What is social engineering and why does it matter? In the context of information security, it is a hacking tactic designed to psychologically manipulate or “trick” a person into performing actions or divulging confidential information. Social engineering threats are a wildly popular way for cybercriminals to get access to money or damage a company’s reputation. In fact, social engineering attack statistics from the past year are daunting: in 2018, more than 17% of workers fell victim to social engineering attacks, according to InfoSecurity Magazine. This is problematic, as you can imagine, because it disempowers people who place their trust in digital communications and leaves them scared to engage with anyone online (especially if they’ve already fallen victim to an attack). Likewise, the share of workers who fall for these attacks tells cyber professionals that more needs to be done to educate people on: 1) what social engineering is, 2) how it manifests and impacts your personal life, and 3) the effects it can have on companies whose workers succumb to the attacks. In this article, we will discuss ways to recognize social engineering in your digital life and how to increase your cyber security awareness for these types of attacks using…games (yes, games!). More to come on that later.
Types of Social Engineering Attacks and How to Spot Them
Social engineering techniques come in many forms, but one of the most common ways to manipulate a person is via a phishing email or a phone call. A malicious hacker could pose as one of your email contacts and send you a message to get personal information. Or an email aligned with your interests that seemingly comes from a store you frequent could give a hacker access to your bank account. Perhaps your “friend” reaches out in need of help with an issue they are experiencing. One click in that email and a cybercriminal has instant access to all kinds of data about you, from the operating system you use to even your social security number.
Some warning signs to think about if you believe you’re being attacked:
- A hacker won’t give you their contact information (name, phone, or email address); they tend to pose as “someone else” familiar to you, and if you’re at all suspicious and ask for their real name and details, they won’t divulge them.
- Hackers might convey a sense of urgency, insisting that you need to act quickly to prevent something bad from occurring.
- They might intimidate you into taking action by informing you of an “issue,” using technical words that seem legitimate but that they know you won’t understand.
- They could misspell words in their communications or ask odd questions to get you to reveal more information.
- Effective social engineers will try to build trust with their victim first by associating themselves with a reputable company or simply starting a casual conversation about a topic of interest to you.
“My mom just became a victim of a social engineering hack recently…A person hacked into her email and she received a notice her firewalls were damaged and that she needed to pay money to have them restored before her data was compromised…a few hours later she found herself on the phone with a supposed representative of a reputable tech company giving out her credit card info to remedy the situation. It was incredibly disheartening to hear and I felt terrible that she experienced that. Fortunately, she was able to get her money back, but this wasn’t the first time she fell victim to such a scam.” ~ a Circadence employee
This is just one example of what can happen when someone is unaware of social engineering tactics or just doesn’t know how to recognize them.
How to Protect Yourself from Social Engineering Attacks
Understanding defensive strategies will help anyone looking to “up the ante” on their social engineering detection prowess. Some strategies include:
- Know what “bad” emails look like, including checking the sender’s actual email address (not just the display name)
- Identify suspicious website URLs
- Set spam filters to “high”
- Update your passwords regularly (and don’t just change one character to make it “new”)
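The warning signs above (a familiar name fronting an unfamiliar address, urgency, odd wording) and the defensive habits in this list (inspect the sender address, identify suspicious URLs) can be turned into simple rules a mail filter or a training exercise can run. The following checker is an added example written for this article, not a Circadence or inCyt tool; every domain, message and rule in it is constructed for illustration, and the "trusted domains" list stands in for whatever organisation's domains you would actually trust. It scores one plain-text email for the signs discussed and reports them in plain language, which is also a useful way to show trainees exactly *why* a message is suspicious.

```python
"""
Added example (not from the original article): a rule-based checker that
reports the social engineering warning signs discussed above for one message.
All domains, addresses and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases matching the "sense of urgency" warning sign (constructed list).
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "act now",
                 "suspended", "verify your account")

# Domains a hypothetical organisation actually trusts (constructed).
TRUSTED_DOMAINS = ("examplebank.com", "example.org")

LINK_RE = re.compile(r"https?://[^\s<>\"')]+")


def edit_distance(a, b):
    """Levenshtein distance; used to flag look-alike domains (examp1ebank vs examplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(host):
    """Return the trusted domain this host imitates (near-miss spelling or brand
    name embedded in an unrelated domain), or None if it is trusted or unrelated."""
    if not host or is_trusted(host):
        return None
    reg = registered_domain(host)
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]
        if reg != d and (edit_distance(reg, d) <= 2 or brand in host.lower()):
            return d
    return None


def check_links(body):
    """Flag raw-IP hosts, punycode hosts and look-alike hosts in every link."""
    findings = []
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link uses a raw IP address: {url}")
        elif host.startswith("xn--") or ".xn--" in host:
            findings.append(f"link host uses punycode: {url}")
        else:
            target = lookalike_of(host)
            if target:
                findings.append(f"link host {host} resembles trusted domain {target}")
    return findings


def check_message(raw):
    """Return a list of human-readable warning signs found in one plain-text message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. A familiar brand in the display name fronting an untrusted address.
    compact = display.lower().replace(" ", "")
    claimed = next((d.split(".")[0] for d in TRUSTED_DOMAINS if d.split(".")[0] in compact), None)
    if claimed and not is_trusted(from_host):
        findings.append(f"display name '{display}' claims {claimed} but address domain is {from_host}")
    target = lookalike_of(from_host)
    if target:
        findings.append(f"sender domain {from_host} resembles trusted domain {target}")

    # 2. Replies silently routed to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_host:
        findings.append(f"Reply-To domain differs from From domain: {reply}")

    # 3. Pressure to act quickly.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Suspicious links in the body.
    findings.extend(check_links(msg.get_payload()))
    return findings


# Constructed sample messages (documentation IP range and reserved TLDs only).
PHISH = """From: Example Bank Security <alerts@examp1ebank.com>
Reply-To: recover@mailbox-reset.example
Subject: URGENT: your account will be suspended
Content-Type: text/plain

We detected a problem. Verify your account within 24 hours at
http://198.51.100.23/login or http://examplebank.secure-verify.net/reset
"""

LEGIT = """From: Example Bank <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available in online banking at https://www.examplebank.com/statements.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", check_message(sample) or ["no warning signs found"])
```

Each finding maps back to one of the warning signs above, so the output doubles as a teaching aid: a trainee can compare the message with the list of reasons it was flagged. The look-alike test is deliberately simple (edit distance and embedded brand name) and uses a two-label approximation of the registrable domain, so in production you would pair it with a public-suffix list and with your own domain inventory rather than the constructed `TRUSTED_DOMAINS`.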
These are just a few options but honestly, one should not simply “pick and choose” from the above options in a silo. Those looking to protect themselves should adopt what SANS calls a “multi-layered” defense against social engineering, where if a hacker penetrates one level of protection, he/she can’t get into the next layer without being “found out.” And when all else fails, trust your gut! If something seems strange, out of the blue, or too good to be true, it probably is.
Persistent Cybercrime Requires Persistent Cyber Learning and Training – with Games!
Security awareness and defensive strategies are more than just telling people to update their software when prompted. They require a deeper analysis and understanding of what, when, and how cybercriminals exploit vulnerabilities (and of the warning signs that you’re being attacked).
Further, as social engineering attacks infiltrate and impact businesses, employees need to know what confidential information is, how to identify sensitive data, and how they as individuals can safeguard it simply by being proactive and cautious in their everyday online behavior. Nobody is immune to a social engineering attack, and malicious hackers are targeting new vulnerable people every day to make progress and get what they want. But don’t let the “doom and gloom” of persistent cybercrime get you down…get empowered and fight back!
To begin a journey toward social engineering self-protection, we recommend looking into tools that help you learn cyber security basics and foundations. Our inCyt tool can help with that. It is a gamified security awareness training solution that doesn’t require any prerequisite knowledge of cyber security to play.
Accessible via a browser, inCyt invites players to compete in epic cyber-themed battles to increase the Cyber IQ of all players. Players gather intel and then use gamified hack processes like phishing and malware to take out their opponent. It disrupts the standard, stale teaching options currently available by giving people instant, approachable access to learning cyber in a fun way. Non-technical employees, too, can play and learn real-world concepts like social engineering.
Social engineering is a very real threat and one that isn’t going away any time soon. Once companies realize that every cyber vulnerability starts with their people knowing and understanding how to protect themselves, they will be far better positioned to defend against these types of attacks. A willingness to empower oneself with persistent, gamified training and a multi-layered defensive approach is key to stopping social engineering hackers in their tracks. If more people adopt these strategies, social engineering will become much more difficult to deploy.