Cybercriminals manipulate emotions and social intelligence to exploit internet users. How do you defend against that?
They befriend you before they exploit you. Social engineering is a kind of cyber attack that many people do not see coming. Even those who are competent when it comes to technology cannot always foresee these unsuspecting pitfalls. These kind of attacks are quite different from the malware and bugs used to exploit computer systems. The art of social engineering focuses on taking advantage of the weaknesses of being human. Dealing with such trickery is no easy task.
In order to successfully defend against social engineering, it is important to look at the statistics. According to a survey by Social-Engineer.com, 90% of all email is either spam or littered with malicious software. That is an immense number considering how much email is sent on a yearly, or even on a daily, basis. The survey claims that 294 billion emails are sent daily, with 107 trillion being sent every year. Many of these emails are the innocent-looking phishing emails targeting billions of internet users on a frequent basis. With such mass distribution, cybercriminals can still expect lucrative results, even if only a few thousand click on the links or open the attachments included in the messages.
The same survey also found that the average age of the those victimised by impersonations on the web to be just over 40 years old. This is almost expected. Typically, older internet users, who may not always be as used to technology as that of the younger generation, can often be particularly susceptible to the schemes utilised by social engineers. However, this does not mean minors are exempt; equally younger users, with their general naivety and curiosity, can also fall for the traps.
For cybercriminals, the attacking surface is very broad. This is for the most part, down to inexperienced, careless or gullible individuals of whom make it very easy for hackers to infiltrate systems, steal and manipulate sensitive data and commit other malicious acts. All it takes is one employee to click on an infected link, or one public sector worker to give away precious confidential to a fraudulent website. Therefore, it is critical that businesses, governments and anyone who is online to take the actions necessary to implement a universally robust approach to security. Unlike malware, using anti-virus programs or firewalls, or even updating operating systems to the latest versions, cannot be relied on to completely defend against cybercriminals manipulating emotions and social intelligence to get what they want. Other steps need to be taken if the damaging consequences of phishing, baiting or other means are to be avoided.
One of those steps may include more stringent procedures and protocols for employees to use and follow. For example, if an employee receives an email containing numerous links or attachments, the first action should perhaps not be to click or open them. Clarifying that the sender did intend to send that email and that the attachments and links included are legitimate can prevent the majority of security breaches via social engineering schemes. Using a separate line of communication, confirming that the email and its contents are safe may be a tedious but necessary precaution. Also, checking the address of the sender could also be telling, as this can also be an indication of whether the email is harmless or harmful. Such strict and exacting processes may not seem ideal initially, but in the long run, it has the potential to help businesses avoid huge losses. Training and educating employees about social engineering hacks and the potential dangers on the internet will be critical for businesses to survive in with the existence of a pernicious cyber environment.
For individual internet users, having a disciplined approach to using the internet and using technology, in general, can make a difference. Being careful about submitting confidential information, whether that be over the phone, online or in person. It's critical to confirm the identity of the person asking for specific information, and in addition being aware of the proper procedures used for such tasks. IT departments and financial institutions, for example, will almost never ask to give passwords or other confidential information over the phone or even by email. This helps to make the trickery of social engineering easier to spot earlier on.
Overall, internet users of all types should embrace a security-aware culture. In particular, those who engage with the inline world and technology on a frequent basis need to be extra careful about what information they submit and equally what websites they visit and links they click on. Everything they come across should be assessed closely and cautiously. Only when there is absolute assurance that the content being accessed is genuine and safe can one pursue with their internet activities. It may not be particularly convenient to have to take such precautions whenever using the technologies, especially when people have for so long been used to using them without great consideration of their safety or security, but they are necessary. Nothing online can be taken for granted anymore. Education and communications are perhaps the best ways to avoid social engineering attacks. Despite all that could be done, however, humans are perfectly prone to make misjudgements, and thus, by taking advantage of such realities, exploiting this weakness will always be difficult to defend against.