How to prevent social engineering attacks
I’ve written a lot about different types of social engineering attacks and why we fall for them. But it’s not all bad news. We can do something to prevent them or protect ourselves from them.
Prevention and protection can be implemented by using layers of defence. Each layer helps reduce the chance that a socially engineered attack will be successful.
Layer 1 – Automatic defences
- Ensure that your router firewall firmware is up-to-date. If you don’t know how to do this, talk with your IT support people or your Internet Service Provider.
- Make sure that your firewall, anti-virus, anti-malware and anti-spam software on your computers, tablets and phones are up-to-date. Make sure automatic updates are turned on so that you’ll get the latest updates as soon as they are issued.
- Connect your printers to your router using the Ethernet connection and turn off wireless access.
- Turn on multi-factor authentication for websites that you log in to, especially if you will be accessing sensitive data like bank and credit card details.
Layer 2 – Software
- Be familiar with how your anti-virus and anti-spam software works. Sometimes this software can be “tuned” to produce better results, especially if it is ignoring malicious emails or marking safe emails as malicious.
- Check emails that have a link to a login page carefully. For example, if you are a Sky user, you might get a Sky phishing email that takes you to a fake login page. Ask yourself: does this company usually email you a link to a login page?
Layer 3 – Education
- There’s research to show that just warning people with leaflets, posters, etc. doesn’t work. In fact, it could have the opposite effect (why? I don’t know).
- If you have employees, awareness training has shown some positive results. However, this training has to be ongoing, as we tend to revert to old habits a short time after a one-off training session. If you want to set up an ongoing training course, please get in touch as I have a business contact who provides this training for a very low cost.
Layer 4 – Personal awareness
- Don’t click on links unless you are absolutely sure they are safe. If in doubt, type in the address that you know into your browser.
- Don’t open attachments unless you are absolutely sure they’re safe. Anti-virus software will catch most unsafe attachments, but some – especially Microsoft Office documents that try to run a script – can still slip through. If you open an attachment that then asks to run a script, say no.
- Use a password manager. Password managers allow you to have a unique password for every website that you log on to. They work by associating your login credentials with a particular web page. I’ve seen occasions where a password manager has spotted a phishing site because the web page address didn’t match the one that it knew. I’ve written a blog post about keeping your password safe and there’s more about password managers there.
- If in doubt, ask someone. An accounts assistant working for one of my clients did just this when she received a fake demand for payment and saved my client a quarter of a million pounds.
- If you are still in doubt, delete it. If it was genuine and important, the sender will get back to you.
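The two checks above (does the link really go where it claims, and does the password manager recognise the page) both come down to comparing host names rather than eyeballing them. The added example below, which is not code from the original post or from any particular password manager, shows the host-matching rule such a tool applies: a saved login is only offered when the visited page is on the saved host or one of its subdomains, so lookalike addresses that merely contain the real name get nothing. All domain names and the vault contents are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample vault: the page a credential was saved on -> username.
# (Made-up domains; not from the original post.)
VAULT = {
    "https://accounts.example-bank.com/login": "alice@example.com",
    "https://mail.example.org/": "alice",
}


def host_of(url: str) -> str:
    """Lowercase host name of a URL, or '' if it has none (e.g. a bare path)."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_matches(stored_url: str, visited_url: str) -> bool:
    """True when the visited page is on the stored host or one of its subdomains.

    The comparison is on whole host labels, never on substrings, so
    'accounts.example-bank.com.evil.example' and 'example-bank.com-secure.example'
    do not match a credential saved on 'accounts.example-bank.com'.
    """
    stored, visited = host_of(stored_url), host_of(visited_url)
    if not stored or not visited:
        return False
    return visited == stored or visited.endswith("." + stored)


def credentials_for(vault: dict, visited_url: str) -> list:
    """Usernames a manager would offer on this page; an empty list means no match.

    An empty result on a page that looks like your bank's login form is the
    warning sign the post describes: the address is not one the manager knows.
    """
    return [user for site, user in vault.items() if host_matches(site, visited_url)]


def looks_like_address(text: str) -> bool:
    """Heuristic: does the visible link text name a host ('www.example.org')?"""
    text = text.strip()
    return bool(text) and " " not in text and "." in text


def link_mismatch(display_text: str, href: str) -> bool:
    """True when an email link's visible text names one host but points elsewhere.

    display_text is what the reader sees; href is the real destination. Plain
    text such as 'Click here' names no host and is never reported as a mismatch.
    """
    if not looks_like_address(display_text):
        return False
    shown = display_text.strip()
    if "://" not in shown:
        shown = "https://" + shown
    return not host_matches(shown, href)


if __name__ == "__main__":
    # Constructed example pages: the real site, and a lookalike built from it.
    for page in ("https://accounts.example-bank.com/signin",
                 "https://accounts.example-bank.com.evil.example/login"):
        print(page, "->", credentials_for(VAULT, page) or "no saved login for this address")
    print(link_mismatch("https://accounts.example-bank.com",
                        "https://accounts.example-bank.com.evil.example/login"))
```

Commercial password managers and mail clients compare the registrable domain (using the Public Suffix List) rather than the exact saved host, which the standard library does not provide; the subdomain rule here is a deliberately stricter stand-in, so a link shown as one subdomain but pointing at a sibling subdomain of the same site is reported as a mismatch.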
Social engineering attacks can also be made by phone. This is known as vishing.
- Ask yourself, is the person on the other end really who they say they are? If you are unsure, get their name and call them back – not on the number that they give you, but on one that is publicly available (use Google!).
- Don’t respond to automated calls. I once had an automated call claiming to be my credit card wanting to check about a recent payment. I hung up and phoned their customer care line. It turned out that this was a genuine call as the credit card company suspected fraud. However, it’s not difficult to set up a fraudulent automated system to do this.
- This is where multiple requests are made for different pieces of information which, on their own, seem harmless but, when combined, can be used for further attacks.
Do you want to learn more?
Network Midlands runs seminars to help you detect and defeat social engineering attacks. Find out more at “The Art of Deception”.