What are the Signs of a Social Engineering Attack and How Can you Prevent Them?
Social engineering is the most significant risk in the cyber threat landscape today. Over 98% of cyber attacks rely on social engineering target staff as the primary attack vector, but many of you already know that.
What are the signs of a social engineering attack? If an unknown person has got in touch via phone, email, or other internet-based connection, these are the signs that they may be part of a social engineering attack:
- They ask for your private information or for you to do a task
- They pressure you to respond quickly and not tell anyone else
- They use fake contact information or are impersonating someone
How can you prevent a social engineering attack? Social engineering attacks can be prevented by making sure your staff are trained in security awareness. This includes knowing the attack signs to spot, rejecting requests for offers for help from unknown people, setting spam filters across platforms, keeping passwords private, and maintaining anti-virus software.
Read on to find out more about the signs of a social engineering attack and how they can be prevented.
What are the Signs of a Social Engineering Attack?
“Social engineering” can refer to various activities which threat actors use to trick end-users into providing sensitive information like login credentials. Social engineering has been around forever and has proven to be one of the easiest ways for Threat Actors to access our systems. Read about the classic types of social attacks in our blog post, or, read about the ways that you can tell when someone is trying to access your business systems:
1. The Feeling of Urgency
The communication will make you feel like you must act now or else. For example, an email could be saying, “give us your details, and you get a £500 voucher card.” If a message heightens an emotion making you rush to respond, it may be a social engineering attack.
Quick Tip: To protect against this, wait 90 seconds before responding to anything and then go over the message again, to see if it still seems legitimate.
2. Intrusive Questions
The questions asked by an attacker can sometimes be a dead giveaway that it’s a social engineering attack. This can be either through the number of questions asked or the type of questions. For example, a ‘salesperson’ you don’t know might ask questions about where data is stored and what security you have. In that case, they could be a malicious attacker posing as a salesman. Also, if the questions are about your password or ‘memorable answers’ — this is a red flag that you are being targeted.
Quick Tip: A control to protect against this is always a question IF someone should be given the answer to their question.
3. Vague When Identifying Themselves
A clear sign is an absence of specific and reliable information on who makes the request. If they give their name and business, but the evidence cannot be verified immediately, this could be a sign of a social engineering attack.
Quick Tip: When “Jack the IT guy” calls, make sure you can verify the details given to you and confirm their identity. This can partly be done with the next section.
4. Bogus Contact Details
If someone provides details that cannot be contacted or do not exist, this is a sign that someone is trying to social engineer you. An example is if Jake calls from a ‘personal number’ and insists not to use the official number for their department because the system is “down”. This could be an attacker covering up their real intentions to look legitimate, meaning if you call the number, someone else will likely be on the receiving end.
Quick Tip: To check this, insist on calling them back on the official contact details available online (or within your business).
5. Incorrect Personal Details
Incorrect personal details are most prominent in emails but have also been used in other forms of communication such as phone calls. An attacker will send a message which looks personally addressed to the target, but the information about you is incorrect.
Quick Tip: So, if you receive a message like “Hey Jen23, I am a friend of Jake in IT” be sceptical. Social engineers use information about their targets to make them feel a connection so that they are more willing to respond.
How Can You Prevent Social Engineering Attacks?
Manipulating human beings for access works, and believe it or not, all attacks are based on just four simple principles: Trust, Authority, Intimidation and Scarcity. Given the prevalence of this risk and its potential impact on your businesses, it is critical to train your staff to spot a potential social engineering attack, and it’s easier than you think.
How Should You Train Staff to Spot Social Engineering Attacks?
To begin with, all social engineering attacks share a common mechanism: an exchange of information. Any form of communication (written or verbal) in which the exchange of information requested may potentially be a social engineering attack. You might ask, can this be any form of communication? Yes, such as filling out a form on a website or on a phone, logging into an application, and taking a survey.
Getting staff to understand that they must be vigilant when requested to provide information is the key to your cyber security awareness training on social engineering. From there, you should train them to look for the following five flags typically associated with a social engineering attack – the feeling of urgency, intrusive questions, vague identification, bogus contact details, and incorrect personal details.
eRiskology™ Staff Security Training Course
If you need assistance in employee security awareness training, try our eRiskology™ course, which helps to instil an information security awareness culture within your business. eRiskology takes your employees through 4 harmonised learning paths: face-to-face workshops, computer based training programmes, engaging real-world content, and measurement through social engineering testing. To ensure your staff retains important information during training, read our top methods that we outlined in a recent blog post.
Social Engineering Testing with Risk Crew
Simulated exercises or attacks can be implemented in conjunction with staff awareness training to measure awareness. Risk Crew’s CREST accredited testing engineers are experts at social engineering testing. The service results in a detailed report that:
- Benchmarks the security awareness level of your staff
- Identifies weaknesses in operational and business processes that could be exploited for unauthorised access
- Spotlights vulnerabilities you may have overlooked within your people, process and policies
- Gives invaluable insight into the genuine level of security your information security risk management programme provides