How to steer clear of social engineering scams

By : Krishna Anindyo | Tuesday, February 18 2020 - 21:06 IWST

From video games to government (Images by Pinterest-avante.biz)

INDUSTRY.co.id - Technology can do lots of things better than humans can - playing chess, working a factory floor and soon supposedly driving our cars and trucks is just the start of a very long list. But technology, at least so far, can’t trump the human when it comes to protection against cyber attacks.

Bad guys know it - they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over - in their favour.

Which is why social engineering is rampant. All you have to do to understand why is watch some videos of the Capture the Flag contest in the Social Engineering Village at DEF CON in Las Vegas every August. The relative ease with which contestants get people to hand over sensitive, proprietary information to callers they’ve never met and don’t know can be funny, but also frightening.

That’s because it doesn’t happen only in contests. It keeps happening in the real world, even though the damage is always painful and sometimes catastrophic.

Phishing
The most common type of social engineering attack is phishing - an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.

Three high-profile ransomware attacks against three cities in Florida this past summer were all enabled by an employee responding to a phishing email.

The 2019 Verizon Data Breach Incident Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year. Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.

That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it,

“Phishing is the easiest because it has the lowest cost and the potential is huge.”

An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.

Vishing, smishing, and gaming, oh my!
But phishing is not the only type of social engineering attack. There’s vishing, or phishing by phone - which is what the contestants at DEF CON do. There’s smishing, in which an attacker tries to get a victim to give up private information via a text or SMS message.

Can social engineering training prevent attacks?
All this raises the obvious question: What are the best ways to help people spot, resist, and report those attacks?

Well, it ain’t easy. If it were, the problem would have been solved long ago. Many very well crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.

The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”

“The only thing that seems to make a difference is constant training - and even then attackers eventually find a weak link,” he said.

Chris Clark, business development manager, senior staff, at Synopsys, said some examples of technology that can help include

“security capabilities capable of catching these attacks - smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”

 
