What is a social engineering attack?
Social engineering is the term used for a range of malicious activities carried out through human interaction. Attackers psychologically manipulate users in ways that allow the perpetrator to gain access to sensitive data they should not be privy to, for example from CCTV, access control or even building management systems.
What makes social engineering attacks especially dangerous is that they rely on human error rather than on vulnerabilities in software and operating systems, which makes them less predictable. Regular training can help your team identify threats and protect themselves and your building. Here are five common examples of social engineering attacks and how to avoid them:
1. Phishing –
Phishing is the most common type of social engineering attack. Phishing scams can be run via email or text campaigns designed to create a sense of urgency, curiosity or worry in victims, which manipulates them into providing sensitive information.
This is the most common kind of phishing scam, especially for property managers, as data is collected daily, whether through building systems or as PII (personally identifiable information). This kind of sensitive information is valuable to an attacker as it can lead to fraud, identity theft or even your building's data being held for ransom.
In 2021, Tessian research found that employees receive an average of 14 malicious emails per year. It isn't always possible to prevent these scams reaching your inbox, but you can look out for the following signs to help identify a phishing email and avoid your sensitive information being compromised:
· Bad Grammar
· Out of the ordinary requests usually with an urgent connotation
· Messages from random companies
· An HTTP URL rather than HTTPS – HTTP is not secure; HTTPS is a secure protocol that uses an SSL/TLS certificate to authenticate the site
2. Tailgating –
Tailgating occurs when a threat actor enters a secured building by following authorised personnel through the door. This tends to happen when legitimate staff assume the person behind them is allowed entrance and hold the door open for them.
When this happens, a secure access point in your building loses its security, and the building, its occupants and its equipment are put at risk. Here are a few ways to prevent tailgating from happening:
· Implementing managed or hosted access control systems
· Installing CCTV systems
· Staff and Visitor ID badges
· Staff education and policy
3. Spear phishing –
Spear phishing is a way of obtaining information through deceptive, more personalised e-mail messages and social engineering that is finely tailored to the target. Spear phishing has become more advanced and more common, as it is an effective method for targeting several industries.
For example, an attacker could target you and your building by personalising an email aimed directly at you, or at a specific individual who has the authority to provide specific and sensitive data, while pretending to be someone you know or a person of importance, in order to gain access to your building management systems.
How can you decrease the risk of being compromised by a spear phishing attack?
· Check the sender's email address
· If you're unsure, don't click on any links or provide any sensitive information before speaking to your security team
· Regular employee training
· Keep systems updated with the latest security patches and anti-phishing protection
· If in doubt, call your IT security company for help
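To show how the sender-address check above and the HTTP-link check from the phishing list can be automated, here is an added example (not from the original article or Total IT) that scores a raw e-mail against those indicators. It assumes a hypothetical vendor domain, constructed sample messages and an assumed list of urgency phrases.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that create the "sense of urgency" the article warns about.
# Assumed word list for this example, not an industry standard.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "will be suspended", "act now")
# A link that is plain http:// rather than https:// is an indicator.
HTTP_LINK = re.compile(r"\bhttp://[^\s<>\"']+", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_email(raw: str, expected_domain: str) -> dict:
    """Score a raw message against the article's indicators; expected_domain
    is the domain the sender claims to represent (assumed vendor here)."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = {
        "sender_domain_mismatch": from_dom != expected_domain.lower(),
        "reply_to_mismatch": bool(reply_dom and reply_dom != from_dom),
        "plain_http_link": bool(HTTP_LINK.search(body)),
        "urgent_language": any(p in text for p in URGENCY_PHRASES),
    }
    findings["score"] = sum(findings.values())  # 0 = none, 4 = all hit
    return findings


# Constructed sample messages (not real mail) for demonstration.
PHISH = """From: Access Control Support <support@accesscontrol-vendor.example>
Reply-To: helpdesk@acme-login-reset.example
Subject: URGENT: CCTV account will be suspended

Your CCTV admin account will be suspended within 24 hours.
Log in immediately at http://acme-login-reset.example/verify to keep access.
"""
LEGIT = """From: Access Control Support <support@acmeaccess.example>
Subject: Scheduled maintenance window

The monthly firmware update is scheduled for Saturday. Release notes:
https://acmeaccess.example/releases/2024-06
"""
```

A high score is a prompt to verify the message with your security team, not proof of an attack; a real mail gateway would combine such heuristics with sender authentication checks.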
4. Scareware –
Scareware is a form of malware that uses social engineering to cause shock or a perception of threat in order to manipulate users into buying or downloading fake software disguised as genuine cybersecurity protection.
For example, the scammer can target you with fear tactics, using a barrage of security-breach notifications appearing on your screen to convince you that your building management systems have already been compromised and your data has been corrupted.
Once they have instilled that fear, they pose as a cyber security professional to persuade you to install fake security software, which then infects your system.
Staying informed and following these tips can help you spot scareware attacks early:
· Never click on malware pop-ups
· Always use genuine antivirus software
· Keep your browser updated
· Use the full range of network tools, e.g. ad blockers, URL filters and firewalls
· If in doubt, call your IT security company for help
5. Baiting –
Baiting attacks use a false promise to play on a victim's greed or curiosity. The attacker lures you into a trap where they can steal your building's sensitive data via hardware or infect your whole building's systems with malware.
The most common baiting technique uses physical media to distribute malware: for example, they could leave a malware-infected flash drive in a non-suspicious area, e.g. elevators, bathrooms, restaurants, canteens or the building car park. They tend to make it look authentic by adding a relevant logo or a label, e.g. 'CCTV Footage'.
Baiting frauds have become more advanced over time and can now be seen in online forms, such as enticing ads that lead to malicious sites or encourage a user to download a malware-infected application.
Here are some ways to avoid a baiting attack:
· Avoid using any suspicious-looking physical media – send it straight to your IT security team
· Look sceptically at any offer that seems too good – if an offer seems too good to be true, 9 times out of 10 it is. If in doubt, reach out to your IT security team.
· Implement antivirus, anti-malware and intrusion detection systems on all computers
· Network security: take a multi-layered approach to network security and implement Zero Trust where possible.
As we mentioned earlier, social engineering plays heavily on human error; therefore, the most effective social engineering attack prevention method is education. Conducting regular cyber security training with your team can reduce the risk massively.
Our expert IT security team here at Total IT offers a range of smart security solutions that can help protect you and your building's systems.
We also offer security awareness training, which has been proven to help users become more aware of potential IT security risks and of ways to prevent data being compromised. This includes simulated phishing emails to train your users to become more alert and to recognise social engineering attacks before a real-life attack can occur.
For more information on how Total IT can help you and your building, book your free IT security consultation below.