How to steer clear of social engineering scams

By : Krishna Anindyo | Tuesday, February 18 2020 - 21:06 IWST

Technology can do lots of things better than humans can. Playing chess, working a factory floor and, soon, supposedly, driving our cars and trucks are just the start of a very long list. But technology, at least so far, can’t trump the human when it comes to protection against cyber attacks.

Bad guys know it - they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over - in their favour.

Which is why social engineering is rampant. All you have to do to understand why is watch some videos of the Capture the Flag contest in the Social Engineering Village at DEF CON in Las Vegas every August. The relative ease with which contestants get people to hand over sensitive, proprietary information to callers they’ve never met and don’t know can be funny, but also frightening.

That’s because it doesn’t happen only in contests. It keeps happening in the real world, even though the damage is always painful and sometimes catastrophic.

Phishing
The most common type of social engineering attack is phishing: an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.

Three high-profile ransomware attacks against three cities in Florida this past summer were all enabled by an employee responding to a phishing email.

The 2019 Verizon Data Breach Incident Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year. Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.

That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it,

“Phishing is the easiest because it has the lowest cost and the potential is huge.”

An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.

Vishing, smishing, and gaming, oh my!
But phishing is not the only type of social engineering attack. There’s vishing, or phishing by phone - which is what the contestants at DEF CON do. There’s smishing, in which an attacker tries to get a victim to give up private information via a text or SMS message.

Can social engineering training prevent attacks?
All this raises the obvious question: What are the best ways to help people spot, resist, and report those attacks?

Well, it ain’t easy. If it were, the problem would have been solved long ago. Many very well-crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.

The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”

“The only thing that seems to make a difference is constant training - and even then attackers eventually find a weak link,” he said.

Chris Clark, business development manager, senior staff, at Synopsys, said some examples of technology help include “security capabilities capable of catching these attacks - smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”
