GUEST ESSAY: Repelling social engineering attacks requires shoring up the weakest link: humans

By Cynthia Lopez

The problem with social engineering attacks is that they capitalize on the weakest link on any computer or network system: You! Avoiding social engineering attacks requires you to understand what they are and how they work.


Social engineering attacks human psychology rather than software, using deception and manipulation. Attackers know that people are:

•Easily distracted. People rarely inspect a link before clicking it when the e-mail appears to come from someone they trust: their bank, an online service they use, or their boss.

Trading on that trust, the attacker can get them to hand over passwords or confidential company information, because they never verified the link, or the sender, before clicking. A common trick is a look-alike sender domain that differs from the real one by a single character, such as the number 1 in place of the letter l.

•Forgetful. Not every social engineering attack arrives by e-mail; some come from plain theft. Many people read work e-mail and other office material on their phones, and they save the password so the mailbox stays logged in. If that phone is left in a taxi or another public place, whoever picks it up is a few taps away from the company's secrets.

•Curious. Sometimes the social engineer uses the modern equivalent of the Trojan horse: an infected flash drive left where a well-meaning person will find it. Out of curiosity, or simply to return it to its owner, the finder plugs it into a computer and the malware goes to work.

Templated attacks

The good news is that social engineering attacks usually follow a template or pattern. To spot them, you must understand how they work and stay informed about new threats and attack methods.

Make it a habit to check the sender's actual e-mail address, not just the display name, and to look at where a link really points before clicking it. Check that the site uses HTTPS, but treat that as a minimum rather than proof of legitimacy: a phishing site can present a perfectly valid certificate for its own look-alike domain, so the name in the address bar still has to be the right one.

If someone in your company asks for sensitive files or data by e-mail, a quick phone call to a number you already know, or a visit to their desk, confirms that the request really came from them. Do not verify by replying to the e-mail or by calling a number the e-mail itself supplies.

Lastly, if you find a flash drive and do not know what it is or where it came from, do not plug it into your computer.
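The sender and link checks above, worked through as an added example; this is not code from the essay or its author. It is Python with a constructed trusted-domain list and constructed sample addresses and links. It folds a short, illustrative table of look-alike characters (1 for l, 0 for o, rn for m) so that a twin domain compares equal to the real one, flags a trusted name buried inside a longer attacker hostname, and compares the text a link shows against where it actually goes. The two-label registrable-domain rule is an assumption for the example; real code would consult the Public Suffix List.

```python
"""Sender and link checks for e-mail triage (added example with constructed data)."""
from urllib.parse import urlparse

# Characters attackers swap for look-alikes. Constructed, illustrative table;
# real confusable lists (e.g. Unicode TR39) are far longer.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Constructed allow-list: domains this organisation actually trusts.
TRUSTED = {"examplebank.com", "corp.example"}


def normalize(label: str) -> str:
    """Fold visually similar characters so examp1e and exarnple both equal example."""
    label = label.lower().translate(CONFUSABLE_CHARS)
    for pair, target in CONFUSABLE_PAIRS:
        label = label.replace(pair, target)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (mail.examplebank.com -> examplebank.com).

    Assumption for this example only: two labels suffice. Production code should
    consult the Public Suffix List so that suffixes such as co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, trusted: set[str] = TRUSTED) -> str:
    """'trusted' on exact match, 'lookalike:<name>' for a confusable twin or a
    trusted name buried in a longer hostname, otherwise 'unknown'."""
    host = host.lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for name in trusted:
        if normalize(domain) == normalize(name):      # examp1ebank.com
            return f"lookalike:{name}"
        if f".{name}." in f".{host}":                  # examplebank.com.evil-host.net
            return f"lookalike:{name}"
    return "unknown"


def check_sender(address: str, trusted: set[str] = TRUSTED) -> str:
    """Classify the domain of a From header, ignoring the display name."""
    if "<" in address:                   # "Example Bank <alerts@examp1ebank.com>"
        address = address.rsplit("<", 1)[1].rstrip("> ")
    _, sep, host = address.rpartition("@")
    return classify_domain(host, trusted) if sep and host else "unknown"


def check_link(display_text: str, href: str, trusted: set[str] = TRUSTED) -> list[str]:
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append(f"scheme is {target.scheme or 'missing'}, not https")
    verdict = classify_domain(host, trusted)
    if verdict != "trusted":
        reasons.append(f"target domain {host} is {verdict}")
    # If the visible text itself looks like an address, it must match the real target.
    text = display_text.strip()
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


if __name__ == "__main__":
    # Constructed samples, as they might appear in a suspicious message.
    for sender in ("alerts@examplebank.com",
                   "Example Bank <alerts@examp1ebank.com>",
                   "it-helpdesk@examplebank.com.evil-host.net",
                   "offers@randomshop.net"):
        print(f"{sender:45} -> {check_sender(sender)}")
    for text, href in (("https://examplebank.com/login",
                        "http://examplebank.com.secure-login.example/login"),
                       ("examplebank.com", "https://exarnplebank.com/"),
                       ("Sign in", "https://mail.examplebank.com/signin")):
        print(f"{text!r} -> {href}: {check_link(text, href) or ['no issues found']}")
```

Note what the HTTPS test alone misses: exarnplebank.com served over https passes the scheme check and is caught only by the domain comparison, which is the point made above about the padlock being a minimum rather than proof.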

Company protection

Simple best practices can effectively neutralize most social engineering attacks and strengthen your company’s security posture. Here’s where to start:

•Education and training. Humans are the weakest link when it comes to social engineering attacks, but they can also be your biggest security asset. Train your employees to spot attempts, and give them tools that help them detect the deception.

•Robust rules. Write clear company policies that make the social engineer's job harder: acceptable-use guidelines for e-mail and computers, and a defined procedure for verifying requests for sensitive data. Back them with technical controls: e-mail and spam filters, anti-virus software and firewalls.

•Check and verify. Monitor accounts and systems for activity that is abnormal for the employee concerned. A workstation that suddenly moves unusually large volumes of data, or a mailbox that sends mail the employee could not have sent, is a sign that an account or machine has been compromised.

To keep your company's sensitive data safe from social engineering attacks, it is vital to implement these practices and keep your employees informed.

About the essayist: Cynthia Lopez is the managing editor at Watchdog Reviews. She’s been writing about tech-focused topics and trends since 2014.
