In short, the Big Bad Wolf can turn into your grandmother with a simple mask and if you don't pay attention it may well steal your little pot of butter. The moral of the story? You don't give people confidential information unless you checked their identity first.
social engineering in short
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network.(source)
let's get practical with phishing attacks
Phishing attacks are derived from social engineering: someone will pretend to be a legitimate person and ask for confidential information. If you feel like reading some French, there are plenty of examples on our French security blog (through bills, social networks, pop-ups, etc.) where attackers ask for information that he (or she) will then use to get access to a network.
Something recurring is to use a piece of news to get into a network: what's better than a hurricane when you're pretending to be a humanitarian association?
The general idea is to unmask the attacker as soon as possible and look for every possible hint. For example, if someone asks you for your mobile phone in the streets, will you give him/her right away? I don't think so... Here, it's the same.
Here are some simple advices you'll be able to use everywhere:
- check the identity of the person who's asking for confidential information: what about his/her email for example? Does it look weird? You may want to have a look at your company's internal social network.
- make sure that hyperlinks are ok (for shortened URLs, there are plenty of tools to unshorten them like this one)
- take a look at all the security hints you may find online: does a Website have a "https" for example?
Of course, attackers won't only target "The Big Boss" who has admin rights everywhere... There are other people with limited accesses but they sure can open doors too! So, there's only one real solution: prevention.
We could also talk about tools (such as plug-ins) but nothing's worth prevention right? ;-)
photo credit: © Štěpán Kápl - Fotolia.com
This blog post was originally published in French here.