What is Social Engineering, and How Can I Stop It?

Let me ask you a few questions—first, how confident are you that you could spot an online ruse, and second, did you know there’s a stain on your shirt right now?

Did you look?

If so, you’ve just fallen for the school playground version of social engineering. The real thing is a serious threat, so let’s discuss the kind that you’re more likely to see in terms of your business’ cybersecurity.

To begin, let’s analyze what social engineering really is, and why it works so well on us.

Social Engineering is Emotional Hacking

When all is said and done, that’s really what it boils down to. Instead of trying to find the right combination of 1s and 0s to bypass your cybersecurity, social engineering is the use of the right emotions and thought processes to bypass your human employees.

Let’s examine the stained shirt example I provided above. While it probably wasn’t as effective coming in through text, chances are good that you’ve also experienced the old-fashioned version where someone pointed at your shirt and flicked your nose when you looked down—more than likely, many times. Why do we keep looking?

We do so for the same reason that social engineering works—hearing that we have something on our shirt has some effect on our emotions. We fear that we’ll look silly, or sloppy, in front of people we respect and (more importantly) we want to respect us. The need to confirm that the stain is there becomes so urgent in the moment that we have to look down immediately, despite being intimately familiar with this kind of trick.

In addition to all this, this trick is usually played by someone we trust. This will be important to keep in mind later.

Of course, in a business-focused social engineering attack, the stakes won’t often involve a bit of the special sauce from the #5 value meal on your shirt. The professional kind of social engineering plays on different fears and anxieties that are more directly related to the workplace. Since this usually takes some preparation, let’s go through the steps that the person behind the attack will generally take:

How an Attacker Prepares Their Social Engineering Attack

The time an attacker spends will vary based on how sophisticated they want their attack to be, but the first step is to plan it: doing the research to figure out the most effective way to fool someone. Let’s step into their shoes for a moment and run through what this research might look like.

Let’s say we wanted to attack XYZ Widget Company. As social engineers, our first step is to collect as much data as we can on them. The Internet and its plethora of open-source intelligence (OSINT) make this easier than you might expect. For example, we could turn to the company’s LinkedIn, and discover that Jane Doe and John Q. Public both work there in customer-facing roles. A quick jaunt over to Facebook might reveal that Jane enjoys doing crossword puzzles and fantasy sports, while John is big into DIY activities, ranging from cheesemaking to quilting. From there, it’s an easy matter for us to reach out to either Jane or John using the OSINT we’ve collected and gain some of their trust. Once this trust has been established, we stand a pretty good chance of convincing them to give us more access than is warranted, or share information that they shouldn’t have shared.

Of course, we could also take the simple route and instead try our luck with fear tactics. It’s generally a safe bet that an employee doesn’t want to get in trouble in the workplace, so sending a message that claims they’ve done something wrong or need to address something right away—posing as an authoritative figure or representative—might just motivate them to take action.

If we’re really resourceful, we could utilize both. Maybe John Q. Public had a recent picture on his Facebook with a laptop in the background and the caption, “Just hanging at home on my day off.” If we can tell that the laptop has an integrated webcam, we could just as easily reach out to John Q. claiming that we have footage of him doing “certain things” as he used the laptop, threatening to release the footage to all his contacts—personal and professional—if he doesn’t provide us with the information we want.

What Your Team Needs to Do To Avoid Social Engineering

Stepping back out of the role of attacker, it should be clear how important it is that your team is able to spot the hallmarks of such attacks, like:

  • Messaging and tone that incites fear or makes a threat
  • Links that were not requested and don’t match their apparent destination when you hover over them
  • Close-but-not-quite email addresses and domain names
  • Malicious email attachments
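
Two of these hallmarks, mismatched links and close-but-not-quite domains, can also be checked automatically before a message ever reaches a person. The following is an added example, not code from the original post: the trusted domain `xyzwidget.example`, the sample message and every function name are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"xyzwidget.example"}  # assumption: domains the organisation really uses
HOST_RE = r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)"
# Constructed sample message body (not taken from any real email).
SAMPLE_HTML = ('<p>Act now or lose access: <a href="http://portal.xyzw1dget.example/login">'
               'https://portal.xyzwidget.example/login</a> <a href="https://xyzwidget.example/help">Help</a></p>')

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, max_dist=2):
    """Return the trusted domain that `host` imitates, or None."""
    labels = host.lower().rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    if any(s in TRUSTED for s in suffixes):
        return None  # the trusted domain itself, or a subdomain of it
    return next((t for s in suffixes for t in TRUSTED
                 if edit_distance(s, t) <= max_dist), None)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def mismatched_links(html):
    """(shown host, real host) for links whose text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    pairs = [(re.search(HOST_RE, text.lower()), urlparse(href).hostname or "")
             for href, text in parser.links]
    return [(m.group(1), real) for m, real in pairs
            if m and real and m.group(1) != real]
```

For a sender address, pass the part after the `@` to `lookalike_of`. A hit from either function is a reason to confirm the message through another channel, not proof of an attack.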

Furthermore, it never hurts to confirm any suspect communications through another means. For instance, if you get an email that seems to come from your boss that makes an odd request, don’t hesitate to give them a quick call or pop by their office to confirm it is legitimate. I promise, they’ll be happier that you checked—it shows you were cognizant of the threat of social engineering.

Lean On Us to Prepare Your Team to Deal With Threats!

White Mountain IT Services is here to help your team ready themselves to be the security asset they should be for your business. Find out what we offer by calling 603-889-0800.
