“Web3 companies can prepare for Social Engineering attacks by ensuring that they implement all the most basic security measures - strong passwords with multi-factor authentication, cold Discord admins (and other good Discord security measures), cold wallets, proper delegation of authority and least privilege, and OS/device based security” - Rick Deacon, Interlock CEO
What is Social Engineering and how does it work?
Social Engineering is a type of cybersecurity attack that relies on human interaction to trick users into revealing confidential information or granting access to systems and data. In the case of the crypto world, this is generally done in order to steal cryptocurrencies. Attackers use a variety of techniques–such as phishing emails, texts, or phone calls–to lure victims into divulging sensitive information or downloading malware. As obvious as it may sound, the best countermeasure against social engineering is educating employees.
Why do cyber attackers commonly use Social Engineering attacks?
Social Engineering attacks are becoming more common and more sophisticated, which makes it important for organizations to educate their employees about how to recognize and defend against them. In this article, we discuss how to protect against social engineering scams. By creating a Social Engineering policy and providing training on best practices, organizations can help protect themselves from these attacks.
When it comes to the art of manipulating, influencing and deceiving, there are numerous reasons why hackers and scammers turn to it. First off, this technique in particular has proven to be extremely effective.
In the Verizon Data Breach Investigations Report (DBIR) for 2022, it was found that 82% of cybersecurity breaches recorded in the DBIR involved the human element. “This puts the person square in the center of the security estate with the Social Engineering pattern capturing many of those human-centric events,” the report said.
The end goal is almost always financial: 89% of the Social Engineering breaches in the report were motivated by money, while the remaining 11% were attributed to espionage.
The most common Social Engineering attacks
There are a few different types of Social Engineering attacks, and the most common are phishing and pretexting.
Phishing, of course, is the king of these scams, accounting for over 60% of the Social Engineering breaches recorded in the report. Phishing is a type of attack that uses email or other means of communication (such as SMS, messaging apps or social media platforms) to trick victims into revealing confidential information or clicking on links that install malware. Attackers will often pose as a legitimate organization or person in an attempt to gain trust and lure victims into divulging sensitive information. Usually, a sense of urgency is imposed.
Pretexting (27%) is another type of Social Engineering attack that uses deception to obtain private information. The attacker will create a false identity or scenario in order to convince the victim to divulge sensitive information. For example, an attacker may pose as a researcher conducting a survey or a bank representative in order to collect personal information from victims. This usually includes some form of dialogue in order to gain the trust of the victim.
How can you protect yourself from Social Engineering?
There are several ways to detect a Social Engineering attempt and avoid falling victim to it:
- Be suspicious of any unsolicited communication, even if it appears to come from a legitimate source.
- If you receive an email from an organization you don’t recognize, do not click any links or open any attachments in it.
- If you receive a call from someone claiming to be from customer service, do not give out personal information on that call. Hang up and call back on the number published on the company’s official website; the number shown on your phone can be hidden or spoofed.
- Pay attention to grammatical mistakes and odd phrasing in messages, but do not treat polished writing as proof of legitimacy.
- Read URLs carefully. Check the actual domain of the link (the part just before the first slash), not the link text, and compare it with the addresses the company publishes. Lookalike domains and brand names used as subdomains of an unrelated domain are common tricks.
- It’s also important to be aware of what information is publicly available about you and your organization. Attackers use this information to craft more believable phishing emails and pretexts. Limit what is made public to what is necessary, and use strong, unique passwords and multi-factor authentication on all online accounts.
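The URL check from the list above, written out as an added example (this is not code from the article or from any product it mentions). It assumes a hypothetical trusted-domain list standing in for the addresses a company publishes, and it relies on the browser’s own URL parser, which converts Unicode hostnames to punycode, so homoglyph domains show up as labels starting with `xn--`:

```javascript
// Added example, not code from the article or from any product it mentions.
// Checks a link the way the checklist above tells a reader to: does the text
// match the target, is the real host a known company domain, and are any of
// the usual tricks present (userinfo before "@", raw IP, punycode, plain http).

// Hypothetical allowlist standing in for the domains a company publishes.
const TRUSTED_DOMAINS = new Set(["example-exchange.com", "example-wallet.io"]);

// Registrable domain = last two labels. Adequate for the hosts used here; for
// suffixes such as "co.uk" a real implementation consults the Public Suffix List.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Link text that looks like a URL or bare domain, so a mismatch is meaningful.
const LOOKS_LIKE_URL = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i;

// Returns { verdict: "ok" | "suspicious", findings: [...] } for one link.
function checkLink(displayText, href) {
  const findings = [];
  let url;
  try {
    url = new URL(href); // the WHATWG parser turns Unicode hosts into xn-- labels
  } catch {
    return { verdict: "suspicious", findings: ["target is not a parseable URL"] };
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol !== "https:") findings.push(`scheme is ${url.protocol} not https:`);
  if (url.username || url.password) findings.push("userinfo before @ hides the real host");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("punycode label: possible homoglyph domain");
  }

  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    findings.push("raw IP address instead of a company domain");
  } else {
    const reg = registrableDomain(host);
    if (!TRUSTED_DOMAINS.has(reg)) {
      findings.push(`registrable domain ${reg} is not on the trusted list`);
      // Brand name reused as a subdomain or inside a lookalike domain.
      for (const trusted of TRUSTED_DOMAINS) {
        const brand = trusted.split(".")[0];
        if (host.includes(brand)) findings.push(`"${brand}" appears inside untrusted host ${host}`);
      }
    }
    // What the reader sees vs. where the link actually goes.
    const shownText = (displayText || "").trim();
    if (LOOKS_LIKE_URL.test(shownText)) {
      const shown = new URL(/^https?:\/\//i.test(shownText) ? shownText : `https://${shownText}`);
      const shownHost = shown.hostname.toLowerCase();
      if (registrableDomain(shownHost) !== reg) {
        findings.push(`link text shows ${shownHost} but target is ${host}`);
      }
    }
  }
  return { verdict: findings.length ? "suspicious" : "ok", findings };
}

// Constructed sample links (none of these are real sites).
const SAMPLES = [
  ["https://app.example-exchange.com/login", "https://app.example-exchange.com/login"],
  ["example-exchange.com/verify", "https://example-exchange.com.verify-account.co/"],
  ["Claim your airdrop", "https://example-exchange.com@203.0.113.7/"],
  ["Support portal", "https://xn--80ak6aa92e.com/"], // valid punycode for an all-Cyrillic lookalike host
  ["Reset password", "http://203.0.113.7/reset"],
];

for (const [text, href] of SAMPLES) {
  const { verdict, findings } = checkLink(text, href);
  console.log(`${verdict.padEnd(10)} ${href}`);
  for (const f of findings) console.log(`           - ${f}`);
}
```

Only the first sample comes back clean; each of the others trips at least one of the checks a careful reader would apply by eye. The same host-level logic is what a link-checking tool automates, but no tool replaces looking at the domain yourself before signing a transaction or entering a seed phrase.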
As another article points out, “phishing uses fear and urgency to their advantage, pretexting relies on building a false sense of trust with the victim.” In a previous article, we also highlighted what you should do if you fall victim to such phishing scams, including how to report an attack.
How to create a Social Engineering policy for your project or organization
Creating a Social Engineering policy for your organization can help to protect against these attacks. Some of the elements that should be included in a Social Engineering policy are:
- A definition of Social Engineering and how it works
- Examples of common attacks
- Information on how to avoid falling victim to an attack
- Procedures for reporting suspicious activity
By including these elements in a Social Engineering policy, organizations can help their employees to better understand and mitigate these threats.
What is the primary countermeasure to Social Engineering?
Education. Social Engineering has run riot, and the most reliable way to blunt it is to educate yourself and the people in your crypto project or business.
Tips for training employees about Social Engineering threats
There are proven methods for understanding and reducing Social Engineering attacks, especially in the workplace. Some tips for training employees about Social Engineering threats:
- Educate employees about what Social Engineering is and how attackers use it to target victims.
- Teach employees to spot red flags that may indicate a Social Engineering attack, such as unexpected requests for confidential information or strange emails purporting to be from a trusted source.
- Encourage employees to report any suspicious activity to the IT department or security team.
- Provide regular reminders and refresher training on Social Engineering threats.
- Point to further reading: there are a number of excellent resources on Social Engineering, including tips from social engineering and cyber security experts.
- Make sure the training covers the basics: Social Engineering is a type of attack that relies on human interaction to trick users into revealing confidential information or granting access to systems and data, and it can be carried out through phishing emails, phone calls, messages through work messaging apps, and more.
- Invite trained cybersecurity experts to explain what Social Engineering is and, more usefully, why it matters to the audience: to keep them from being robbed and the company from being hacked. Cybersecurity might seem boring, but trust us, it is better to take the time to prevent a breach than to live through the alarm of one. Start preventing it now.
By creating a Social Engineering policy and providing training on best practices, organizations can help to protect themselves from these attacks, hacks, and scams which can prove to be costly. Remember the mantra: Prevention is better than cure – and less expensive.
Social Engineering and Web3 projects
When it comes to securing Web3 companies, Interlock CEO Rick Deacon had his own say about this. “Web3 companies can prepare for Social Engineering attacks by ensuring that they implement all the most basic security measures - strong passwords with multi-factor authentication, cold Discord admins (and other good Discord security measures), cold wallets, proper delegation of authority and least privilege, and OS/device based security,” Deacon said.
“Examples of good OS/device security are browser protection and anti-malware. Most importantly, they need good methods to protect against phishing.”
Interlock’s browser extension will protect against Social Engineering attacks
You can also use third-party apps and Social Engineering software to protect against Social Engineering attacks (though we recommend not relying entirely on them). At Interlock, we are working on a uBlock-based browser extension that will serve as a Social Engineering toolkit for clone websites and other types of malicious links that you need to be aware of. In essence, it will help to block one of the most popular malware and Social Engineering vectors: phishing attacks.
“Interlock's enterprise browser extension blocks phishing attacks, unwanted websites, and dangerous content. The way it works is by using sandboxing and real-time threat detection to prevent Social Engineering attacks from occurring,” Deacon said.
He also noted that the same enterprise grade product will become available for everyone, “meaning the clients and users of web3 companies can also stay protected in the same manner - but with incentives. Interlock's goal is to secure DeFi and Web3 from the inside out.”
The browser extension would use the $ILOCK token; more information on how it will work for both consumers and enterprises can be found at this link.
As the world becomes more attuned to crypto, it is hard not to see Social Engineering shifting from Web2 into Web3. We must not ignore this; we must act to prevent these attacks from happening.