1894, brought to us by Dutch industrialist J.C. Van Marken. He coined the term "social engineer" for his belief that experts could organize and improve society in the same way engineers designed and developed machinery. The idea was that modern employers needed the assistance of specialists in handling human challenges, just as they needed technical expertise (traditional engineers) to deal with non-human challenges (materials, machines, processes). The term came to America in 1899. Since then it has evolved into a much more sophisticated practice. Whether used for scientific or malicious purposes, it is something we have to deal with and take very seriously. I thought I would give you a little history to help you understand the premise behind the science.
TikTok Fraud
Many of us like to go on TikTok and scroll through thousands of short videos. It's addicting, right? Well, there is a socially engineered aspect to this. First and foremost, you know that your activity is being tracked, right? Each time you tap on a video, the TikTok algorithm profiles you by what you watch, and videos with similar content appear in your feed. I have to admit some of the videos are hysterical, others are informative, and some are downright devious. Some videos spread a lot of misinformation and create a sense of chaos; you wonder where these people get their information. Please be careful on the TikTok venue. Although TikTok says it screens videos for content, it sometimes does not, and there are thousands of fake accounts out there.
One individual, let's call him "the handsome pilot," had his account impersonated, and now there are duplicate profiles claiming to be him. The bad part is that they are asking for money and donations for various charities. The backlash is hitting this guy hard, and TikTok has repeatedly ignored his requests to shut the other accounts down. Another case is a video seen by Marketing Brew, which shows what appears to be an ad for Le Creuset, complete with its branding and logos. In it, a woman unpacks her kitchenware and admires the brand's famous bright-orange hue. The video says a 20-piece cast-iron set costs only $79.99 as part of a "clearance sale," which is the first major red flag.
These sets retail for as much as $1,799.95. So do your research! "It looked to me to be too good to be true," said Sarah Baird, who screenshotted and shared questionable Le Creuset advertisements with Marketing Brew. "No way you're getting a piece for $50 or $60, or whatever the price was advertising." Even if she gets something in return for payment, her card details and personal information can end up in the hands of a bad actor.
The Methods Used By The Bad Guys
Remember in the early to mid-1990s when people were tricked into divulging their calling card credentials, or the dial-in landline number that connected a threat actor to an internal corporate comm server or a switch at a long-distance carrier? That tactic has morphed into something much different now that we live on the internet. The bad actors use social engineering to trick targeted users into sending millions of dollars to offshore bank accounts, and they move the proceeds through cryptocurrency in the belief that it hides them (in practice most blockchains are public ledgers, and investigators trace such transfers regularly). Forget about stealing time or minutes on a calling card.
As I mentioned earlier, the major weakness in a cybersecurity strategy is the human. Looking at social engineering from a criminal perspective, it essentially takes advantage of a targeted user's inability to detect an attack. Although the line between social engineering and phishing is not precise, the two usually go hand in hand.
In more sophisticated cases, socially engineered attacks usually involve masquerading as a legitimate employee, or deceiving an employee into thinking that the attacker is a legitimate customer. When that works, the employee unknowingly provides the attacker with sensitive information or makes changes to account features, such as the settings on a mobile phone account.
Your Mobile Phone Tells The Story
Since many of these attacks start with a socially engineered event, the bad actor is always looking for a way in, and your phone number is a good starting point: with your number and any one of a number of common people-search engines, an attacker can potentially pull together a great deal about you.
Phones are inherently personal devices, and they contain a rich snapshot of our lives, from relationships to finances to detailed information on our likes and dislikes.
This depth of insight into who we are and what matters to us makes them an incredibly valuable target for cyber criminals. Effective social engineering relies on understanding the web of emotions, motivations, and cognitive biases that govern our behavior.
In other words, the more a cybercriminal knows about you, the more easily they can manipulate you into downloading a malicious file, sharing sensitive information, or transferring funds to an account they control.
SIM-jacking
When we look at SIM swapping (SIM stands for subscriber identity module), the SIM is what ties your phone number to your handset, and it carries the IMSI (international mobile subscriber identity) that the carrier uses to recognize you on its network. An attacker who has collected your phone number, your email address, billing account numbers, and other personal details can use them to convince your carrier that they are you, so be careful what you give away. Check your account once in a while, and ask your carrier to put a port-out PIN or account passcode in place so that a number transfer cannot be requested with personal details alone.
As we know, smartphones are in everyone's pocket. We use them for surfing the internet, getting directions, taking photos, sending messages, transferring money, playing games, and so on. Our phones have become essential appendages to our daily lives. Have you ever lost or misplaced your phone? You know that sinking, desperate feeling of checking your pockets, bags, and under car seats, and ultimately fearing that someone will have access to your private stuff if the phone is gone.
But wait! There is another way to lose your phone without it ever leaving your pocket, and it's called SIM swapping. Ask most people, and they have no idea what it is.
SIM swapping, also called SIM jacking or SIM hijacking, is a form of identity theft in which a criminal steals your mobile phone number by having it assigned to a new SIM card. What does this have to do with social engineering? In layman's terms, SIM-jacking takes control of someone's phone number by tricking the carrier into transferring it to a phone the attacker holds. Thieves in many cases manage to gain control of your number by misleading or bribing someone who works for the phone carrier. Once they hold your number, they also receive the SMS one-time codes and password-reset texts that so many accounts still rely on, which is why the swap is usually only the first step.
In some instances, they contact the carrier and recite the subscriber's personal information, which thieves can come by in multiple ways. According to the FBI, in January 2022 employees of a telecommunications company engaged in SIM swapping activity that resulted in the theft of over $200,000 from victims. The employees leveraged their company's internal access to bypass account security features, conduct the SIM swap, and reset the victims' passwords. Once the SIM card was swapped to a physical device controlled by the employee or a co-conspirator, they took over the victims' cryptocurrency accounts and linked bank accounts.
Back in January 2018, a tenth grader by the name of Ellis Pinsky of Westchester, New York, with a team of other hackers scattered across Europe and the United States, scammed their way into Michael Terpin's cryptocurrency accounts and fleeced them for more than 24 million dollars. In another case, on May 13, 2019, AT&T contractors and a Verizon employee were charged with assisting SIM swapping by handing hackers their customers' personal information for money. Again, a socially engineered event involving humans constructing the scheme through coercion or manipulation.
There are many examples of this, but here is a high-profile case we might all be familiar with. In 2019 a group of hackers SIM-swapped the phone number of Twitter's CEO and used it to post from his account. A year later, in July 2020, Twitter itself was breached, and that time the entry point was phone-based social engineering rather than a SIM swap. According to employees who worked at Twitter, the attackers phoned staff while posing as internal tech support and steered them to reset their passwords. While some forwarded the messages to the security team, others were taken in. They went to the hackers' dummy site and entered their credentials, unwittingly serving up their usernames, passwords, and multifactor authentication codes right into the hands of the bad guys.
The Justice Department and the Hillsborough County State Attorney investigated and found that the scheme was constructed by Graham Ivan Clark, a 17-year-old from Tampa, Florida. This young man had fallen in with the Minecraft scene, an online gaming community that unfortunately harbored bad actors who specialized in scamming players and typically focused on cryptocurrency theft. Clark was also familiar with OGUsers, a hacking forum known for selling stolen social media accounts obtained through SIM-swapping attacks, credential stuffing attacks, and other means. For reference, credential stuffing is the automated injection of stolen username and password pairs ("credentials") into website login forms to fraudulently gain access to user accounts; it works because people reuse passwords across sites. Brute forcing, by contrast, tries many candidate passwords against one or more accounts, guessing the password outright. As we now know, social engineering is a powerful tool used to trick and blindside users into doing things that can cause irreparable damage.
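Since the two definitions above are easy to blur together, here is an added example (an illustration written for this edit, not code from the original article or from the Twitter investigation) that tells them apart in a web login log. The log format and every line in it are constructed; the thresholds (ten distinct usernames, or ten failures on one username, inside a five-minute window) are assumptions you would tune to your own traffic.

```python
"""Added example (not from the original article): separate credential stuffing
from brute forcing in a login log.

Credential stuffing: one source replays MANY different username/password pairs,
so it fails across many distinct usernames.
Brute forcing: one source hammers ONE username with many password guesses.

The log format ("timestamp ip username result") and every line below are
constructed for this example; they do not come from any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build a small synthetic log with one of each pattern plus a benign user."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Stuffing pattern: 12 different usernames, one attempt each, from one IP.
    for i in range(12):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 user{i:02d} FAIL")
    # Brute-force pattern: the same username hit 12 times from another IP.
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.9 admin FAIL")
    # Benign: a user who mistypes twice and then logs in.
    lines += [
        "2024-03-01T10:00:00Z 192.0.2.5 alice FAIL",
        "2024-03-01T10:00:20Z 192.0.2.5 alice FAIL",
        "2024-03-01T10:00:40Z 192.0.2.5 alice OK",
    ]
    return "\n".join(lines)


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def classify_sources(log_text, window=timedelta(minutes=5),
                     stuffing_users=10, brute_attempts=10):
    """Return {ip: "credential_stuffing" | "brute_force"} for every source IP
    whose failed logins inside some `window`-long span cross a threshold.

    Per window: >= stuffing_users distinct usernames failing -> stuffing;
    otherwise >= brute_attempts failures on a single username -> brute force.
    Sources that cross neither threshold are not reported.
    """
    failures = defaultdict(list)          # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct_users = {user for _, user in span}
            if len(distinct_users) >= stuffing_users:
                verdicts[ip] = "credential_stuffing"
                break
            per_user = defaultdict(int)
            for _, user in span:
                per_user[user] += 1
            if max(per_user.values()) >= brute_attempts:
                verdicts[ip] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(constructed_log()).items()):
        print(f"{ip:<15} {verdict}")
```

Credential stuffing shows up as breadth (many usernames, roughly one attempt each) and brute forcing as depth (one username, many attempts); a plain per-IP failure counter cannot tell them apart, and the response differs, because a stuffing victim's password is already in the attacker's hands and needs a forced reset even if the login never succeeded.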
Spoofing
Spoofing is a method by which a bad actor disguises an email address, display name, phone number, text message, or website URL to convince a target that they are interacting with a known, trusted source. Caller ID spoofing, for example, is the practice of falsifying the information about an incoming call on the receiver's caller ID display. Scammers manipulate the caller ID so that the call appears to come from a local or well-known phone number, making it more likely to be trusted or answered.
Most users are unaware that a sender's email address can be spoofed simply by creating a familiar-looking one. Attackers register a domain similar to an official one and count on the targeted user not noticing the misspelling. Spoofing often involves changing just one letter, number, or symbol so the address looks valid at a glance. For example, you could receive an email that appears to be from Netflix using the fake domain "netffix.com." What can we do about that? Email authentication (SPF, DKIM, and DMARC) lets a receiving mail server reject messages that forge your exact domain, but it does nothing against a look-alike domain the attacker legitimately registered; for those you need user awareness, look-alike domain monitoring, and mail filtering that flags near-matches of the brands you deal with.
Did you ever get a strange friend request? We all have. Hey, a new contact! Who is this person? Wow, they reached out to me. Here goes the adulation again. It is not too hard to systematically engineer an attack that butters that person up. How many people on Facebook do not make their accounts private? You can use Facebook's privacy menu to limit who can see your posts, profile, and more; setting every option to "Only Me" makes your profile as private as possible, if that is what you want. For someone whose account is an open door, so to speak, it is easy to find them and their contacts: just look under Friends. Attackers compromise email accounts and spam malicious messages to the victim's contact lists. It is a common way to enter your world and gain your trust, and one of the better ways to gain confidence: "Hey, I spoke to ____, and they told me to reach out to you." Knowing who that person is gives you a sense that this person is credible. Not so fast. Always question links from friends if the message does not sound like personalized communication. In other cases, the message is short and lacks any personal element but covers a topic the recipient is known to be interested in. Unfortunately, many of us are quick to tap the screen or click the mouse on a malware link; that is exactly what the bad actor wants.
?Intel
So how does a bad actor set up the initial attack? Several forms of phishing attack are used in socially engineered events to trick users into divulging sensitive information. If you are a bad guy scoping out a target, there are several things that need to be done to have a successful attack. As I mentioned earlier, you need to case the joint before the break-in, or else you are going to find yourself behind bars. You need to know where things are: cameras, alarm systems, security guards, and ultimately the vault. It is also important to know when the money is delivered, when there is a shift change, and what time the bank closes and opens. I think you get the point. All the factors matter so that the plan comes together, if you are the bad guy.
What is not well understood is that, before a successful attack, the bad guys usually (though not always) do their homework before they send phishing emails asking you to do something. Plain phishing casts a wide net: the attacker sends out thousands of emails hoping to snare someone. Spear phishing, on the other hand, is a more targeted approach, where the attacker knows exactly who they want to hit. Whaling is the crème de la crème; I will address that in a moment.
What bad actors do in many cases is build a profile before sending a phishing email. Where do they start? They start with OSINT, open-source intelligence. OSINT is the lifeblood of social engineering and gives the bad actor the leading edge when making the attack; it is the starting and supporting point of every engagement. Because OSINT is so important to social engineers, it is crucial that you understand all the different ways information can be obtained on "you" before "you" become the designated target. OSINT is intelligence derived from publicly available information, as well as other unclassified data that has limited public distribution or access. Aside from devices and technology, attackers use open-source intelligence to find information about people in order to design social engineering attacks, including more pinpointed forms such as spear phishing. For example, attackers can find the executives of their target company through a simple Google search. They can then find the executives' social media accounts to learn about their family, friends, location, interests, and hobbies. When attackers know enough about their victim, they can craft a social engineering attack that is very hard to detect.
So, with their phishing poles, scammers are constantly out there promising money in exchange for a small payment. An example would be a targeted user who is offered a free iPhone in exchange for the shipping fee. Who in God's name is going to offer this? If the offer is too good to be true, it probably is.
What about malicious attachments, a method used to coerce users into divulging private information? In this case, a sophisticated attack might aim to install malware on a corporate machine using an email attachment as the payload. Malicious email attachments are designed to launch an attack on the user's computer. The attachments can be disguised as documents such as PDFs, e-files, and even voicemails. Attackers attach these files to an email with the intent of installing malware that can destroy data and steal information at the same time. The infection can allow the attackers to take control of the user's computer, giving them access to the screen, capturing keystrokes, and even reaching other systems on the network.
So never run macros or executables from a seemingly harmless email message on a laptop or mobile device. A sender who refuses to answer questions during a suspected phishing attempt is another sign that they should be deemed suspicious. Be careful, but you can reply to the message and ask the sender to identify themselves; an attacker will most certainly avoid identifying who they are and ignore the request. Better still, verify out of band: call the sender on a number you already have, not one taken from the message, since a reply only tells the attacker that your address is live. There you have it; you have now swatted that annoying fly on the picnic table.
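Here is an added example (written for this edit; not from the original article) of what "never run macros or executables from an email" looks like when automated: a small triage script that parses a raw message and grades each attachment by extension, double extension, declared-versus-actual type, and the file's leading bytes. The sample message, the extension lists, and the severity levels are all constructed for the illustration; a production filter would use a maintained block list and a real file-type library. The legacy .doc check is the same class of file that the Melissa macro virus described later in this article travelled in.

```python
"""Added example (not from the original article): triage email attachments
before anyone double-clicks them.

Both the sample message and the risk categories are constructed for this
example; the extension lists are a short illustration, not a vendor block list.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
              "wsf", "hta", "msi", "ps1", "lnk", "cpl", "jar"}
MACRO_ENABLED = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
LEGACY_OFFICE = {"doc", "dot", "xls", "xlt", "ppt", "pot"}   # binary formats; may carry VBA
CONTAINERS = {"iso", "img", "vhd", "vhdx", "zip", "7z", "rar"}
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}
EXPECTED_EXT = {"application/pdf": {"pdf"}, "image/jpeg": {"jpg", "jpeg"}, "image/png": {"png"}}
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole"), (b"PK\x03\x04", "zip")]
SEVERITY = {"ok": 0, "review": 1, "block": 2}


def sniff(data):
    """Identify the real file type from its leading bytes, ignoring the name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def assess_attachment(filename, content_type, data):
    """Return {"filename", "verdict", "reasons"}; verdict is ok / review / block."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    reasons = []
    verdict = ["ok"]

    def flag(level, reason):
        reasons.append(reason)
        if SEVERITY[level] > SEVERITY[verdict[0]]:
            verdict[0] = level

    if last in EXECUTABLE:
        flag("block", f"executable or script (.{last})")
    elif last in MACRO_ENABLED:
        flag("block", f"macro-enabled Office document (.{last})")
    elif last in LEGACY_OFFICE:
        flag("review", f"legacy Office binary (.{last}) can carry VBA macros")
    elif last in CONTAINERS:
        flag("review", f"container (.{last}) can smuggle an executable past filters")
    if len(exts) >= 2 and any(e in DOCUMENT_LIKE for e in exts[:-1]):
        flag("block", f"double extension (.{'.'.join(exts)}) disguises the real type")
    expected = EXPECTED_EXT.get(content_type)
    if expected and last not in expected:
        flag("review", f"declared {content_type} but the extension is .{last}")
    kind = sniff(data)
    if kind == "pe":
        flag("block", "content starts with a PE 'MZ' header: it is a Windows executable")
    elif kind == "ole" and last not in LEGACY_OFFICE:
        flag("review", "OLE compound file hiding behind a non-Office name")
    return {"filename": filename, "verdict": verdict[0], "reasons": reasons}


def triage(raw_message):
    """Parse a raw RFC 822 message and assess every attachment in it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [assess_attachment(part.get_filename() or "(unnamed)",
                              part.get_content_type(),
                              part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def constructed_message():
    """A made-up 'urgent invoice' email with four attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable" <ap@example.net>'
    msg["To"] = "you@example.com"
    msg["Subject"] = "URGENT: overdue invoice, open today"
    msg.set_content("Please review the attached invoice immediately.")
    samples = [
        ("Invoice.pdf.exe", "application", "pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("Q3_report.docm", "application", "vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04" + b"\x00" * 60),
        ("memo.pdf", "application", "pdf", b"%PDF-1.7\n% constructed stub\n"),
        ("list.doc", "application", "msword", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56),
    ]
    for name, maintype, subtype, data in samples:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage(constructed_message()):
        print(f"{result['verdict']:<7} {result['filename']}: {'; '.join(result['reasons']) or 'no findings'}")
```

The point of checking the leading bytes as well as the name is that "Invoice.pdf.exe" and a file called "report.pdf" that actually begins with the PE header "MZ" are both executables, and the second one will sail past any filter that trusts the extension.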
Social engineering uses emotions to trick users, as during a phishing exercise. Attackers also use several standard methods to push the user into performing an action, such as sending money to a bank account, and to make the attack look more legitimate. Usually, the techniques involve email or text messages because they can be used without a voice conversation.
Phishing, spear phishing, and whaling are social engineering tactics that can be used together. Whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money. What sets whaling apart is the target: cybercriminals masquerade as senior people at an organization and directly target high-ranking or otherwise influential individuals there. The aim in most cases is to steal money or sensitive information while also gaining access to computer systems.
When we look at examples of this, the Scoular Company, a grain industry giant with $6 billion in annual revenue, lost big to a whaling attack a few years ago. According to an article in Infosecurity Magazine, Scoular's corporate controller received a fake email pretending to be from the company's CEO that said, "For the last few months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company... This is very sensitive, so please only communicate with me through this email for us not to infringe SEC regulations." The scammers also sent the controller a fake email from Scoular's accounting firm to enhance their credibility. The controller even called the accountant's telephone number given in the email and spoke with the fake accountant. Falling for the well-executed scam, the business lost $17.2 million, which was sent to offshore accounts. This is very dangerous, and if your team is not educated, the price can be steep. Slow down and know who you are communicating with, even if it takes another hour to figure it out, and never verify a request using contact details supplied in the request itself.
Vishing and Smishing Attacks
With vishing and smishing attacks, scammers use text messages, voice-changing software, and those annoying robocalls telling you to enter your license plate or VIN so they can quote you a price on a warranty. These scams are called vishing (voice phishing) and smishing (SMS phishing), and they coerce you into entering your information into a link they provide. The bad guys know how much time we now spend on our phones, so they are phishing us by text or through sophisticated apps. If you get a text message you are not expecting, delete it, especially if that random text has a link or asks you for information. Nearly 1 in 3 Americans say they've fallen victim to a phone scam in the past year, such as someone calling and pretending to be from the IRS or from a company inquiring about an expiring warranty on your vehicle. According to a new report from Truecaller, roughly 59.4 million Americans have lost money to phone scams over the past year, and 19% fell victim more than once.
Separating You From Your Information
With many people out of work, certain employment apps can also be working to separate you from your information. If someone needs you, let them call you. Fake websites can also phish sensitive information from unsuspecting users or job applicants.
The website https://www.urlvoid.com has a free online test to see if you can spot a phony website. Other advice is to check whether the URL is misspelled, check for site seals, and look for the lock that shows a TLS/SSL certificate secures the connection. Keep in mind that the lock only means the traffic is encrypted to whoever controls that domain; phishing sites routinely have valid certificates too, so the lock is a minimum, not proof of legitimacy.
Take some time to go through this test with your coworkers and learn together. The best way to avoid becoming a phishing victim is to slow down and be cautious. The Stop Think Connect international campaign has a straightforward message: stop before you click on something, think about what you are sharing and with whom, and then connect to the internet with confidence. Good advice for all.
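As an added example (written for this edit, not part of the original article) covering both the look-alike sender domains from the Spoofing section and the URL advice just above, the script below checks a domain, a URL, or a From: header against a short list of brands the mailbox deals with. TRUSTED_DOMAINS, the homoglyph table, and every sample address and URL are constructed; DNS, SPF/DKIM/DMARC, and certificate validation are left out so the script runs offline, and registrable() uses a naive "last two labels" rule instead of the public suffix list.

```python
"""Added example (not part of the original article): offline heuristics for the
look-alike domains and phony URLs discussed above, of the "netffix.com" kind.

TRUSTED_DOMAINS and every address and URL used here are constructed for the
example. DNS, SPF/DKIM/DMARC and certificate checks are deliberately out of
scope so it runs with no network; registrable() also uses a naive "last two
labels" rule instead of the public suffix list.
"""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brands this mailbox actually does business with (constructed list).
TRUSTED_DOMAINS = {"netflix.com", "paypal.com", "microsoft.com"}

# Substitutions that pass at a glance: digits for letters, 'rn' for 'm', 'vv' for 'w'.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Fold homoglyph tricks so 'netf1ix' and 'netflix' compare equal."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; catches the one-character typos squatters register."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain (last two labels); an assumption made to stay offline."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def assess_host(host):
    """Reasons a hostname looks like an impersonation; an empty list means no finding."""
    host = host.lower().strip(".")
    findings = []
    try:
        ipaddress.ip_address(host)
        return ["bare IP address instead of a hostname"]
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode label (possible Unicode homograph)")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return findings            # the real domain or one of its subdomains
    label = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if host.startswith(trusted + "."):
            findings.append(f"'{trusted}' used as a subdomain of '{reg}'")
        elif label == brand:
            findings.append(f"same name as '{trusted}' under a different TLD")
        elif normalize(label) == normalize(brand):
            findings.append(f"homoglyph of '{trusted}'")
        elif levenshtein(label, brand) <= 2:
            findings.append(f"{levenshtein(label, brand)} edit(s) from '{trusted}'")
        elif brand in label:
            findings.append(f"embeds the brand name '{brand}'")
    return findings


def assess_url(url):
    """URL checks layered on assess_host: scheme, userinfo trick, then the host."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("plain http (no lock icon)")
    if parts.username is not None:
        findings.append("userinfo before '@': the real host is what follows it")
    return findings + assess_host(parts.hostname or "")


def assess_sender(from_header):
    """Check a From: header: the address domain plus display-name/brand mismatch."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = assess_host(domain) if domain else ["no address in From header"]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(domain) != trusted:
            findings.append(f"display name mentions '{brand}' but the address is '{domain}'")
    return findings


if __name__ == "__main__":
    for sample in ["netflix.com", "netffix.com", "netf1ix.com", "netflix-billing.com"]:
        print(sample, assess_host(sample))
    print(assess_url("http://netflix.com.account-verify.net/login"))
    print(assess_sender('"Netflix Billing" <noreply@netffix.com>'))
```

Note what the script does not do: a missing lock is reported, but the presence of https is never treated as a clean bill of health, for the reason given above. An empty result means only that none of these cheap tricks was spotted, not that the sender is who they claim to be; that question is answered by SPF, DKIM, and DMARC on the receiving mail server, or by picking up the phone.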
Baiting
In today's day and age, we have to be careful of social engineering scenarios, including baiting. This is where the victim is compromised by a "carrot dangler": the victim must pay money to receive a large payout. The payout could be lottery winnings or a free prize in exchange for a small shipping fee. An attacker might also ask for charitable donations for a campaign that does not exist.
This happens a lot on TikTok. The bad actor creates a series of videos to entice you; then they lay out the bait for you to bite on, which is usually a link. Once the victims enter information into whatever portal the canned email or TikTok link leads to, they open the door to the bad guys. I still don't understand how people fall for this trick.
Fear Factor
Yet another widespread method of separating the victim from their money is to threaten the loss of funds or accounts, or prosecution, which causes fear in the victim. Fear is a valuable tool in social engineering. It effectively tricks users into believing that they will lose money or go to jail if they do not comply with the attacker's request. This happens more than we think.
There was a "Melissa Virus" terrorizing the internet in 1999. David L. Smith publicly posted a malicious file online, known as the Melissa virus. Since a virus requires human intervention to open and run a file, knowing what you are clicking on is paramount. This virus hit me, and it was painful. As the story went, I worked for a director at the time who sent me a file, or so I thought. I remember the email that I received had an urgency about it. I didn't have time to think, because the manner in which the email came to me asked me to click on the file immediately, and I trusted the source. Little did I know it was a spoofed email from the director. He had no idea what had happened. The macro used his Outlook and sent emails to other contacts; I was one of them. Once opened, it cleaned out all my files with a .XLS, .DOC, or .PPT extension, essentially all Microsoft files. I would not have lost a year's worth of data if I had only listened to my coworkers. Nevertheless, I was warned. I had no backup either. How can an infection by viruses like Melissa be avoided? Don't interact with a file from a link: if an email sender claims to be from an official business, don't click the link to authenticate. Instead, type the official domain into the browser. Simply don't download ANY files unless you know the origin of the email. It is better to be safe than sorry, so if an email urgently asks you to download files, ignore the request or ask for assistance to ensure that the invitation is legitimate.
Be aware of strange behavior from friends and coworkers, because attackers use stolen email accounts to trick users, so be suspicious if a friend or coworker sends an email with a link to a website and little other communication.
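The warning signs in the Melissa story and the paragraph above (a trusted display name on an unfamiliar address, a mismatched Reply-To, urgency, and a legacy Office attachment that can carry a macro) can be checked mechanically on the mail side. This is an added example, not the article's own code; the address book, the internal domain and the two sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed address book: display names we know and the address each really uses.
KNOWN_SENDERS = {"Jane Director": "jane.director@corp.example"}
# Office formats that can carry macros; the legacy .doc/.xls/.ppt formats (as with Melissa) always can.
MACRO_EXTENSIONS = (".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm")
URGENCY_WORDS = ("immediately", "urgent", "asap", "right away")

def assess_message(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name)
    if expected and addr.lower() != expected:  # display-name spoofing
        findings.append(f"display name '{name}' but address {addr} (expected {expected})")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():  # replies would go somewhere else
        findings.append(f"Reply-To {reply} differs from From {addr}")
    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            if fname.lower().endswith(MACRO_EXTENSIONS):
                findings.append(f"attachment {fname} can carry macros")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("message pressures the reader to act urgently")
    return findings

# Constructed sample resembling the spoofed message in the story above.
SPOOFED = """\
From: Jane Director <jane.director@mail-relay.example>
Reply-To: jdirector.reply@webmail.example
To: staff@corp.example
Subject: Open this immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is the document you asked for, please review right away.

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```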
In conclusion
Social engineering is preventable. Since many businesses are targets of socially engineered attacks, employees must be aware of the signs and take the necessary steps to stop these attacks. It should be the organization's responsibility to educate its employees, so follow these steps to empower them with the tools needed to identify an ongoing attack. Be aware of newly released data: whether it arrives through social media or email, employees should know whether the information is sensitive and should be kept confidential.
Always be sensitive to valuable material, because PII (personally identifiable information) should never be shared with any third party unless authorized by either legal or human resources. To be safe, we all need policies to educate users. Employees should know what data is considered PII. This approach gives users the information necessary to recognize fraudulent requests and report them to the IT security team.
Work with your IT department to keep anti-malware software up to date: should an employee download malicious software, anti-malware will detect and stop it in most cases. Be suspicious of requests for data; any request for data should be received with caution. Ask questions and verify the sender's identity before complying with the request. Train yourself and your employees to identify these types of attacks; there are several courses on LinkedIn that can help with that. If employees do not have the education that allows them to prepare, provide training that shows them real-world examples of social engineering.
One of the companies I worked with is Proofpoint (www.proofpoint.com). They have a solid handle on this. They know that social engineering attacks effectively target and exploit human emotions. They have security awareness training and education programs that help employees identify social engineering attacks. They prepare users for the most sophisticated attacks while giving them the resources necessary to react, from examples of the phishing emails that accompany these attacks to other risk-based occurrences. When trained on real-world examples, employees will be ready to identify social engineering and respond according to the organization's security policies.
I hope the information in this article helps you in your quest to be better educated and well protected against the forces of evil.
Thank you for reading this article.
Steven Crociata
Stay Vigilant!!!
Here are some of the references I used to compose this article
Avoiding Social Engineering and Phishing Attacks
Cybersecurity at Work: Social engineering overview
What is Social Engineering?
Are You Getting Phished? (my article)
Mozilla Explains: SIM swapping
Kajeet
WEI Tech Exchange
How 'Baby Al Capone' pulled off a $23.8 million crypto heist
How to Identify fake websites
TikTok is full of alleged scam artists pretending to be actual advertisers
How Twitter Survived Its Biggest Hack, and Plans to Stop the Next One