security Avoiding Social Engineering and Phishing Attacks

Future Sensors

Social Engineering (Wikipedia.org)

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

Avoiding Social Engineering and Phishing Attacks (CISA.gov)

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.


What is social engineering? Definition and Techniques To Watch For (Norton)

Most cybercriminals are master manipulators, but that doesn’t mean they’re all manipulators of technology — some cybercriminals favor the art of human manipulation.


Social Engineering (Imperva)

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Read more:
https://www.imperva.com/learn/application-security/social-engineering-attack/

9 Examples of Social Engineering Attacks (Terranova)

Examples of social engineering range from phishing attacks where victims are tricked into providing confidential information, vishing attacks where an urgent and official sounding voice mail convinces victims to act quickly or suffer severe consequences, or physical tailgating attacks that rely on trust to gain physical access to a building.

Read more:
https://terranovasecurity.com/examples-of-social-engineering-attacks/

Social Engineering in Cybersecurity: A Domain Ontology and Knowledge Graph Application Examples (research paper)


Social engineering has posed a serious threat to cyberspace security. To protect against social engineering attacks, a fundamental work is to know what constitutes social engineering. This paper first develops a domain ontology of social engineering in cybersecurity and conducts ontology evaluation by its knowledge graph application. The domain ontology defines 11 concepts of core entities that significantly constitute or affect social engineering domain, together with 22 kinds of relations describing how these entities are related to each other. It provides a formal and explicit knowledge schema to understand, analyze, reuse and share domain knowledge of social engineering. Furthermore, this paper builds a knowledge graph based on 15 social engineering attack incidents and scenarios.

7 knowledge graph application examples (in 6 analysis patterns) demonstrate that the ontology together with knowledge graph is useful to 1) understand and analyze social engineering attack scenario and incident, 2) find the top ranked social engineering threat elements (e.g. the most exploited human vulnerabilities and most used attack mediums), 3) find potential social engineering threats to victims, 4) find potential targets for social engineering attackers, 5) find potential attack paths from specific attacker to specific target, and 6) analyze the same origin attacks.


Read more (includes PDF download on destination page):
https://cybersecurity.springeropen.com/articles/10.1186/s42400-021-00094-6

Does Awareness of Social Engineering Make Employees More Secure? (research paper)

Social engineering has become one of the biggest security threats facing organizations. Rather than relying upon information security technical-related shortcomings to break into computer networks, social engineers make use of employees’ individual and organizational traits to deceive them. In such a scenario, it is crucial for organizations to ensure that their employees not only possess sound knowledge about information security but also about the concept of social engineering and threats emerging from social engineering attacks. This study aims to test whether awareness of social engineering can predict and explain individuals’ security-protective practices. We conducted a survey of 265 employees working in different organizations in Saudi Arabia. The results suggest that awareness of social engineering is a positive predictor of security-protective practices above and beyond the predictability power of possessing information security knowledge. Thus, to reduce the probability of potential consequences of social engineering attacks, our study suggests that organizations should not only strive to enhance employees’ security knowledge but should also invest in increasing employees’ awareness of social engineering.

Read more (PDF):
https://www.ijcaonline.org/archives/volume177/number38/aldawood-2020-ijca-919891.pdf

Protected Voices: Social Engineering (FBI.gov)

 