Social engineering is an attack in which the attacker uses human interaction (i.e. social skills) to acquire or compromise information about an organization or its computer systems. The attacker may seem unassuming and respectable, perhaps claiming to be a new employee, a repair person, or a researcher, and may even offer credentials to support that identity.
By asking the right questions, they may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
Some attackers are even so bold as to ask you for access to your system to “fix” an issue you may believe you have, by sending you to a website and having you install a remote support tool (in effect, a back door).
Another form of social engineering used by attackers is the phishing attack.
What are Phishing Attacks?
Phishing attacks typically come in the form of an email, combined with a malicious website, and are used to gather personal information by posing as an organization you know and trust.
As an example: you receive an email appearing to come from your bank or credit card company, indicating you need to update your information on their portal. The email conveniently includes a link to what appears to be the bank’s website. When you, the victim, click the link, you are brought to an exact copy of the real website, where you enter your login name and password. Most often the login will “fail” and redirect you to the real website, where you assume you entered the wrong information and try again, which of course works this time. Guess what? You have just handed the criminals your login details. You have no doubt already received many of these attacks, even if you did not recognize them.
How to Protect Yourself?
- Do not provide personal or financial information about yourself or your organization unless you are 100% sure the person has authority to have the information.
- Be suspicious of any unsolicited phone calls, physical visits, or email messages from people asking about employees or other internal information.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (.com instead of .net).
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Take your time. Many phishing emails try to make you feel the matter is urgent so that you act quickly. Take a few moments to review and make sure the email is legitimate, and that the website you are visiting is legitimate.
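The URL advice above (spelling variations, a swapped top-level domain, a real name buried inside a longer hostname) can be turned into a simple pre-click check. This is an added example, not code from the original post; the trusted domain `examplebank.com` and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: the domain(s) you actually bank with.
TRUSTED_DOMAINS = {"examplebank.com"}

def registrable_domain(host: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to catch one- or two-character misspellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str) -> str:
    parts = urlsplit(url)
    # "https://examplebank.com@evil.net/" shows the bank's name but goes to evil.net.
    if parts.username:
        return "suspicious: credentials in URL"
    host = parts.hostname or ""
    if not host:
        return "suspicious: no host"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "ok" if parts.scheme == "https" else "suspicious: not https"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        if name == t_name and tld != t_tld:          # .net instead of .com
            return f"suspicious: TLD swap of {trusted}"
        if edit_distance(name, t_name) <= 2:         # examp1ebank, exmaplebank
            return f"suspicious: look-alike of {trusted}"
        if trusted in host:                          # examplebank.com.login-portal.net
            return f"suspicious: {trusted} embedded in host"
    return "unknown domain"

if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login", "https://examplebank.net/login",
                 "https://examp1ebank.com/", "https://examplebank.com.secure-login.net/"):
        print(link, "->", check_link(link))
```

The two-label rule for the registrable domain is a simplification; real deployments use the Public Suffix List so that hosts under `co.uk`-style suffixes are handled correctly.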
One on One Security Assessment
If you want to make 100% sure that your business computer systems are secure, or you would like to schedule a one on one to evaluate and get a second opinion on your business security, please call 905.346.4966 and ask to speak with Bryan or email me at firstname.lastname@example.org