Top Social Engineering Tricks and How to Avoid Them
News | 27 Jan 2014
Organizations and consumers alike need to be vigilant in protecting themselves against security threats, and it’s important to know what to look for. Social engineers are trained to deceive people into giving away access to confidential information, and they are being increasingly employed by organizations to uncover security vulnerabilities, which may come from unlikely sources. Peter Fellini, trained social engineer with Zensar Technologies, shares the top social engineering tricks and how to avoid them.
Phony phone calls: Social engineers may approach an employee using unsolicited phone calls representing a person or a group that they may or may not know. One of the best ways to discourage these phone calls is to take down the phone number and offer to call them right back. A Google search on the phone number can verify whether it is valid and ensure that the phone number is not being “spoofed.”
Browser information: Social engineers can do a lot of damage with what may seem like harmless information, such as the type of browser or PDF viewer being used. These two pieces of information can allow a skilled penetration tester to create and craft a targeted attack on this person. This could be a browser exploit or a specially crafted PDF that, when opened, executes malicious code.
Phishing: Phishing schemes have evolved from the common “Nigerian Prince” scams to more sophisticated schemes that are much more difficult to identify. Phishing schemes today can look very believable, coming from a credit card company, car dealership, insurance company or even the organization’s human resource department. In order to avoid these schemes, it is important to look closely at the URL and, if it looks like something has been modified or appended at the end of the URL, not to click on the link. If the target had already provided the social engineer with their browser information, the social engineer could then execute a specifically crafted browser exploit, which could grant full access to the target’s computer.
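The advice above is to look at the URL and notice when something has been appended to it. The following is an added example, not part of the original article, that shows in code what that inspection amounts to: the part of the hostname that actually decides where a link goes is its last labels (the registrable domain), so a familiar name appearing earlier in the host, or in the path, proves nothing. The domain examplebank.com and all sample links are constructed for illustration; the registrable-domain logic is deliberately simplified (no public-suffix list, so country-code second-level domains such as .co.uk are not handled).

```python
from urllib.parse import urlparse

# Constructed sample: the domain the user believes the link points to (hypothetical).
EXPECTED_DOMAIN = "examplebank.com"


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: a real implementation would consult the Public Suffix List so
    that hosts under e.g. '.co.uk' are handled; two labels are enough to show the idea.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Classify a link relative to the domain the user expects to be visiting.

    Returns a dict with the parsed host, its registrable domain, a boolean 'ok'
    (True only when the registrable domain is exactly the expected one) and a
    human-readable verdict explaining why.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return {"host": host, "registrable_domain": "", "ok": False,
                "verdict": "no hostname could be parsed from the link"}

    reg = registrable_domain(host)
    expected = expected_domain.lower()

    if reg == expected:
        verdict = "registrable domain matches the expected domain"
        ok = True
    elif expected in host:
        # The familiar name is present, but labels were appended after it, so the
        # link really resolves under a different domain.
        verdict = f"lookalike host: '{expected}' appears, but the real domain is '{reg}'"
        ok = False
    elif expected in parsed.path:
        verdict = f"brand name only appears in the path; the real domain is '{reg}'"
        ok = False
    else:
        verdict = f"different domain entirely: '{reg}'"
        ok = False

    return {"host": host, "registrable_domain": reg, "ok": ok, "verdict": verdict}


# Constructed sample links, from the legitimate form to the kind of modified URL
# the article warns about.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "https://secure.examplebank.com/account",
    "https://www.examplebank.com.account-verify.example/login",
    "https://cdn.example/examplebank.com/login",
    "https://unrelated.example/",
]


def review_links(urls=SAMPLE_LINKS):
    """Run check_link over a list of URLs and return the list of results."""
    return [check_link(u) for u in urls]


if __name__ == "__main__":
    for result in review_links():
        flag = "OK  " if result["ok"] else "WARN"
        print(f"{flag} {result['host']:<50} {result['verdict']}")
```

Running the script prints one line per sample link: the two genuine examplebank.com hosts pass, while the host with extra labels appended, the link that only carries the name in its path, and the unrelated domain are all flagged with the reason. The point of the design is that the verdict is driven solely by the trailing labels of the hostname, which is exactly the part of a long URL that a hurried reader tends to skip.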
How to protect yourself: It is important to be suspicious about what questions are being asked and to think about the information that a social engineer might attempt to obtain. For example, why would a salesman or a customer need to know a browser type or PDF viewer? Additionally, attachments should always be run through a virus scanner before being opened. Social engineers are skilled at coercing information out of people and exploiting vulnerabilities. By stopping to think before any information is shared (even information that does not initially seem sensitive), and by remaining vigilant, it is possible to identify social engineers and avoid opening the organization up to security threats.