
3 Ways to Protect Yourself from Social Engineering

Introduction

Do you use a computer to get online and connect with friends on Instagram or post an update to Facebook in your day-to-day activities? Perhaps you use your cell phone to chat with far-flung family members? Does your company advertise using social media? Do you use email to communicate with anyone?

If you answered ‘Yes’ to any of the above, you use social media and social networking. These aren’t the only social media interactions, but they are the most commonly used. Even a blog post like this one is a social media interaction.

Because you use social media, you are also very likely to have been targeted with a social engineering attack at some point in the past, and you are almost guaranteed to be targeted again in the future. Protecting yourself from these attacks is not always easy, but the harder you make it for an attack to succeed, the better.

What is Social Engineering?

Social engineering is defined as “…the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.” (Fruhlinger) Essentially, social engineering uses a person’s innate level of trust to gain information that may harm them or an entity connected to them. Examples of social engineering are varied. It can be gathering information about a person from their Facebook account and posts to make it easier to guess their access password and username. Shoulder surfing, looking over someone’s shoulder while they are working to see what sites they use or to obtain sensitive information, is a form of social engineering. Social engineering can even be putting a USB drive with malware on it in a location where it is likely to be picked up and inserted into a work computer (allowing the malware to bypass external controls to access the organizational network).

What types of information do social engineers want?

Depending on the goals of the social engineer, just about any information can be of value: your name, address, the company you work for, work location, passwords, family members’ names, birth dates, social security numbers, credit information, pet names, and more. Why is this information valuable?

Well, let’s look at some of the reasons.

Credit and social security information can be used to gain access to bank accounts or your social security benefits, create loan applications, or rent a vehicle.

Where you work may be of interest to foreign state actors looking to gather intelligence about our government and what it is planning, or to gain access to a corporate network to steal information on a new product or on a company’s customers.

Family members’ names and birthdates and pets’ names are sometimes used to create social accounts or passwords. These can be used to gain further information about you or your family or even to steal money from you if someone pretends to be a relative to fool you into sending them a loan or money to “get out of jail.”

A parent may post their child’s name, or a photo of their child, to a social network without removing the metadata included in the image (information that is hidden from view but sometimes still accessible). This information can include where the photo was taken, which could end badly for your child.
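As an added illustration (not part of the original post), the Python sketch below checks a JPEG for an embedded GPS record and removes the metadata segments before the photo is shared. The function names and the sample bytes are made up for this example; the sample is only structurally a JPEG, not a viewable picture.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, payload, raw_bytes) for each header segment of a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: the compressed picture follows
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        yield marker, data[pos + 4:pos + 2 + length], data[pos:pos + 2 + length]
        pos += 2 + length
    yield None, b"", data[pos:]  # picture data, copied through untouched

def has_gps(exif_payload):
    """True if the EXIF block's first directory points at a GPS directory."""
    tiff = exif_payload[6:]  # skip the b"Exif\0\0" prefix
    order = "<" if tiff[:2] == b"II" else ">"
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (count,) = struct.unpack_from(order + "H", tiff, ifd)
    tags = {struct.unpack_from(order + "H", tiff, ifd + 2 + 12 * i)[0]
            for i in range(count)}
    return 0x8825 in tags  # 0x8825 is the EXIF "GPS info" pointer tag

def strip_metadata(data):
    """Return (clean_bytes, had_gps) with every APP1 (EXIF/XMP) segment removed."""
    out, had_gps = [b"\xff\xd8"], False
    for marker, payload, raw in jpeg_segments(data):
        if marker == 0xE1:
            had_gps |= payload.startswith(b"Exif\0\0") and has_gps(payload)
            continue  # drop the metadata segment
        out.append(raw)
    return b"".join(out), had_gps

# Constructed sample: JFIF header, EXIF block with a GPS pointer, fake pixels.
TIFF = (b"II*\x00" + struct.pack("<IH", 8, 1)
        + struct.pack("<HHII", 0x8825, 4, 1, 26) + struct.pack("<IHI", 0, 0, 0))
EXIF = b"Exif\0\0" + TIFF
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0"
               + bytes(9) + b"\xff\xe1" + struct.pack(">H", len(EXIF) + 2) + EXIF
               + b"\xff\xda\x00\x02pixels\xff\xd9")
```
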

How can you identify when social engineering is being used on you?

When you are using social media on social networks, how can you tell if someone is gathering your data, possibly for nefarious purposes? You would be hard-pressed to discover how a lot of this information gathering happens. Anything you have already posted on any site could potentially be compromising, but you may not even realize it. Reposts of your content can also stay online, even if you delete the original post.

Let’s talk about some clues for social engineering.

If someone asks you to answer questions about your family, friends, pets, previous or present addresses, et cetera, you are most likely being targeted. These tidbits of information might allow someone else to guess your answers to those nifty security questions you detail when signing up for that social account. Name of best friend in elementary school? Color of your first car? Think about the reason someone might be asking these things.

Posting a response on a site you reached by clicking on a link in your feed can also be a problem. Have you ever posted an answer only to have someone ‘introduce’ themselves to you wanting to ‘get to know you better?’ Your original post can allow this person to access your feed, even with some pretty strict security settings. If you respond to the person and that person begins asking you for personal information, they have started gathering information. 

Email is a form of social networking, so phishing is also a social engineering attack. If you receive an email that you didn’t request from someone or that looks a bit off, you are likely a target of this form of social engineering. Look for obvious indicators such as misspellings, bad grammar, or weird link addresses within the communication. It might look like an authentic and valid email, but beware! If you have an account with the company or know the purported sender, but are still unsure, reach out to them directly via a separate email or even a phone call. Do NOT use the information or links provided in the communication!

All in all, if you aren’t sure, don’t give information out without a great deal of forethought. Minimizing what you allow others to see on your accounts will only make it harder for those bad actors to take advantage of you.

So how do I protect myself or my organization?

Start by realizing that most social engineering attacks are looking for the ‘low hanging fruit,’ so to speak. A hacker or bad actor will use information gathered from the most accessible sources first, simply because to do otherwise is time-consuming and more dangerous for them. The person who posts anything and everything will be their first target, compared to the person who takes the time to consider what they are disseminating across the ether. By being aware, you are making yourself a less profitable target.

Your organization likely has some pretty robust security online but may allow workers some leeway in their break time activities. If your company permits you to access social media during breaks, is it really a good idea to do so? 

Your company should provide a secure and clean workspace, but you must also be aware of things like leaving documents out on your desk that might be sensitive or not locking your system down before leaving your work area for a break. The lock feature can be a lifesaver! When you no longer need sensitive material, use the appropriate disposal method, such as sensitive media collection containers or shredders.

Northstarr Recommendations:

Our business revolves around helping you to protect your business from the threats inherent in how we do business today. We can look at your business processes, your IT protection efforts, and the training you use to instruct your employees, to help you better protect your interests and investments. With a comprehensive security plan and strong implementation, you can make it harder for a potential attacker to profit from the time and money you have invested.