How to Stop a Social Engineering Attack
July 27, 2020 by Becky Metivier
Human beings are trusting by nature, making us vulnerable to social engineers. Here are four simple tricks you can use to defeat a social engineering attack.
#1 Can I call you back?
This simple phrase can stop a social engineering attack over the phone immediately. Most of the time, when asked, the attacker just hangs up. Of course, if they do give you a phone number, be sure to Google the number to ensure it's a legitimate organization before calling back.
This is also a recommended practice for IT help desks at large organizations, where personal knowledge of the staff and voice recognition are nearly impossible. Calling the IT person back provides the required verification before giving them access to your system.
#2 Did I initiate this?
This trick works for stopping both phishing email and phone pre-texting attacks. If you receive an email, ask yourself, "Did I initiate this communication?" If the answer is no, don't click the link or provide any information. If you did initiate the communication, and it's a legitimate company or individual, then you can respond.
For example, you sign up for mobile banking on your bank's website and immediately receive an email to verify your email address. Since you initiated it, it's OK! But, if you get an unsolicited email from your bank saying there is a problem with your account, don't click! Call the bank directly to verify before doing anything.
The same goes for phone calls. If you call the IRS and they ask for your social security number, it's okay to give it to them because you initiated the call. However, if the IRS calls you and asks for your social security number, the answer is, "Can I call you back?" because you didn't initiate the call.
There is no such thing as innocuous information when you're providing information to an unsolicited email or phone call.
#3 Forward Slash, Two Dots Back
It's fairly easy to create a fraudulent web site with a URL that looks deceptively similar to the real one. But you can't be tricked by it if you use the "Forward Slash, Two Dots Back" formula to determine the actual domain of the website you are visiting. Getting familiar with this rule protects you from the deceptive URL constructions that fraudsters put up to mislead you.
It's easy: go to the first forward slash, count two dots back, and there you find the real domain.
Here are a few real-world examples of fraudulent websites.
www.aa.airlineaamemebers.com/seat/us - At first glance, this appears to be a legitimate site because American Airlines' URL, www.aa.com, is included. However, following the "Forward Slash, Two Dots Back" rule, we see that the actual website is airlineaamemebers.com. Plus, it has a misspelled word – there is an extra "e" in member. This link isn't taking you to the legitimate American Airlines' website.
www.twitter.com.mx/communicate/tweet/current - Again, this seems like a legitimate Twitter link; however, our rule shows the actual domain is com.mx. This link will not take you to a legitimate Twitter site.
login.all09.info/www.ebay.com/buyer/seller - In this URL, www.ebay.com is included in an attempt to trick you into thinking it's legitimate. But www.ebay.com is just a folder name in the path. Using the rule, we can see that all09.info is the actual domain.
www.amazone.com - Misspelling a real domain name is another favorite trick of social engineers.
The trick here is to always be aware of the websites you are visiting.
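The rule above is mechanical enough to write down as code. The following is an added example, not part of the original article: it applies "Forward Slash, Two Dots Back" to the article's own sample URLs using Python's standard-library URL parser, and adds one refinement a practitioner would want. When the last two labels are themselves a shared suffix such as com.mx or co.uk, the site owner controls three labels, so the code also computes that longer "registrable" domain. The suffix list here is a constructed placeholder with four entries; a real tool would consult the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of two-label public suffixes.
# A real implementation should load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"com.mx", "co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """Return the host part of a URL: everything before the first forward slash."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only recognises the host when a scheme is present
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def two_dots_back(url: str) -> str:
    """The article's rule: go to the first forward slash, count two dots back."""
    labels = hostname_of(url).split(".")
    return ".".join(labels[-2:])


def registrable_domain(url: str) -> str:
    """Refinement: if the last two labels are a public suffix (com.mx, co.uk, ...),
    the part the site owner actually controls is three labels long, not two."""
    labels = hostname_of(url).split(".")
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.
    Substrings elsewhere in the host or path (www.ebay.com as a folder) do not count."""
    host = hostname_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    # The first four URLs are the article's fraudulent examples; the last is a
    # constructed legitimate one for comparison.
    checks = [
        ("www.aa.airlineaamemebers.com/seat/us", "aa.com"),
        ("www.twitter.com.mx/communicate/tweet/current", "twitter.com"),
        ("login.all09.info/www.ebay.com/buyer/seller", "ebay.com"),
        ("www.amazone.com", "amazon.com"),
        ("https://www.aa.com/reservation", "aa.com"),
    ]
    for url, expected in checks:
        print(f"{url:48} two-dots-back={two_dots_back(url):22} "
              f"registrable={registrable_domain(url):18} "
              f"really {expected}? {looks_like(url, expected)}")
```

Note that looks_like only ever inspects the host, which is why the www.ebay.com folder in the all09.info example does not fool it, and why the misspelled amazone.com fails the check even though it is visually close to the real thing.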
#4 Am I expecting this?
When you receive an attachment unexpectedly, you should always treat it with suspicion. If your role requires you to open unexpected attachments, it's best practice to scan the attachment with anti-virus software prior to opening it. If your role does not require you to receive unexpected attachments, you should just delete them.
Mindful use of the internet and using these four simple tricks can make you a powerful force against a social engineering attack.