16 Best Practices to Prevent Social Engineering Attacks

This article provides actionable steps you can take to protect yourself and prevent social engineering attacks, primarily in the context of IT. It addresses your risk from email, social media, and online financial transactions, and explains why and how you may be targeted.

Are you concerned about how cybercrime and data theft could affect your personal privacy or business operations? Most of us have accepted a certain level of risk in exchange for the conveniences of modern technology. For example, we use email in our personal and professional lives, interact with others on social networking sites (SNS), and conduct online banking transactions and purchases.

Who is targeting you and why? Cyber criminals, nation states, and other nefarious cyber actors conduct social engineering attacks. Their goals may be to obtain personally identifiable information (PII) or intellectual property, commit fraud, or acquire system access by duping unsuspecting users.

How are they targeting you? Attackers use emails, social media, instant messaging and SMS (text messaging) to trick victims into providing sensitive information or visiting malicious URLs in an attempt to compromise their systems.

At times, bad cyber actors specifically target individuals because of their position and access; this is known as spear-phishing. Research suggests that one-third of all data breaches include some element of social engineering and that hackers impersonate the Microsoft, PayPal, and Netflix brands more often than other brands in phishing attacks.

THE BAD NEWS: Online Social Engineering Attacks Are Increasing and Evolving

While we increasingly rely on the Internet for convenience, attackers are continually honing their cyber attack tradecraft and skills.

Spear-phishing attacks are particularly dangerous because they are designed to get around traditional email security such as spam filters. They typically do not include known-malicious links or attachments; instead they use spoofing techniques and freshly created links that security filters have not yet seen ("zero-day" links), combined with a social engineering angle.

For example, research indicates that cyber criminals are increasingly conducting business email compromise (BEC) spear-phishing attacks—also known as CEO fraud—to trick executives into requesting wire transfers or personally identifiable information from enterprise business areas. BEC attacks have caused more than $12.5 billion in losses since 2013.

Social Engineering Attacks Go Beyond Phishing

Phishing is by far the most prevalent type of social engineering attack. However, it is not the only type of online attack. Other types of online social engineering attacks include: ransomware, trojan horses, redirects, spam, malware injections, and watering holes.

Some examples of offline, or physical, social engineering approaches include: requesting access beyond what is necessary for job duties, faking job roles to gain access to computers, tailgating into unauthorized work areas, and vishing (fraudulent phone calls purporting to be from legitimate contacts).

Attackers typically combine the information obtained offline with open source information obtained online. This helps them put together a larger picture of how they can tailor emails to specific individuals within your company with the greatest chances of being clicked on by unsuspecting users.

THE GOOD NEWS: Some Social Engineering Risk Mitigations Overlap

The following 16 recommendations can help prevent you from becoming a victim of social engineering when using email, social media, and banking websites:  

  1. Review the entire URL, along with the padlock, before using the website. Confirm that the URL uses the genuine domain name and verify the authenticity of the website; the padlock only shows that the connection is encrypted, not that the site is legitimate.
  2. Think before you click. Don’t accept social media friend requests from people you don’t know, and don’t open emails or click on attachments you are not familiar with or expecting. Before clicking, hover over links and check where they lead, or manually type in the URL address.
  3. Don’t talk to strangers! No matter your position in your organization—executive, office manager, administrator, accountant, etc.—you are a potential social engineering target. Do not share any information (e.g., schedules, names, agendas, email addresses) over the phone, via email, or in person without confirming the legitimacy of who is asking.
  4. Remember to log out or sign out, or lock your computer, when you are away. This is especially important on a public computer, such as at a library or an Internet cafe; there, also close the browser when you are done. It’s quick, easy, and may save your account from unwanted trespassers.
  5. Keep your operating system and your mobile apps for email, social media, and online banking updated. Remember to patch! Make sure that you have the latest version of the platform you are using. This helps limit the damage from malicious links or attachments that you do accidentally click on.
  6. Use a password manager and strong passwords. Use a mix of upper- and lower-case letters, numbers, and special characters, arranged randomly. Never use your birthday, hometown, school, university, or a single dictionary word. Think in terms of phrases rather than words to generate passwords.
  7. Enable multi-factor authentication. It adds an extra layer of protection to your email and other accounts. Password managers such as LastPass or Dashlane can generate a random, site-unique password of the longest allowable character length; then apply two-factor authentication to the password manager account itself.
  8. Enable whole-disk encryption on smartphones, laptops, tablets. This helps protect your information if one of your devices is stolen.
  9. Don’t share accounts or passwords. This includes your email, SNS, or online banking passwords.
  10. Clear your Internet history. For example, cookies set during your online banking session may not expire for hours or even weeks. Several tools and apps can help with this, such as Click and Clean for the Google Chrome web browser.
  11. Avoid sending sensitive information over email or posting on SNS. Remember the Internet is permanent. Do not reveal personal information and be suspicious of anyone who asks for your personal information online. Never share your home address, phone number, Social Security number, or other personally identifying information.
  12. Close old accounts and apps. Research suggests that fraud conducted via rogue mobile apps exploded by 300 percent in recent months. Don’t risk leaving personal data in old accounts, such as a MySpace page you haven’t used in years or an online dating site you no longer need. Instead, close the accounts you don’t use and delete as much personal information from them as possible. Also verify your online accounts regularly and check your monthly financial statements.
  13. Give false (made-up) answers to password recovery questions, since the true answers can often be found online, and store those answers in a password manager.
  14. Do not enable auto login. Make sure that you don’t have your apps set to automatically log you in and that you don’t have your computer’s browser “remember” your login and password. That way if someone does get access to your devices, they can’t automatically access your online accounts.
  15. Never discard intact removable media or computers containing personal information. Physically destroy the media. Shredding CDs/DVDs and smashing thumb drives renders them useless to dumpster divers.
  16. Avoid using public WiFi connections. If you must do so, use a VPN.
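The URL checks in tips 1 and 2 (look past the padlock and the visible link text and examine the real destination) can be automated. The following Python script is an added example written for this article, not code from the original post or from GPSG. The allow-list of expected domains, the brand words, the confusable-character table and the sample links are all constructed for illustration, and the registrable-domain logic is a simplification (a production check would consult the Public Suffix List).

```python
"""Link inspection helper for tips 1 and 2: look past the anchor text and
the padlock and examine where a link really leads."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list of domains the reader expects to reach. A real
# deployment would use the organisation's own list of legitimate domains.
EXPECTED_DOMAINS = {"paypal.com", "microsoft.com", "netflix.com"}

# Brand words whose appearance elsewhere in a hostname is suspicious.
BRAND_WORDS = {"paypal", "microsoft", "netflix"}

# Digits commonly substituted for look-alike letters ("paypa1" -> "paypal").
CONFUSABLES = str.maketrans("1035", "loes")

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ("login.paypal.com" -> "paypal.com").

    Simplification: a production check would consult the Public Suffix List so
    that hosts such as "bank.co.uk" are reduced to the right domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href: str, display_text: str = "") -> list:
    """Return warning codes for a link; an empty list means nothing odd was found."""
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        warnings.append("no-host")
        return warnings

    # "https://paypal.com@evil.example/" connects to evil.example: everything
    # before "@" is user-info, not the destination.
    if parts.username is not None or parts.password is not None:
        warnings.append("credentials-in-url")

    # A bare IP address instead of a name is unusual for a legitimate service.
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass

    labels = host.split(".")
    # Internationalised labels are encoded as "xn--..."; they can render as
    # characters that look like the Latin alphabet.
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode-host")

    reg = registrable_domain(host)
    if reg not in EXPECTED_DOMAINS and any(
        brand in label.translate(CONFUSABLES) for label in labels for brand in BRAND_WORDS
    ):
        # Brand name used as a subdomain or inside a label of an unrelated domain.
        warnings.append("brand-lookalike")

    # The visible text names one domain while the link goes to another.
    for mentioned in DOMAIN_IN_TEXT.findall(display_text):
        if registrable_domain(mentioned) != reg:
            warnings.append("text-href-mismatch")
            break
    return warnings


# Constructed sample links (href, visible text), as they might appear in email.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.com@evil.example/login", "Log in to PayPal"),
    ("http://192.0.2.10/paypal/login", "PayPal"),
    ("https://paypal.com.account-verify.example/", "www.paypal.com"),
    ("https://paypa1.com/login", "Click here"),
    ("https://xn--fake-label-1ab.com/", "Netflix billing"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        found = inspect_link(href, text)
        print(f"{href:50} {'OK' if not found else ', '.join(found)}")
```

The warning codes are prompts for a closer look, not a verdict: a link with no warnings can still be malicious, and the first sample shows that a legitimate subdomain of an expected domain passes cleanly while the brand name appearing under some other domain does not.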

Prevent Social Engineering Attacks by Blending Old and New Security Approaches

These are not the only methods to prevent you from becoming a victim of a social engineering attack. However, they help serve as a starting point or a review for your personal and professional efforts to protect yourself and your organization.

Preventing social engineering attacks includes blending traditional cybersecurity approaches, such as patching and password management, with more current approaches, such as adopting two-factor authentication and closing old accounts and apps that are no longer needed.

Check out our latest tips for protecting your social media privacy here.

Contact GPSG at cyberteam@gpsg.co for a free consultation to enhance your ability to prevent, detect, and mitigate a cybersecurity incident.

Disclaimer:

This blog provides ever-changing content, conversations, and insights on cyber threats and trending solutions that are accurate to the best of our knowledge. Although we are cybersecurity experts, we provide information which we hope is helpful, and we do not endorse any specific products, tools, or solutions referenced herein. Consult with your cybersecurity team before taking any action.