Social Engineering Trends and Prevention
A social engineering backgrounder and a how-to for preventing yourself from becoming the next victim. Special emphasis is placed on the simplicity and ease with which various social engineering countermeasures and preventive measures can be implemented, without requiring a degree in rocket science.
From the social engineer's perspective, the big plus in scenarios where they pose as a newcomer is that they can make multiple mistakes during their enquiries without immediately setting off alarm bells. Even the organization's more experienced employees will jump to the false conclusion that an error-riddled request is simply due to the newcomer's inexperience.
Email Spoofing – Some social engineers masquerade as an employee, such as a help desk technician, and send emails to bona fide employees from spoofed accounts whose addresses closely resemble the ones your organization uses as standard practice. There will, however, be subtle differences that give them away. The easiest of these to check is the domain part of the sender's email address (the part after the @), not just the display name shown by your mail client.
Suppose your organization's accounts follow the naming convention name@blogs.com and the email requesting information from you comes from name@blog.com. In that case you should be hearing those alarm bells again. Check the actual address, not the friendly name in front of it, and check any Reply-To address as well, since a reply goes there rather than to the address you were shown. Note that the reverse is not a guarantee: a From header can be forged outright, so a correct-looking domain alone does not prove the message is genuine.
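The check described above, as an added example that is not part of the original article: parse a message's From and Reply-To headers, compare the sender domain against the organization's own domains, and flag near-miss lookalikes (such as blog.com against blogs.com) by edit distance. The allowed-domain list, the distance threshold and the three sample messages are constructed for this example; the article's own example domain blogs.com is used as the legitimate one.

```python
"""Sender-domain lookalike check (added example, not from the original article).

Assumptions made for the example: the organization's genuine mail domain is
blogs.com (taken from the article), lookalikes within edit distance 2 are
treated as suspicious, and the three messages below are constructed samples.
"""
from email import message_from_string
from email.utils import parseaddr

ALLOWED_DOMAINS = {"blogs.com"}  # assumed: the organization's real mail domain(s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value: str):
    """Return (display name, domain) for an address header, domain lower-cased."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(raw_message: str, allowed=ALLOWED_DOMAINS, max_distance=2) -> dict:
    """Inspect From/Reply-To and report why the sender looks suspicious, if it does."""
    msg = message_from_string(raw_message)
    from_name, from_dom = split_address(msg.get("From", ""))
    _, reply_dom = split_address(msg.get("Reply-To", ""))
    reply_dom = reply_dom or from_dom  # no Reply-To means replies go to From
    findings = []

    if from_dom not in allowed:
        nearest = min(allowed, key=lambda d: levenshtein(from_dom, d))
        dist = levenshtein(from_dom, nearest)
        if dist <= max_distance:
            findings.append(f"lookalike domain {from_dom!r} (edit distance {dist} from {nearest!r})")
        else:
            findings.append(f"external domain {from_dom!r}")

    # Display name that itself looks like an internal address: the client shows the
    # name, the real address is something else.
    _, name_dom = split_address(from_name)
    if name_dom in allowed and from_dom not in allowed:
        findings.append(f"display name {from_name!r} impersonates an internal address")

    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real traffic).
GENUINE = """From: Help Desk <helpdesk@blogs.com>
To: name@blogs.com
Subject: Password expiry

Your password expires in 3 days; change it via the usual self-service portal.
"""

LOOKALIKE = """From: Help Desk <helpdesk@blog.com>
To: name@blogs.com
Subject: Urgent: confirm your logon

Please reply with your account name and password so we can re-enable access.
"""

DISPLAY_NAME_SPOOF = """From: "helpdesk@blogs.com" <it-support@mail-secure.example>
Reply-To: collector@free-mail.example
To: name@blogs.com
Subject: Mailbox quota exceeded

Reply to this message with your credentials to restore your mailbox.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                          ("display-name spoof", DISPLAY_NAME_SPOOF)):
        result = classify_sender(sample)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The edit-distance threshold is deliberately small: a lookalike that is one or two characters off (a dropped letter, a swapped letter pair, an extra "s") is what an attacker relies on a reader not noticing, while a wholly unrelated external domain is simply reported as external so the reader can judge it on its own merits.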
It is often through subtle techniques such as these that social engineering delivers considerable quantities of information to the attacker, including sensitive personally identifiable information and credentials such as user logon account names and passwords.
In Summary
Social engineering is the art of deception, designed to fool you into supplying an attacker with pieces of information that you would not normally disclose.
Many social engineers are incredibly skilled at asking questions that extract information while hiding their true motives and the outcome they want from the situation. They are equally skilled at answering any questions you may ask while divulging very little about themselves for the duration of the dialogue.
They are also generally very adept at crafting and sending emails that look so authentic that many users will not take the time to examine them closely enough to detect the small yet essential deviations in the message and in its header information (the source and reply addresses, for example). The result is that users are duped into divulging private information to parties whose identity has never been verified.
As a rule of thumb, whenever you are asked questions of a nature that makes you uncomfortable, immediately bring the call or message to the attention of the appropriate authority: security personnel, IT or network security staff, your immediate superior, or some other higher-ranking manager or executive.
C Jordan
On January 22, 2009 at 12:13 pm
A very informative article