The other day, Daniel wrote an article all about identifying social engineering attacks. He talked about what they look like and how they work. But there was one aspect he left out. It was no mistake – he did it on purpose. Why? Because talking about how you can avoid social engineering attacks deserves more space than a paragraph at the end of a longer article.
7 Ways to Prevent Social Engineering Attacks
Social engineering is happening every single day, to both individuals and companies. No one is immune. Not even Solid Systems. Last month a number of our team members were sent emails claiming to come from me. But they knew what to do when that happened. They knew how to identify an attempted social engineering attack, how to report it, and how to avoid falling victim to it.
Here are 7 ways that you, and your teams, can protect your business against social engineering attacks:
1. Be Careful About What You Put Online
One of the main ways that social engineering attackers learn about you and your business is through the information that they find online. A quick search of your company LinkedIn page, for example, can tell attackers:
- Who works for your company
- What their roles are
- How long they’ve been at the business
- What their email address is
This last one isn’t always obvious. There is often a lot of guessing involved. But if, for example, an attacker sees that your business’ email addresses follow a particular format, like firstname.lastname@example.org, then it’s easy for them to guess your employees’ addresses.
But, while there is a good deal that an attacker could glean just from a company’s LinkedIn page, the real sources for their information come from personal profiles. This is the information that they use to try and connect with you, to make you think that they really are your friend or colleague. It’s the details you posted publicly about your family holiday, about your weekend, about your life. This is the information that will get you to trust them, opening the door for an attack, and it’s these details that you should make sure only your trusted friends and family have access to.
2. Check Emails Carefully
It’s easy for an attacker to send an email that looks like it comes from someone you know. They change the name of the sender, they include a signature that looks legit. But there’s one detail that’s more difficult to fake: the sender’s address.
Take for example that attempted social engineering attack that we experienced. The emails said they were coming from Michael Claxton, but the address itself was a Gmail one, not referencing my name at all.
And that wasn’t the only detail that wasn’t quite right. I don’t usually sign internal emails. This one was signed with my full name and title, but not using our Solid signatures. My team members also know that I would never have to ask them for their WhatsApp numbers – I’d know where to find them if I needed them, and we’re all in a WhatsApp group together in any case.
The point I’m making is this: don’t take emails at face value. If you think there’s something suspicious about a mail, take a moment to look at the finer details, like the address it’s coming from. And if you’re still not sure, or something still seems off about the mail…
3. Follow Up With A Phone Call
If you’ve received an email from someone you know, and it seems a bit suspicious, there is no harm in picking up the phone. Call the person. If they tell you that they did in fact send the mail, then there’s no problem – you can give them the details that they need (with one exception, coming up next in the list).
If, on the other hand, they didn’t send the mail, there are a few steps that you need to take.
- Recheck the email. There’s a big difference between a mail that comes from a random Gmail address, and one that comes from a mailbox you trust.
If the email was sent from a legitimate address, it’s likely that the mailbox has been compromised. Contact your IT team and the address owner immediately.
- Let your colleagues know. If you’ve received a social engineering mail, it’s likely that you’re not the only one. Your teammates may be getting them too, and it’s all too easy for someone to just click a link when they think the sender is trustworthy, or reply without thinking.
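As an added illustration of the sender-address check from points 2 and 3 (example code, not from the original post or from Solid Systems): a small Python script that parses the From header of a raw message and flags a known colleague’s name paired with an outside address, as in the Gmail example. The staff directory, company domain and sample messages are all constructed for the example.

```python
# Added example (not from the original post): flag emails whose display
# name matches a known colleague while the actual address is external.
# The staff directory, domain and sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.org"  # assumed internal domain

# Constructed staff directory: lower-cased display name -> expected address.
STAFF = {
    "michael claxton": "michael.claxton@example.org",
}


def check_sender(raw_message):
    """Return a list of warnings about the From/Reply-To headers of a raw message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if not address or "@" not in address:
        return ["From header has no usable address"]
    warnings = []
    domain = address.rsplit("@", 1)[1].lower()
    known = STAFF.get(display_name.strip().lower())
    if known and address.lower() != known:
        warnings.append(
            f"display name '{display_name}' matches a colleague but address is {address}"
        )
    if known and domain != COMPANY_DOMAIN:
        warnings.append(f"colleague name used with external domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {address}")
    return warnings


# Constructed sample: the scenario from the post, a Gmail address with the CEO's name.
SUSPICIOUS = """From: Michael Claxton <quickreply1234@gmail.com>
To: staff@example.org
Subject: Need your WhatsApp number

Please send me your WhatsApp number asap.
"""

LEGIT = """From: Michael Claxton <michael.claxton@example.org>
To: staff@example.org
Subject: Team meeting

See you at 10.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, check_sender(raw) or ["no warnings"])
```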
4. Never Ever Send Personal Information Over Email
“Why would an attacker target me? It’s not like my details are important or anything.”
I hear this line of thinking far too often. You may think that your WhatsApp number is nothing more than a number, that there’s little an attacker could do with it, but you’d be surprised. Think of all those frustrating cold calls from salespeople, for example. And having your number sold to the highest bidder should actually be the least of your concerns. Imagine your personal details being used to dupe others through social engineering.
If you’re asked for a personal detail like your phone or ID number or your personal email address, follow up in another way. Give them the details over a call or, better yet, over a platform like Password.link. And, speaking of passwords, never, ever share your password over email, chat messages, or even phone calls. In fact, it’s best to never share your password at all! Even with someone you trust.
5. Never Respond To An Attacker
It’s a natural response. Once you’ve learned that someone has tried to attack you, you want to attack back. To respond, tell them how futile their efforts have been. To trick them the way that they tricked you.
But when it comes down to it, responding to an attacker is only playing into their hands. It’s giving them more personal information about you or confirming the information they already have.
Often attackers are sending the same message to multiple variations of an address, for example. They might try email@example.com, firstname.lastname@example.org, and email@example.com. They’ll send all of these mails at the same time, hoping that one of them is correct. By responding, you’re confirming which mailbox format your company uses, giving the attacker more information than they had before.
The best way to respond to an attempted attack is to ignore the sender and focus on the problem at hand – ensuring that your teams know about attempted attacks as soon as possible and making sure that your security is intact.
6. Keep Yourself And Your Teams Trained
I cannot say this often enough. The best offence is a good defence. The best way to avoid an attack is to make sure that your teams know how to recognise and respond to one. And the best way to do that is through regular training.
There are tools out there that can help. Microsoft Defender for Office 365 has a feature that I find essential in keeping my teams thinking about social engineering attacks and phishing mails in general. It lets you send out a phishing mail yourself, and gauge how your teams respond. If they click on the links within, it will train them on what they should have done instead.
Mimecast has a similar feature, where it occasionally asks users whether they think the link they clicked was legitimate. It’s a great tool for getting your team members to think about what they’re doing rather than clicking on emails automatically.
7. Work With A Trusted Managed IT Services Provider
I’ll be the first to admit that this final point is a bit of a punt for Solid Systems. But it doesn’t make the point any less relevant. Working with a Managed IT Services provider you trust will see a marked improvement in your company’s email security, data security, and cyber security in general.
When incidents do occur, your teams will have access to the IT support that they need, 24 hours a day, 7 days a week. We can also help you train your teams to ensure that any incidents that do arise are flagged as quickly as possible, and handled as effectively as possible too.
We work with you to implement the latest technologies safely and securely, minimising risk, and seeing you step confidently into the future.