How to prevent social engineering attacks
We have heard a lot in the recent years about organizations and general public getting conned and enticed into giving out sensitive information. Unscrupulous persons posing as bankers or insurance agents have successfully extorted information and then money from naive people who just do not know what needs to be done in that situation and become victims. In security terms, Social engineering is set of techniques that influence or manipulate persons to divulge information that is sensitive / confidential in nature. The sensitive information can include your user names, passwords, pins, credit card or debit card numbers, social security numbers, insurance details, etc. So, we now know what is at stake. Social engineering attackers use telephone, email or can present themselves personally and influence people to obtain information / money using various social engineering techniques. Such techniques include vishing (voice phishing which is committing fraud through telephonic conversation), phishing (obtaining information fraudulently through emails or text messages), smishing, spear phishing, baiting, etc. So, keep the following in mind to know how to prevent social engineering attacks.
- Do not divulge your credentials to anyone: No company or Bank or Insurance company will ask secret information such as One time password (OTP), user names, passwords, or other personal / private information. So, when you are asked about these details over phone or by email or by a person knocking at your door, be alert and refuse to provide such personally identifiable information. Time and again, our Government organizations and Banks keep warning us about the same.
- Limit the information that you put online: Prevention is better than cure. So, limit the information that you put on online sites and social media sites. You may get excited to put lot of information that you intend your near and dear ones to see. But remember, internet is public and your information can also be seen by criminals or unscrupulous persons who will use it to their advantage.
- Be sure that emails are from trusted source: Attackers can make emails look original and authentic coming from a legitimate organization or Government authority or Banks. They can entice you to log on using links that seem believable. Please make sure that the emails are from trusted source before clicking those links or giving out any information. Best is not to respond to them, mark as spam and trash them. One way of checking that an email has come from a legitimate source is the domain of the email id. Professional organizations send such emails using ids that are from that organization’s domain.
- Do not open suspicious attachments: Social engineers can entice you to open attachments that can trigger malicious activities leading to compromise of information. If you are not sure what to do, contact the concerned trusted authority to check and confirm if the attachments are safe to open. You can also run anti-malware scans on the attachments.
- Do not act in haste: There may be emails or messages that forces you to respond to something quickly. It may say “Hurry up ! Last date is tomorrow for Jackpot winners to respond”. In such cases, take time to study the source of such email or messages and do not act in haste and divulge any information.
- Do not fall prey to Baiting: Baiting is a social engineering technique that exploits the curiosity of the person where the attacker leaves a piece of information deliberately to entice people who may then give out sensitive information. Classic example is USB sticks left in public deliberately to make people to connect these to their systems and open files and/or folders that have names like “Confidential files”, “Secret photos” or any other curiosity arousing names. Never fall into such traps by never picking up such USB drives found in public places.
- Beware of the Vishing calls: Social engineers make telephonic calls to trick people into giving away personally identifiable information and/or sensitive Organizational information. This is called Vishing call. When you get such calls, do not engage in a long conversation and cut the call saying that you are not authorized to disclose such information and tell the caller not to contact again.
Above article on How to prevent social engineering attacks was written by: Sudhir G K, Information Security and Management System Consultant, Inzinc Consulting India
Useful link: ISO 27001 training