According to our Chief Innovation Officer at MCSnet, Mark Beland, 90 per cent of all cybersecurity threats are due to Social Engineering.
Social Engineering refers to the manipulation of individuals into performing certain actions or divulging confidential information. It’s a strategy that cyber attackers use to deceive and manipulate users into making security mistakes or giving away sensitive information.
“Cyber attackers are growing more and more sophisticated and are convincing people they are the real deal, when in fact they are masquerading behind an official company name or government agency in order to gain your trust and then steal sensitive information,” says Beland.
MCSnet staff are required to undergo Social Engineering Training to prevent cyber attacks. This is why we will ask for certain pieces of personal information to verify who you are whether you are calling into MCSnet or approaching us with queries online.
“We take cybersecurity very seriously at MCSnet and use a variety of methods to keep our customer information safe, such as not accepting credit card information over the phone, requiring all of our employees’ devices to have two-factor authentication, and continually monitoring our network.”
Social Engineering Attacks Happen in One or More Steps
- Investigation: The attacker gathers information about the intended victim. This can include discovering the names of their children, their birthdates, where they went to school, or other personal information that might be used in subsequent attacks.
- Hook: The attacker attempts to gain the victim’s trust and provide stimuli for subsequent actions that break security practices.
- Play: The attacker exploits the established trust to deceive the victim into performing an action or revealing confidential information.
- Exit: The attacker extracts themselves from the situation, ensuring that they leave no trace or sometimes even positioning the blame on others.
Types of Social Engineering Attacks
This involves tricking individuals into clicking on malicious links or downloading harmful attachments, often through deceptive emails.
The attacker creates a fabricated scenario (or pretext) to obtain information from the victim. For instance, they might pretend they need certain data to confirm the identity of the person they’re speaking to.
Similar to phishing, but promises the victim a benefit to entice them into downloading malicious software. For example, free music or movies that, when downloaded, also install malware on the victim’s computer.
Tailgating or Piggybacking
In this scenario, an attacker seeks entry to a restricted area without proper authentication by following an authenticated user closely behind.
Uses fake surveys to trick people into providing confidential or personal information.
This is voice phishing, where attackers use phone calls to trick individuals into giving away sensitive information.
Protection for Businesses Against Social Engineering
There are a number of ways for rural businesses to keep on alert for social engineering attacks. Follow these tips to keep the hackers away.
Education and Training
One of the most effective defenses against social engineering is awareness. Regularly educating and training employees about the dangers and signs of social engineering can be invaluable.
Always double-check and verify the source before divulging any sensitive information.
Use Multi-Factor Authentication
This ensures that even if someone has stolen credentials, they can’t access an account without another form of verification.
Regular Software Updates
Ensure all systems are up to date with the latest security patches.
Limit Personal Information Sharing Online
The less information about you online, the less data an attacker has to use against you.
Establish Strict Policies
For information sharing and ensure that employees understand the consequences of sharing sensitive data with unauthorized individuals.
Keep Security Software Updated
This includes firewalls, antivirus programs, and anti-spyware tools.
How Rural Internet Users Can Prevent Phishing
Since phishing is one of the most prevalent types of cyber attacks facing rural internet users, we will focus on its prevention. Phishing is a type of cyber attack in which attackers masquerade as trustworthy entities to deceive individuals into providing sensitive information, such as usernames, passwords, credit card numbers, or other personal details. Phishing attacks often come in the form of deceptive emails, instant messages, or fake websites.
Educate Yourself and Others
Be aware of common phishing tactics and signs of phishing emails. If you’re running an organization, conduct regular training sessions for your staff.
Check URLs Carefully
Before entering personal or financial information, make sure the website’s URL is legitimate and starts with “https://” (the ‘s’ stands for secure). Watch out for misspelled domain names or other irregularities.
Don’t Click on Suspicious Links
Be wary of unsolicited emails, especially if they contain hyperlinks or ask for personal information.
Install Anti-Phishing Toolbars
Some browsers offer add-ons or extensions that can identify and block phishing websites.
Use Two-Factor Authentication (2FA)
Even if attackers get your password, 2FA can prevent unauthorized access. It requires an additional step (e.g., a text message code or authentication app) after entering the password.
Regularly Update Software
Ensure your operating system, browser, and other software are up to date. Updates often contain patches for security vulnerabilities that might be exploited by phishers.
Never Provide Personal Information on Request
Legitimate organizations will never ask you to provide or verify sensitive personal information through email. If in doubt, call the organization directly using a phone number from a trustworthy source, not the number provided in the suspicious email.
Install and Update Antivirus Software
Ensure your computer has antivirus software that can detect and block phishing emails and malware.
Desktop firewalls and network firewalls can block malicious attacks and are an essential line of defense.
Be Wary of Pop-Ups
Phishing scams can also be executed via pop-up windows. Never enter personal or financial information into a pop-up, and always close them by clicking the “X” in the upper corner, not any button within the pop-up.
Check Account Statements
Regularly monitor your bank and credit card statements for unauthorized transactions.
Regularly backup important data. If you fall victim to a ransomware attack (which can sometimes follow a phishing attack), having a recent backup can be crucial.
If you come across a suspected phishing attempt or if you believe you’ve been a victim of phishing or social engineering, report it. In Canada, for example, you can report cyber incidents to the Candian Centre for Cybersecurity.
Always remember that the human element can often be the weakest link in security. The key to avoiding cyber attacks is always to be skeptical and cautious. When in doubt, it’s better to take a moment to verify than to risk becoming a victim.