Social Engineering Part 3: Social engineering prevention techniques
Social engineering is a form of fraud that relies on psychological manipulation rather than technical exploits to trick people into revealing sensitive information or taking an action (clicking a link, sharing a password, transferring money) that undermines security.
In the previous two articles in this series, we discussed in depth what social engineering is and highlighted a variety of both common and sophisticated social engineering attacks. The third and final part of this series outlines the most effective ways to detect and stop social engineering attacks, and how to educate your employees so that they are less likely to fall victim to social engineering schemes.
Social engineering prevention techniques
Vishing – hang up and call back
If you receive a phone call you were not expecting, and the caller is requesting urgent or immediate action on the matter, then there’s a chance it could be a social engineering attack. Imagine you are in this scenario, and you are aware of social engineering schemes, so you take some steps to verify whether the person you are talking to is legitimate:
- You search their name on LinkedIn and you find a profile that matches the name, company, and job title they stated earlier in the call
- You find that the caller ID matches the phone number for this person on their LinkedIn profile, as well as on the company website
All of this appears to confirm that the person on the other end of the phone is who they say they are, yet it could still be a social engineering attack. The name, company, job title and phone number are exactly the details an attacker collects during the investigation (reconnaissance) phase of the social engineering lifecycle, and caller ID is trivial to spoof: many VoIP services let the caller set any number they like as the displayed number.
So what is the best approach in this situation? For vishing, it is to hang up and call back. Caller ID is simply data the caller sends along with the call; an outbound call, by contrast, is routed by the phone network to whoever actually controls the number you dial, so it cannot be answered by the person who just called you. Two caveats apply. First, call back on a number you already have or look up independently (the company directory or official website), never one the caller gives you or that appears on the caller ID, since the attacker controls both of those. Second, a successful callback only proves you reached the real number; the request itself still needs to be verified. Alternatively, contact the individual through a different channel, such as email, chat or a social media message, ideally one the attacker is unlikely to control as well. Verifying a person's identity through an independent channel is one of the most reliable ways to defeat social engineering.
Never give your password to anyone – no matter the circumstances
While this may seem obvious, research has found that over a third (34%) of US adults willingly share their passwords with colleagues. A common social engineering technique for acquiring passwords is to impersonate a member of the IT department and ask for your login credentials in order to install new software or run an antivirus scan on your account. A genuine IT department never needs your password: administrators can reset it or act using their own privileged accounts, so any request for it is a red flag. As above, the best way to prevent social engineering in this situation is to verify the request through a separate channel, for example by calling the IT help desk on its published number or checking with a colleague, before complying.
Avoid clicking links in emails you were not expecting
Again, this may seem obvious – but it is not always evident when an unexpected email contains a phishing link. In part two of this series, we discussed the ‘birthday coffee method’ of spear phishing, where a victim may receive an unexpected email from their company’s HR or wellbeing team congratulating them on their recent birthday and offering a free coffee as a gift from the company. Whilst this might be unexpected, it is common for companies to provide their employees with gift vouchers to celebrate birthdays, work anniversaries, or public holidays. Taking the following steps before clicking on the link helps with social engineering prevention:
- Check the sender address. Is it the same address you usually receive HR or wellbeing emails from? Remember that the visible From address is trivially forged, so a match is not proof; look for subtle differences (a swapped letter, an extra word, a different top-level domain) and take further precautions before clicking.
- Check the message headers (most mail clients have a "show original" or "view source" option). Does the Return-Path (envelope sender) match the From domain? Do the Authentication-Results show SPF, DKIM and DMARC passing? Does the delivery path look like previous emails from the HR and wellbeing team?
- Hover over the link (do not click) and read the real destination your mail client shows. The visible link text can say anything, including the address of your genuine employee portal, while the underlying target points somewhere else entirely. Is the destination a domain you would expect?
- If the link asks you to log in to your employee portal, open your browser and type the portal's address yourself (or use a saved bookmark) instead of following the link. A genuine voucher will be waiting there too.
If still in doubt, check with a colleague or use an alternative channel to contact the sender directly.
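The header and link checks above can be automated for triage. The script below is an added example, not code from the original article: it parses a constructed "birthday coffee" email with Python's standard library, compares the From domain with the envelope sender and the receiving server's SPF/DKIM results, and compares each link's displayed text with where the link actually points. The domains example.com and example-rewards.net, the sample messages and the two-label domain heuristic are all assumptions made for the demo.

```python
"""Automated version of the email checklist: sender/header checks plus
'hover over the link' checks. Added example; the sample messages are
constructed and the domains are placeholders."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish: From looks like HR, but the envelope sender, SPF result
# and the first link's real target all belong to another domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@example-rewards.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-rewards.net; dkim=none
From: HR Wellbeing <hr-wellbeing@example.com>
To: alice@example.com
Subject: Happy birthday, Alice! A coffee on us
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Happy birthday! Claim your free coffee voucher here:</p>
<a href="https://example-rewards.net/claim?u=alice">https://portal.example.com/rewards</a>
<p>Or visit <a href="https://portal.example.com/wellbeing">the wellbeing portal</a>.</p>
</body></html>
"""

# Constructed benign message for comparison: everything lines up.
CLEAN_EMAIL = """\
Return-Path: <hr-wellbeing@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: HR Wellbeing <hr-wellbeing@example.com>
To: alice@example.com
Subject: Birthday voucher
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://portal.example.com/rewards">https://portal.example.com/rewards</a></body></html>
"""


def registrable_domain(host):
    """Crude 'organisation' part of a hostname (last two labels).
    Assumption for the demo; real code would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Does the visible From domain match the envelope sender, and did the
    receiving server's SPF/DKIM checks pass?"""
    findings = []
    from_domain = registrable_domain(msg["From"].addresses[0].domain)
    return_path = msg["Return-Path"]
    if return_path:
        rp_domain = registrable_domain(return_path.strip("<>").rsplit("@", 1)[-1])
        if rp_domain != from_domain:
            findings.append(f"From domain {from_domain} != envelope sender {rp_domain}")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass")
    if "dkim=pass" not in auth:
        findings.append("DKIM did not pass")
    return findings


def check_links(msg):
    """For each anchor, compare the displayed text with the real target (the
    hover check) and flag targets outside the domain the mail claims to be from."""
    findings = []
    from_domain = registrable_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if "://" in text else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        if registrable_domain(real_host) != from_domain:
            findings.append(f"link to {real_host} is outside {from_domain}")
    return findings


def analyse(raw):
    """Return the list of findings for a raw RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARN:", finding)
```

Run as-is it reports five findings for the phish (envelope sender mismatch, SPF and DKIM not passing, link text pointing elsewhere, link outside the sender's domain) and none for the benign message. The Authentication-Results header is only trustworthy when it was added by your own receiving mail server; an attacker can insert a fake one, so production tooling strips any copy that arrives from outside before trusting it.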
Organize frequent social engineering refresher sessions for your employees
The best way to prevent social engineering attacks is to continuously educate your employees on what to look out for. If you have a social engineering prevention policy in place, make sure your employees know it exists and understand the steps to take if they think they have spotted an attack or have already fallen for one. Reassure them that they will not be reprimanded for falling for a scheme, and ask them to report any potential social engineering attack or breach as soon as possible: a victim who fears blame stays silent, and the delay is what turns a single phished credential into a breach. Education and awareness for every employee in the company is essential for preventing social engineering attacks.
While there are currently several social engineering prevention techniques such as the ones outlined above, preventing social engineering attacks is a continuously evolving process. Attackers will continue to develop more sophisticated social engineering schemes and, like with any type of online fraud, any social engineering prevention policy your company has in place will have to continuously evolve to keep up with the attackers.