How social engineering can be a security issue

Strong passwords, two-factor authentications, using different accounts: the basics of IT security might sound familiar to you. We have also been writing articles on the issues, but we have jet not covered a very important risk in IT security, namely social engineering. Let’s look into it, and discuss how we can fight it to protect ourselves.

What is social engineering?

Social engineering covers the techniques of getting around IT systems by not breaking through them but exploiting their human-factor vulnerabilities. Instead of cracking passwords, exploiting weaknesses of the networks or breaking through firewalls, hackers convince employees to hand over their ID and passwords for the system and let them in.

Social engineering is an essential form of hacking: it works around existing systems to get the desired result. It might be used for innocent fun, but it can be used to steal important data, identities, and violate people’s privacy. The scary part is that social engineering is relatively easy, given a little research into your target.

Social engineering methods

One of the most common forms of social engineering is to convince the target to give out personal information. However, it is not the only possible way to do it. In most cases, the target does not know they are being attacked until it is too late. “Friends” sending links to check out, as they are extremely funny are just the surface of what depths social engineering can be.

Others might bait you by sending answers to a request you never sent them initially, or sending you a clickbait of some great new movie to download. It is also common that hackers try to contact you just to get a small portion of your personal information in order to “check” something regarding one of your accounts. Armed with the knowledge it is just a matter of time to get into personal accounts.

Tailgating, or piggybacking is another social engineering attack type. This involves someone who lacks proper authentication, following an employee into a restricted area. A person might impersonate a delivery driver who waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access from someone who is authorized to enter the company.

Quid pro quo attacks are also common in companies. These involve fraudsters who impersonate IT service people and who call as many company related telephone numbers as they can. These attackers offer IT assistance to each and every one of their victims. They offer a quick fix in exchange for the employee disabling their antivirus program, and they install their own malware on the computers.

How to protect yourself

First of all, strengthen the cores: strong passwords, 2-factor authentications, using different accounts for different purposes. Diversify passwords, and never use the same password twice. Obviously, never give out confidential information. Avoid befriending anyone you do not know on social media sites like Facebook. Always double check if someone states they are calling from your local bank for checking in, and rather just avoid them and handle your matters in person, or through their encrypted online systems.

Never trust sites that are not using proper encryption. We have written about this in one of our previous articles, but the main point is to use sites that have HTTPS protocol included in them, as otherwise, hackers are able to see your activity.

Beware of open WIFI networks as well, as there are major threats regarding identity thefts and spying on your activity. Safeguard even the inconsequential information about yourself.

Beware of using security questions, as they usually easy to defeat. Users will want to pick questions that are easy to remember answers to, but that usually means they pick the questions easiest for an intruder to find out, like "Where were you born?" or "What city did you go to high school in?". Lie if you must, and remember them.

Check your accounts and account activity. There's nothing wrong with checking your Google Dashboard to see what's connected to your account every once in a while. Do this with all the sensitive accounts: cloud storage services, social networks, and email providers.

With companies, proper education is the key to avoid these attacks. Always keep an eye out for possible ways of social engineering. Its popularity is rising among even untrained and unsophisticated hackers, as it is easy to do, and one can get a ton of information at.

You might also be interested in: 

• How e-mail hacking works?

• How bad is it to use open WIFI networks?

• How cell phone hacking can affect you?