Threats are often categorized into “attacks” and “vectors in the security field.” An attack could be physical, such as a break-in or vandalism. The vector might be hurling something through a window or starting a fight. Attacks can also be digital, hacking into an account using a computer worm (virus) as the vector. One often overlooked and nefarious form of attack is the social engineering attack. Again, these attacks can be physical or digital in nature, and they rely on your employees.

Threat actors use interactions with human beings to carry out malicious acts. The social, interactive element is what makes this attack so dangerous. It can be easy to install a firewall but keeping a level head under pressure might not be easy. In this article, we’ll cover some basic social engineering attacks. We’ll also teach you how to protect your company against them.

There’s an old adage – “Keep it simple, stupid.” It works for security, and it works for criminals. Encryption software is built with complex algorithms that are impossible for a human to crack alone. An encrypted file might as well be junk data on an unauthorized computer. Why spend time breaking through layers of security when a criminal can ask for a password instead? Social engineering attacks are common because they are easy and effective.

There are several sneaky ways “bad guys” use social engineering. Normally the first step is to plan the attack. These are rarely impulsive decisions. An attack may have months or years of prep work behind it. Take Stuxnet, for example. Hackers spent five years on malware development before the first attack. The attack took place by dropping infected USB drives in a parking lot outside of a nuclear processing facility. It was extremely effective.

People might call, send emails, or visit your business during the planning phase. A malicious actor might apply for a job to get inside. They identify low-level employees who have ground-level access and go from there. Once they’re ready to move, they may attack.

While overt examples of an attack are obvious, there are more subtle vectors. Everyone can recognize a brick thrown through a window as aggressive. But would you recognize a person holding two cups of coffee as aggressive? Your employees might not, either. They’ll probably hold the door for him/her to be nice.

People may also look through the trash to gain information, such as records or passwords. You can throw away a lot of sensitive information if you aren’t careful.

Phishing is one of the most common methods of social engineering. An automated email goes out to thousands of people who rightly delete them. However, if somebody clicks a link in that email, their computer may be compromised. If not, they might be contacted by a real person. This person will lie and try to trick the person into divulging funds or information.

Scareware is another classic tactic. An attacker will attempt to trick an employee into believing they have been infected by malware. Then, this person will send them the “solution” for the infection. Without knowing it, the employee will have installed malware after downloading the “solution.”

The most effective attack vector is Spear Phishing or targeted email attack.  This tactic requires reconnaissance and planning.  In this attack, the “bad guy” attempts to piece together a profile of the target from their social media posts.  Individuals do not realize the seemingly innocuous information they post about themselves is like a bonus prize to a hacker.  The more personal information the hacker can collect the more detailed their profile of the target will be.  This allows the hacker to develop emails that the target will open. The problem is not with the email itself; it is with what is attached, embedded, or linked to. The malware downloaded from the email will compromise the user’s computer.  Remember the individual that sent the email is a hacker, so you should consider your whole network compromised.

By training your employees to recognize hazardous behaviors, you can better protect your business. You can also perform penetration tests semi-regularly. For example, try to see if an employee will hold the door for you. If they do, remind them that it isn’t a safe practice after you thank them. These tests will help you learn which tactics work against your employees and expose risks to mitigate.

The internet as we know it has been around for quite a while. While most of the websites that were around before the 2010s have gone offline, some of them are still around. How long have you been on the internet? If you’ve used it for a long time, there’s a chance you have old accounts somewhere out there that are long forgotten, like MySpace, Napster, AOL, etc… Most of these online footprint remnants are bound to be harmless, but they might not paint an accurate picture of who you are now and where you plan to go.

Eventually, somebody is going to look you up online. It might be somebody looking to hire you – And you need to know what’s out there. The amount of things people can find about you online is called your “digital footprint.” We’re going to go over how to manage that footprint.

Auditing your online profiles can be a big job, but it is important.  After all, you may have made profiles on websites you can’t even remember the name of. Creating accounts is such a fast, easy thing; most people have made dozens of them for a wide variety of reasons. Even though these are forgettable, they’re important to manage. You may have forgotten, but the Internet did not.

Check Wikipedia’s list of the most popular websites. If you see any that you recognize or remember using, make a note of it and add it to a list of websites to audit.

Try remembering your old login information and logging in to as many accounts as you can. First, delete the information on any web site’s profile and delete the account itself. Getting into these accounts can be tricky. However, your browser might still have the passwords saved. If not, remember the email you signed up for the account with and search your appropriate inbox. Almost every website with a login prompt has a way for you to recover login info.

Even if you delete old accounts, there may still be images in the images section of Google. The Google Help Center has instructions on how to get an image removed from Google Images. That said, it can be more helpful to create new profiles and upload new pictures that better reflect the image you’d like to convey. By updating new content, Google will favor the new material in its search algorithms. Sharing this content publicly will do more to establish your image than any deletion ever could.

Many websites offer features to hide your profile from search engines. Blogging websites, for example, may allow people to find you by searching for your email address. If this is the case, they are likely also able to disable this feature. Make sure you understand the website’s privacy policy and settings and keep updated with any websites you use. Many services change how they present users over time. This leads to the most important thing…

Once you have deleted old accounts and images and begun cultivating a new presence, you must maintain it. Your new presence should reflect the same image overall services. Please work with the idea of having a digital footprint instead of against it. Make it work for you rather than against you. Repeat these steps every few months and use your presence to expand your network. If you need further advice, don’t be afraid to contact our experts.