Social Engineering and IT Security

Written by Brendan Roberts - MSP Operations Manager

Published Wednesday, October 28, 2020.

You don’t need a degree in engineering to socially engineer! BEWARE!


Social engineering is a standard tool in the back pocket of the devious online opportunist. In general, social engineering can be defined as manipulating people and tricking them into supplying confidential information. These attacks can take many forms and target different types of information, such as user account credentials, banking details, computer access, and more. Ultimately, this information is sensitive and protecting it is critical to maintaining business continuity. As such, it is a good idea to ensure that you and others in your workplace are aware of the impact of this style of attack and how it is commonly carried out.

Examples of significant attacks

To better understand just how important it is to protect yourself from social engineering, let's have a look at some significant attacks that targeted multinational organizations and led to significant ongoing problems.

  1. Shark Tank Judge Blunder: In 2020, an attacker impersonated the assistant of US Shark Tank judge Barbara Corcoran, sending an email to an internal accountant requesting that a real-estate bill be renewed for the year. The criminal got away with $400,000 USD.

  2. Democracy Manifest: In 2016, fraudsters leaked confidential Democratic Party emails by emailing users, inviting them to change their password because of supposed suspicious activity, and thereby gaining access to their accounts. The resulting leak likely swayed Hillary Clinton’s campaign against Donald Trump.

  3. Un-security: In 2011, security company RSA had an Excel file titled ‘Recruitment Plan’ circulate on its network. Upon opening the file, a malicious script ran, opening a back door into its systems and costing the company $66 million to date!

What does Social Engineering look like?

Now that we understand just how detrimental a social engineering attack can be to a business, how do we identify one? Typically, these attacks propagate via email. These emails often disguise themselves as coming from a trusted source: requesting information like passwords, asking for help or charity, notifying you that you have won some fake prize, containing dubious URL links to third-party sites, or carrying malicious attachments. You may even find that a friend or colleague’s email account has been compromised and is being used to deliver such payloads. Generally, these attacks are referred to as phishing attacks.

Social engineering attacks can also occur over the phone, so beware! An unknown party will begin by engaging you in a phone call or message chain, masquerading as an authoritative party. As the conversation continues, these criminals will seek to request information or even money from you, leading to a security breach.

So how can you protect yourself?

There are a wide range of things you can do to ensure you do not become the victim of these attacks.

  • Look carefully at suspicious-looking emails, investigate and confirm their sources, and be wary of any links leading to other websites or any attachments.

  • If you receive a phone call, seek information to confirm whether the caller is trusted or bogus by asking for proof of authority. Always be sceptical.

  • Slow down and think before handing over information. Often these attacks are designed to put you under pressure and acquire information from you fast; take time and think over the facts.

  • Set your email spam filters to high and implement stringent filtering rules.

  • Equip your devices with antivirus software and firewalls, and ensure they’re kept updated.
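The first, fourth and fifth tips above (check the source, be wary of links, and tighten filtering rules) can be turned into concrete checks on an email's headers and body. The script below is an added example written for this article; it is not Lumity's code or any product's filtering logic. It assumes a trusted-domain list, an urgency word list, a lookalike similarity threshold and two constructed sample messages, all chosen here for illustration. It flags a sender domain that closely resembles a trusted one, a Reply-To pointing at a different domain, SPF/DKIM/DMARC failures recorded by the receiving mail server, pressure words in the subject, and links whose visible text names one host while the href points to another.

```python
"""Heuristic phishing-indicator check over a raw email (added example, not
Lumity's code). Trusted domains, word list, threshold and both sample
messages are constructed assumptions for illustration."""
import difflib
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumed: the organisation's own domain
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "password"}
LOOKALIKE_RATIO = 0.9               # assumed similarity threshold for typo-squat domains

# Constructed sample: lookalike sender, foreign Reply-To, failed SPF/DMARC,
# pressure in the subject and a link whose text hides its real target.
SUSPICIOUS_MESSAGE = b"""From: "IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.net
To: staff@example.com
Subject: URGENT: verify your password today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be suspended. Please
<a href="http://login.mail-recovery.net/reset">https://portal.example.com/reset</a>
immediately.</p></body></html>
"""

# Constructed sample of an ordinary internal notice that must not be flagged.
CLEAN_MESSAGE = b"""From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: October payslips are available
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Payslips for October are now in the HR portal.
"""


def _domain(addr):
    # Lower-cased domain part of an address, or '' when there is none.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg["From"].addresses[0].addr_spec) if msg["From"] else ""

    # 1. Sender domain that is a near miss of a trusted one (examp1e.com vs example.com).
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if difflib.SequenceMatcher(None, from_domain, trusted).ratio() >= LOOKALIKE_RATIO:
                findings.append(f"lookalike sender domain {from_domain} resembles {trusted}")

    # 2. Replies silently routed to a domain other than the visible sender's.
    if msg["Reply-To"]:
        reply_domain = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain and reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")

    # 3. SPF/DKIM/DMARC failures recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail)", auth, re.I):
        findings.append(f"{mech.lower()} result is {result.lower()}")

    # 4. Pressure language in the subject, the 'act now' lever the article warns about.
    hits = sorted(set(re.findall(r"[a-z]+", str(msg.get("Subject", "")).lower())) & URGENCY_WORDS)
    if hits:
        findings.append("urgency words in subject: " + ", ".join(hits))

    # 5. Links whose visible text names one host while the href points elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = urlparse(text).hostname, urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    print("suspicious:", phishing_indicators(SUSPICIOUS_MESSAGE))
    print("clean:", phishing_indicators(CLEAN_MESSAGE))
```

Run against the suspicious sample it reports six findings; the clean payroll notice produces none. Each check is a heuristic, not proof: a legitimate message can have a Reply-To on another domain, and a phishing email can pass SPF if the attacker controls the lookalike domain, which is why the article's advice to confirm the source out of band still applies when the script stays quiet.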

Want to improve your IT security? Suffering from a social engineering attack? We can help. Give Lumity a call on 1300 586 489.