How to Avoid Falling for a Social Engineering Attack

A brave writer from Wired wrote about how she fell for a social engineering attack built on what she dubs “an academic vanity honeypot” on Twitter. Virginia Heffernan describes the incident this way:

“Yes sirree, Lawrence Henry Summers was just casually DM-ing me, because, well, he’d read an article of mine and found it astute. And now Larry Summers wanted feedback from me on an article of his…

I was a new caliber of flattered; maybe inebriated.”

Her excellent article – seriously, go read it right after you finish this one – is refreshing and sobering, and we need more like it. You see, most people who fall for an online scam or social engineering attack hide in shame and keep the news as private as they possibly can for fear of looking foolish.

But the reality is that many, many people fall for these attacks. That’s why attackers keep using them to get what they want: it works.

No Shame, Just Learning

How can we learn from these mistakes unless we discuss them openly and transparently, without shame? There’s a longstanding trend in our industry to focus on attribution after a breach or hack happens. We want to know who did it. Was it a nation-state attack? Was it just some low-level attacker who bought some cheap, run-of-the-mill ransomware as a service (RaaS) online and got in through the front door by pure luck?

The problem is that the “whodunnit” isn’t really all that important. Sure, if you’re trying to get justice or you’re working with legal authorities, it makes sense to try to chase down who attacked you. But, as an industry, we need to refocus on how the attacks happened. In this case, Heffernan uses a heavy dose of self-deprecation to help teach Wired readers about how (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog