Sometimes called the art of human hacking, social engineering is a type of attack where people are manipulated, influenced, or deceived into giving access to sensitive data and computer networks.
Attackers know that taking advantage of people’s natural tendency to help and trust each other is an easier option than breaking into software or computer systems. That’s why it’s essential to understand who and what you can trust and why you need to be careful about revealing sensitive information.
In a social engineering attempt, attackers will tell a story to explain who they are. They’ve often put a lot of effort into creating and refining these stories, which make them feel very credible and familiar in the context of your work and daily life.
After telling you their story, an attacker will likely explain why they need your help and what they want you to do.
To motivate you into doing whatever they’ve asked, they’ll typically follow up with one of two things — maybe even both.
- An emotional trigger — like that someone you work with is expecting you to do this thing, and you’ll get in trouble if you don’t.
- A reward in exchange for your help — like money or a gift.
Some common examples of social engineering include:
- Emails made to look like they’re from a friend or another trusted source
- Requests for help from attackers pretending to be your colleagues
- Fake gift certificates and vouchers from well-known companies
While it’s no secret that social engineering attacks are becoming more sophisticated and harder to spot, there are some simple steps you can take to keep yourself safer.
Our top ten tips for staying safe from social engineering
#1: Keep your devices updated
Not only do you and your team need to stay secure, so do your devices. Many social engineering attempts end with a link or attachment that exploits a known flaw in an unpatched browser, mail client, or operating system, so regularly updating the software and operating systems on all your devices is a cyber security essential. Get into the habit of doing this, and you’ll have a strong foundation for defending yourself from social engineering attempts.
#2: Use trusted cyber security software
Antivirus or antimalware software and a firewall can’t stop someone from talking you into something, but they can catch the payload that usually follows: the malicious attachment, the link that downloads malware, or the connection back to an attacker’s server. Most operating systems, like iOS, have built-in protection of this kind; all you need to do is make sure you run all system updates as soon as they’re released. If your operating system requires additional software, remember to download it from official sources.
#3: Verify information requests before taking action
Politely decline to answer any questions or provide sensitive information about your personal life and workplace unless you know the request is legitimate and the person is authorised to ask. If you’re not sure, check in with someone you trust, like your manager.
#4: Keep an eye on website security
Check the address bar before providing your information or payment details. Look for the website’s security status in the URL box of your browser and see if the URL starts with https://. https:// means the site presented a certificate that matches the hostname in the address bar and that your connection to it is encrypted, so nobody sitting between you and that site can read or alter the data you enter.
One caveat, though: while https:// means “secure”, it doesn’t necessarily mean “safe”. Certificates are free and issued automatically, so an attacker’s site will have one too. A website can have a valid certificate and still steal your information; it’s just stealing it securely. What matters is the domain itself: read the part of the address just before the first single slash, and be suspicious of a well-known name buried inside a longer hostname, of lookalike spellings, and of an “@” anywhere in the address.
All that said, if you see the URL only has http://, be extra careful.
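To make the “secure is not the same as safe” point concrete, here is an added example (not code from the original post or from SafeStack) that checks a URL the way a careful reader of the address bar would: is the transport encrypted, and is the registrable domain actually one you know? The known domains and the short public-suffix table are constructed assumptions for the example; a real checker would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed example data: the sites a user expects to log in to, keyed by the
# registrable domain those organisations actually own. Hypothetical, not from the post.
KNOWN_DOMAINS = ("example-bank.com", "example-mail.com")

# Minimal public-suffix table for this example (assumption: these are the only
# multi-label suffixes we care about; the real list has thousands).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of the host an organisation can actually register,
    e.g. login.example-bank.com -> example-bank.com, shop.x.co.uk -> x.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def lookalike_of(host: str):
    """If a known brand name appears anywhere in a host we don't recognise,
    report which real domain it is imitating (example-bank.com.evil.example)."""
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host:
            return known
    return None


def check_url(url: str) -> dict:
    """Classify a URL: encrypted transport is one question, the identity of the
    site is a separate one, and https:// only answers the first."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases this for us
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")  # internationalised lookalike letters
    reg = registrable_domain(host) if host else ""
    if reg and reg not in KNOWN_DOMAINS:
        imitated = lookalike_of(host)
        findings.append(f"lookalike-of:{imitated}" if imitated else "unknown-site")
    if parts.username is not None:
        # https://example-bank.com@evil.example/ : the part before "@" is a
        # username, and the real host is whatever follows it.
        findings.append("userinfo-in-url")
    return {"host": host, "registrable": reg,
            "https": parts.scheme == "https", "findings": findings}


if __name__ == "__main__":
    for sample in ("https://login.example-bank.com/",
                   "https://example-bank.com.evil.example/login",
                   "https://example-bank.com@evil.example/"):
        print(sample, "->", check_url(sample)["findings"])
```

The second and third sample URLs both start with https:// and would both show a padlock; only the domain check tells them apart from the first.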
#5: Use official sources to confirm information
If you get a request by phone or email that you think is suspicious, contact the company directly using contact details from their official website, not the phone number or link in the message itself, and check whether the request is legitimate.
#6: Protect your accounts with two-factor authentication
Turn on two-factor (2FA) or multi-factor authentication (MFA) on your accounts. With 2FA or MFA, a password alone is not enough to get in: whoever is logging in also has to prove they hold something else, like a one-time code from an authenticator app or a hardware security key. One caveat: a one-time code can still be phished, because a convincing fake login page can ask you for the code and relay it to the real site within the short time it remains valid. Security keys and passkeys don’t have this weakness, because the browser only completes the login for the site the credential was registered with.
#7: Use a password manager
Using a password manager is also a smart option for protecting your accounts. It allows you to use long, unique passwords for each of your accounts more easily and gives you a trusted way to store them safely. It also has a useful side effect against phishing: the manager only offers to fill a password on the site it was saved for, so if you land on a lookalike page and the usual autofill prompt doesn’t appear, treat that as a warning sign rather than typing the password in by hand.
#8: Switch your email to a more secure platform
Consider using a cloud-hosted email platform. Popular options like Gmail and Outlook check whether a message really came from the domain it claims to be from (using the sender authentication standards SPF, DKIM and DMARC), warn you about suspicious links, and filter out many fake emails before you ever see them.
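To show what those platforms are looking at, here is an added example (not code from the original post or from SafeStack) that runs a simplified version of their sender checks over two constructed messages: does the DKIM-signed domain line up with the address in From:, did DMARC pass, and do Return-Path: and Reply-To: point somewhere else? Both sample messages and all domains in them are made up for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name and From: claim a bank, but the receiving
# server's Authentication-Results header says the signed domain is someone else's.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mailer.evil.example>
Authentication-Results: mx.example-mail.com;
 spf=pass smtp.mailfrom=mailer.evil.example;
 dkim=pass header.d=mailer.evil.example;
 dmarc=fail header.from=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
Reply-To: support-desk@example-bank-help.example
To: alice@example-mail.com
Subject: Urgent: verify your account today

Your account will be suspended unless you confirm your details at the link below.
"""

# Constructed sample of a genuine message: every domain agrees and DMARC passes.
SAMPLE_LEGIT = """\
Return-Path: <bounce@example-bank.com>
Authentication-Results: mx.example-mail.com;
 spf=pass smtp.mailfrom=example-bank.com;
 dkim=pass header.d=example-bank.com;
 dmarc=pass header.from=example-bank.com
From: "Example Bank" <statements@example-bank.com>
To: alice@example-mail.com
Subject: Your monthly statement is ready

Log in to your account in the usual way to view it.
"""


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    path_domain = domain_of(msg.get("Return-Path"))
    # Unfold the header (continuation lines start with whitespace) before parsing.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    dkim_domain = re.search(r"header\.d=([\w.-]+)", auth)

    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'none')}")
    # spf=pass and dkim=pass are meaningless on their own: the attacker can sign
    # mail for a domain they own. DMARC alignment asks whether that domain is
    # the one shown to the user in From:.
    if dkim_domain and dkim_domain.group(1).lower() != from_domain:
        findings.append(f"dkim-unaligned:{dkim_domain.group(1)}")
    if path_domain and path_domain != from_domain:
        findings.append(f"return-path-mismatch:{path_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    return findings


if __name__ == "__main__":
    print("spoof:", check_headers(SAMPLE_SPOOF))
    print("legit:", check_headers(SAMPLE_LEGIT))
```

Note that the spoofed message passes SPF and DKIM; the attacker simply signed it for a domain they control. It is the alignment between the signed domain and the From: domain, which DMARC enforces, that exposes it, and a Reply-To: pointing somewhere new is the tell that replies are meant to reach the attacker rather than the bank.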
#9: Do some cyber security awareness training
Sign up for a cyber security awareness programme, so you and your whole team can be up-to-date with the latest practices for staying safe and secure online.
#10: Run backups regularly
Keep backups of your important data. If you lose access or data due to a social engineering attack (it happens), this will make bouncing back much more straightforward. Many modern operating systems have cloud backup solutions you can use to keep your photos, files, emails, and other essential things backed up. If you’re not convinced about backing up to the cloud, you can always go for using a trusty physical hard drive. Either way, keep at least one copy somewhere an attacker who takes over your laptop or account can’t reach, such as a drive you disconnect after the backup or a cloud backup with version history, and test a restore occasionally so you know it works.
Want to take the next step?
Ultimately, increasing cyber security awareness across organisations and their teams can significantly reduce the risk of social engineering attacks.
SafeStack Academy offers a wide range of courses in our ongoing Security Awareness programme, and we regularly release new content, so you’re always up-to-date.
Grab a 14-day free trial to explore the whole programme, including our dedicated course on social engineering.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at email@example.com and let us know what you think.