Social engineering is often called the art of deception: obtaining information or access by deceiving or manipulating a target person rather than by breaking a technical control. There are many ways to do this. A forged message sent to someone in order to take over their email account is a simple form of social engineering; so is an email or SMS announcing "You have won $500", which exists only to deceive the recipient.
News about celebrities, for instance, attracts more attention than other news. It appeals to wide audiences, mostly fans and followers, and draws media coverage. Media organizations rely on sensational and exaggerated headlines to attract attention: the more incredible the title, the more readers click on it. Attackers exploit the same reflex. Links that promise scandalous or unbelievable disclosures about a celebrity often lead to specially prepared malicious sites built around the fake story. Like many other fraudulent sites, they serve malware or redirect victims to survey and advertising pages.
Millions of people use social networking sites every day, so it is not surprising that social media phishing has become widespread. This form of phishing abuses the platform's own features: a message or post invites you to install an application or enable a new "feature", and that application then takes over your account, steals personal information, or directs you to malicious pages. Be careful with any link that asks you to download a feature or install an application in order to keep using the service.
Trust is a strong motivator. That is why social engineers deliberately use language that creates a sense of trust or authority to lead you to fulfil their request, such as giving away personal information or money. You may see nothing suspicious, because messages (by email, SMS, or phone) can appear to come from government officials or managers of legitimate businesses, usually as urgent warnings that demand immediate action about your system or financial security. The message creates the feeling that you must do what the official demands in order to escape a threatening situation. Keep in mind, however, that a legitimate official or business never demands personal information by phone or email. No matter how frightening the tactic, under normal conditions it causes no damage unless you give in. Be wary of alarming subject lines and contents that tell you to do something or face terrible consequences.
New Year's Day and other holidays are celebrated by people all over the world and will always be a favourite bait for social engineers. Around the holidays you will see suspicious spam and social media posts proposing incredible offers. The links in them rarely lead to free products or great discounts; they lead to websites that host malware. Keep in mind that an online offer that looks too good to be true is, in all likelihood, fake.
Social engineers can use caller ID spoofing tools to place calls that appear to come from any phone number. For example, a call can show the number of a bank you know, or even imitate a service such as 911. The attacker exploits the victim's tendency to trust the displayed number and easily tricks people into handing over money or credentials. The most useful rule to remember is that a legitimate authority or bank will never call you and ask for a password or full credit card details.
As explained above, social engineers use a variety of tools and techniques to manipulate target individuals. Phishing, vishing (voice phishing), smishing (SMS phishing), and related attacks come in many forms, and social engineers invent new scenarios and attack techniques every day, because this approach brings high financial gain with a high success rate.
Phishing attacks are among the most common and most damaging security problems that both individuals and companies encounter.
Measures can be taken in light of the following suggestions against different kinds of social engineering attacks:
- Phishing attacks do not happen only by email. Cybercriminals also initiate phishing attacks through phone calls, text messages, and other online applications. If you do not know the sender or the caller, or if the message content seems too good to be true, it is probably a social engineering scheme.
- Be aware of the signs. If an email contains spelling or grammar mistakes, an urgent request, or an offer that looks too good to be true, delete the message immediately.
- Confirm the sender. Check that the sender's actual email address (not just the display name) belongs to the organization it claims to be from. If you receive a call from a supposedly legitimate enterprise that demands personal information, hang up and call the organization back yourself, using a number from its official website or your own records, to verify the call.
- Do not be fooled by message content that looks real. Phishing emails often carry convincing logos, genuine links mixed in with malicious ones, legitimate phone numbers, and the email signatures of real employees. If the message urges you to act (especially to send sensitive information, click a link, or download an attachment), slow down and look for other signs of phishing. Do not hesitate to contact the company the message claims to come from directly: it can verify whether the message is authentic, and it may not even be aware that its name is being used for fraud.
- Never share your passwords. Your passwords are the keys to your identity, your data, and even to your friends and colleagues. Never share a password with anybody. Companies you do business with and your own IT department will never ask you for your password.
- Avoid opening links and attachments from unknown senders. Do not click unverified email links or open unexpected attachments; they can deliver ransomware (such as CryptoLocker) or a Trojan. Get into the habit of typing URLs into your browser yourself instead of clicking links. Do not open an attachment unless you were expecting that file. If a message looks suspicious, call the sender through a known number and verify that they really sent it.
- Do not talk to strangers. If you receive a call from someone you do not know and are asked to provide information, hang up and notify the relevant authorities or your security team.
- Watch out for abandoned flash drives. Cybercriminals deliberately drop USB flash drives where a victim will find them, so that whoever picks one up installs malicious software on their computer without knowing it. If you find an abandoned flash drive, do not plug it into a computer, even to look for the real owner, because it could be a trap.
- Delete suspicious email. Messages from unverified sources that are difficult to verify are likely to be malicious. If you are in doubt, reach the alleged source by telephone or through a known, published email address to confirm that the message is genuine.
- Use email filtering options when possible. Email or spam filtering can prevent a malicious message from reaching your inbox.
- Install and update antivirus software. Scan your operating system with the latest antivirus software to take the necessary measures against malicious software.
- Update all devices, software, and add-ons regularly. To reduce risks to your computer, check your operating system, software, and plug-in updates frequently, or set up automatic updates if possible.
- Back up your files. Frequently back up files on your computer, laptop, or mobile device so that you can easily restore your files when your files are compromised by malicious software. This way, you will not have to give a ransom to a cybercriminal who locks your files and asks for money to open them.
- Train your employees. More than 90% of breaches are reported to begin with a phishing attack, so training employees in cybersecurity best practices is one of the most effective ways to prevent phishing from succeeding.
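Several of the checks in the list above (confirming the sender, noticing urgency language, checking where a link really goes, and distrusting unexpected attachments) can be partly automated. The following Python script is an added example written for this page, not code from the original article. The message it parses is constructed for the demonstration, and the trusted-domain list, urgency phrases and risky extensions are assumptions you would replace with your own; the registrable-domain helper is deliberately crude (no public-suffix list).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: domains the reader really does business with,
# phrases that signal manufactured urgency, and attachment types worth flagging.
TRUSTED_DOMAINS = {"acme-bank.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".iso", ".zip")

# Constructed sample phishing message (not a real email): look-alike sender domain,
# Reply-To pointing elsewhere, urgent wording, and a link whose visible text is the
# real bank URL while the href leads somewhere else.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.example>
Reply-To: recover@mail-verify.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, we detected unusual activity. Verify immediately or your account will be locked.</p>
<p><a href="http://acme-bank.example.login-verify.example/auth">https://www.acme-bank.example/login</a></p>
</body></html>
"""

def registrable_domain(host):
    """Crude registrable domain (last two labels); enough for the demo."""
    if not host:
        return ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of_address(addr):
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def is_lookalike(host, trusted):
    """True when host contains the trusted brand label but is not the trusted domain."""
    brand = trusted.split(".")[0]
    return brand in host.lower() and registrable_domain(host) != trusted

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    """Return a list of (finding_code, detail) for phishing signs in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of_address(from_addr), domain_of_address(reply_addr)
    # 1. Confirm the sender: unknown domain, especially one imitating a trusted brand.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        findings.append(("UNKNOWN_SENDER_DOMAIN", from_dom))
        if any(is_lookalike(from_dom, t) for t in TRUSTED_DOMAINS):
            findings.append(("LOOKALIKE_SENDER_DOMAIN", from_dom))
    # 2. Replies silently redirected to a domain other than the one shown in From.
    if reply_dom and reply_dom != from_dom:
        findings.append(("REPLY_TO_MISMATCH", f"{from_dom} -> {reply_dom}"))
    # 3. Manufactured urgency in subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    findings.extend(("URGENCY_LANGUAGE", w) for w in URGENCY_WORDS if w in text)
    # 4. Links whose visible text names one site while the href goes to another or untrusted host.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for href, label in collector.links:
            href_host = urlparse(href).hostname or ""
            label_host = (urlparse(label).hostname or "") if "://" in label else ""
            if label_host and registrable_domain(label_host) != registrable_domain(href_host):
                findings.append(("LINK_TEXT_MISMATCH", f"{label} -> {href}"))
            if href_host and registrable_domain(href_host) not in TRUSTED_DOMAINS:
                findings.append(("LINK_TO_UNTRUSTED_HOST", href_host))
    # 5. Unexpected attachments of types that commonly carry malware.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("RISKY_ATTACHMENT", name))
    return findings

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code:24} {detail}")
```

Run it and the constructed message trips the sender, Reply-To, urgency and link checks at once; a plain statement notification from the trusted domain produces no findings. None of these heuristics proves an email is malicious on its own, which is why the list above still ends with verifying through a channel you already trust.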