Most people think they can spot an online scam a mile away. This may be true, but all it takes is for your guard to be down on some sleepy Friday afternoon and you accidentally click a link you shouldn’t have. The reason there are so many scams out there is that every single day people fall for social engineering attacks designed to steal information or install malware on their devices. Even I nearly fell for an attack last year. Once the attacker has your information, they have the potential to do thousands of dollars of damage to you or your company.
Types of Social Engineering Attacks
Phishing – Scammers send out fraudulent emails, trying to get your personal details, financial information, or login credentials. A related type of phishing known as vishing (voice phishing) gets you to call a phone number that mimics the automated phone system of a company.
Baiting – Emails, online articles or ads can entice you to click fraudulent links. These links could offer a free download or service of some type. At this point, some types of viruses may be installed on your computer or phone. This kind of attack has even happened with free USB drives given as gifts. Once the USB is plugged in, a keylogger is installed, giving attackers employees’ login info.
Pretexting – Attackers will create a plausible story of some kind to steal your information. They may ask for sensitive info to “verify your identity.” The attacker may even impersonate one of your co-workers.
Piggybacking – In this type of attack, a cybercriminal physically enters your office building. If there is a lock or keypad, they may ask an entering employee to hold the door open. They could be impersonating an employee, a delivery driver, or even a maintenance service. They then use their access to steal paper documents or data from an employee’s computer.
Steps to Take to Avoid Social Engineering Attacks
Be suspicious. If someone is asking for personal info, passwords, or financial info, red flags should go up in your mind. If the email you receive looks slightly “off” from official emails, has misspellings, seems unnecessarily urgent, or is from an odd email address, you should verify the authenticity of the email. Using your mouse, you can hover over links in your email to see the actual URL the link will direct you to. If you’re unsure, get a second opinion from a co-worker.
Have a strong email firewall. This should ensure most scam emails will get filtered out before they get to your inbox.
Warn others. If a scam email gets through to your inbox you should email others warning them not to open it or click the links. It may seem like an obvious scam, but if your company has lots of employees who received the same scam, there’s a possibility one of them will fall for it.
Install protective software. Make sure your computer has a firewall, antivirus software, and possibly browser plugins to protect you online. I like to use browser adblocking plugins and the plugin Ghostery, which stops web applications and plugins from functioning. These plugins have the potential to cause the website you’re visiting to display incorrectly or make it unusable, so you should whitelist trusted sites.
Have strong security in your office. Besides typical physical security such as cameras or door locks, set up company computers to automatically lock if they are idle for more than 5 minutes (or even less). Also, don’t leave sensitive data just sitting on your desk.
Use strong and unique passwords. If you create an account for a website, be sure not to use the same password as on other websites (especially your email password), because a shady website may use this information to gain access to your other accounts. In addition to a password, some websites offer 2FA (two-factor authentication), where you are required to receive a code via email, text, or a dedicated 2FA app. There are various password managers that can help you keep track of all of these unique passwords. Also, periodically change important passwords in case one has been compromised.
Back up your data. Have a backup of your computer’s data available. If your computer gets a virus, you can just roll back your PC to a previous state. If there’s data on your computer that you absolutely can’t lose, keep a backup somewhere secure, such as an external hard drive stored safely, a trusted cloud storage service, or a protected drive on your company’s server.
I’m a millennial who grew up using computers and, as I mentioned earlier, I almost fell for an online social engineering scam last year. I received a legitimate-looking email that took me to a website that was identical to the official website. I began typing in my information, but I noticed the URL seemed a bit odd. This scam website made use of punycode URLs that are encoded to imitate the official URL. So instead of “ryanair,” a punycode URL would show ryanaır. Or instead of “rolex,” the URL could show rolẹx or rołex. It may be easy enough to spot the differences when you read them here, but if you’re not even looking at the web address box, you may not notice something is wrong.
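As an added example (not code from the original post), here is a small Python check of the kind a mail filter or link-hover tool could run on a URL before you click it: it decodes any punycode (xn--) labels back to Unicode, flags non-ASCII characters in the hostname, and compares a simplified "skeleton" of the registrable label against a list of protected brand names. The brand list and the tiny confusables map are assumptions built around the post's own examples; the full look-alike table is Unicode UTS #39 confusables.txt.

```python
"""Flag IDN / homoglyph look-alike hostnames such as ryanaır, rolẹx and rołex."""
import unicodedata
from urllib.parse import urlsplit

# Brands to protect (assumed list; the post's two examples).
PROTECTED_BRANDS = {"ryanair", "rolex"}

# Minimal confusables map covering the post's examples. Letters with accents
# (rolẹx) are handled by NFKD decomposition below; these two have no
# decomposition, so they need an explicit mapping. UTS #39 has the full table.
CONFUSABLES = {"ı": "i", "ł": "l"}


def hostname(url: str) -> str:
    """Return the lowercase hostname with any xn-- (punycode) labels decoded."""
    host = urlsplit(url).hostname or ""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            # Punycode is the ASCII wire form of an internationalised label.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label.lower())
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Strip combining marks and map known look-alike letters to ASCII."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def check_url(url: str) -> dict:
    """Report non-ASCII characters and brand look-alikes in a URL's hostname."""
    host = hostname(url)
    labels = host.split(".")
    # Assume a one-label public suffix (".com"), so the registrable label is
    # the second from the right.
    core = labels[-2] if len(labels) >= 2 else labels[0]
    non_ascii = [ch for ch in host if ord(ch) > 127]
    lookalike = None
    if core != skeleton(core) and skeleton(core) in PROTECTED_BRANDS:
        lookalike = skeleton(core)
    return {"host": host, "non_ascii": non_ascii, "lookalike_of": lookalike,
            "suspicious": bool(non_ascii) or lookalike is not None}


if __name__ == "__main__":
    # Constructed sample URLs mirroring the post's examples; not real indicators.
    for sample in ("https://www.ryanair.com/en/booking", "https://www.ryanaır.com/login",
                   "https://rolẹx.com", "https://rołex.com"):
        print(check_url(sample))
```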
As long as people continue to fall for them, social engineering attacks are here to stay and will continue to evolve and become more sophisticated and sneaky. No one is 100% safe from social engineering and other types of cyber attacks, but with knowledge and vigilance you can do your best to keep you and your company safe.
Luke Westberg is the Director of Digital Marketing at A and H. He started in April of 2019 and has been working in the online marketing field since 2008.