Dr. Jane LeClair By Dr. Jane LeClair • October 20, 2017

How to Avoid Being Duped by Social Engineering Tricks

We’re only human. But that’s precisely the trait that makes us such an easy mark.

While cybersecurity hardware or software reflexively does what it’s programmed to do, human behavior isn’t nearly as mechanical. This can make us vulnerable to social engineering.

Social engineering is defined as a nontechnical method of intrusion hackers’ use that relies on human interaction. The tactic usually involves tricking individuals into breaking with routine security procedures.

In fact, four out of five of all cyberbreaches reported recently began with some aspect of social engineering and it is one of the greatest threats that organizations encounter today. Often, hackers have refined their techniques in exploiting online interactions to gain access to a company’s sensitive data, critical infrastructure or technological systems.  

So, how can you combat this and ensure your digital safety?

1. Beware of any email with which you are not familiar.

One of the primary ways that social engineers gain entry is for an employee to help them in by simply opening an email that contains malicious code.

2. Think and then act.

Social engineers will often try to contact an employee at an inopportune moment and try to rush them to do something before they have time to think.

3. Categorically reject any request for passwords or personal information.

'Acting' as a figure with authority, a social engineer will attempt to coerce an employee into providing information such as a password or other information that can be leveraged to gain higher access.

4. Do not download a file unless you are sure it is legitimate.

Never download a file unless they are positive it is from someone they know and trust. 

5. Know when to recognize social engineering.

In one example, an employee receives an email from ‘William Bayer’ whom he knows oversees firm’s HR department. ‘William’ informs Frank that his healthcare insurance policy requires all employees to view and accept the terms of the policy before the policy takes effect. It’s also conveyed that failing to do so could cause a loss of benefits. ‘William’ attaches a link for Frank to click on to access the form. Frank innocently clicks on the link and is directed to a bogus site where his computer uploads a virus. Hackers have obtained the name William Bayer from public information and tricked Thomas into possibly giving them access to the organizations’ human resources records based on this information. 

For employers, the best way to counter breaches by social engineering is through employee awareness training. Training should focus on making employees aware of social engineering, how to identify social engineering attempts and what they should do preemptively to forestall such attempts.

No cyberdefense is perfect, but by making it more difficult for hackers to gain entry, we can hopefully persuade them to move on to easier targets.

Dr. Jane LeClair

Written by Dr. Jane LeClair

Dr. Jane LeClair is the president of the Washington Center for Cybersecurity Research and Development, and consults on cybersecurity programming at Thomas Edison State University. She has previously served as the Chief Operating Officer for the National Cybersecurity Institute. Dr. LeClair holds an MS in Cybersecurity and an EdD in Adult Education.

Subscribe to the Thomas Edison State University Blog and get the latest updates delivered straight to your inbox.