5 simple ways you can mitigate social cyber threats

Social threats like identity theft, social engineering, phishing, vishing, smishing, scams, cons, doxing and spam emails can be mitigated with security controls to protect you and your business.

You can divide these security controls into two categories. The first is for an individual to adapt their online behaviour. This means altering one's actions to safer ones, such as not downloading an unexpected email attachment.

Behavioural changes depend on people never making mistakes, which is unfortunate for creatures of habit who grow more forgetful with age: one's ability to recollect goes down and proneness to error goes up. What's that old saying? You can lead a horse to water but you can't stop it downloading email attachments? Something along those lines. Don't send a horse to protect your IT infrastructure anyway. They clearly lack the dexterity for it.

The second type of control is a technical one, like sandboxing your email client or browser. Implementing both behavioural and technical controls to protect us against social threats ensures we're deploying defence in depth. This way we have layered both forms of security control to protect us.

Here are 5 behavioural changes you can make to protect yourself from these threats.


1. If you did not request it, always be suspicious of it.

Do not respond to it. Be immediately suspicious. This includes your emails, SMS, telephone calls, messages, things popping up on your screen and messages in messaging apps. Some of the messages you receive can be very enticing and seem legitimate, but if you didn't request it or weren't expecting it, consider it suspicious. If you have subscribed to an email list, then you are expecting the emails, so that is fine. However, if you suddenly get an email you never requested, then it should immediately be considered suspicious.


2. Never download and run any file you don't 100% trust.

Especially not if you've been sent it via a link or via an attachment in an email you did not expect. All email attachments should be considered suspicious and should be put through some technical controls that we'll detail later, so don't run attachments and files that you don't 100% trust.


3. Never enter sensitive information after following a link or pop-up.

Never enter things like usernames, passwords or personal information after following a link or pop-up. Always, always go to the site by typing the URL into the browser yourself. In fact, these days, companies shouldn't be sending out links by email asking you to log in and enter personal information. You will find that companies that understand security do not do this anymore; they ask you to go to the site and log in without providing a link. They tell their users that they never send out links, because they want to train their users out of receiving links in emails and clicking through to their site. So never enter usernames, passwords or personal information after following a link. Go to the site yourself, entering the URL yourself in the browser.


4. Validate the link.

If you read How to tell if a website is attacking you, you now know how links are manipulated. Check to see whether a web link uses any of those attack types and link manipulation techniques. What is the top-level domain, and which registered domain does the link actually point at?
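The check above, worked through in code as an added example (this is not the author's script or anything from Station X): it pulls the domain a link really points at out of the URL and flags the common manipulation patterns, such as a fake brand placed before an "@", a brand name buried in a subdomain, a raw IP address, punycode look-alike hosts and plain http. The two-level suffix set and the watched brand names are small constructed lists used only to make the demo self-contained; a real tool would use the full Public Suffix List. The sample links are constructed for the demo.

```python
"""Educational link inspection: find the domain a link really points at and
flag common link manipulation patterns. Added example, not the author's code."""
from urllib.parse import urlsplit
import ipaddress

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Constructed brand names, used to spot "brand in the wrong place" tricks.
WATCHED_BRANDS = {"paypal", "microsoft", "hmrc"}

# Constructed sample links that exercise each check.
SAMPLE_LINKS = [
    "https://www.example.co.uk/account",
    "https://www.paypal.com@evil.example/login",
    "https://secure-login.paypal.com.accounts.evil.example/signin",
    "http://203.0.113.5/login",
    "https://xn--pypal-4ve.example/",
]


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname its owner actually registered,
    i.e. the label just left of the public suffix plus the suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """Break a URL down and list the manipulation patterns it shows."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    netloc = parts.netloc.lower()
    flags = []

    if parts.scheme != "https":
        flags.append("not https")

    # Anything before '@' is userinfo, not the site; browsers discard it.
    if parts.username is not None:
        flags.append("userinfo before host: text before '@' is not the site")

    # A bare IP address has no registered domain to judge at all.
    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address")
        return {"host": host, "registrable_domain": host, "flags": flags}
    except ValueError:
        pass

    # xn-- labels are punycode: the displayed name may use look-alike glyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode/IDN host: may be a look-alike domain")

    reg = registrable_domain(host) if host else ""

    # Many labels left of the registered domain is a classic way to push
    # the real domain out of sight in a narrow address bar.
    if host.count(".") - reg.count(".") >= 2:
        flags.append("deeply nested subdomain")

    # A brand name anywhere except the registered domain is a red flag.
    for brand in sorted(WATCHED_BRANDS):
        elsewhere = brand in netloc or brand in parts.path.lower()
        if elsewhere and brand not in reg:
            flags.append(f"'{brand}' appears outside the registered domain")

    return {"host": host, "registrable_domain": reg, "flags": flags}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = inspect_link(link)
        verdict = ", ".join(result["flags"]) or "no manipulation patterns seen"
        print(f"{link}\n  really points at: {result['registrable_domain']}\n  {verdict}")
```

Running the script prints, for each sample link, the registered domain it really points at and the patterns found. The point for a reader is the order of checks: strip userinfo first, then decide whether there is a domain to judge at all, and only then read the domain from the right-hand end of the hostname, because that is the end the attacker cannot choose.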


5. Minimise personal information disclosure.

I went over this in How to apply solid defences against social attacks, but with reference to threats posed against you individually, a valid defence is to minimise the personal information you give out online. By doing so, you reduce the risk. You're less of a target when you limit how much personal information you disclose, and you preserve your privacy as a result. Minimising your registrations and finding alternatives to providing information on registration makes you more secure and lessens your online attack surface.

If hackers don't know you exist and your email address, phone numbers and messenger IDs are not available, how can they attack you? Email addresses, phone numbers or messenger IDs posted in forums or anywhere online are gathered by automated scanners. This is how you end up on a hacker's hit list as an automatic target for phishing attacks, scams, cons, spam, or whatever else is the latest social attack.

[Reference: Nathan House, Station X]

Huw Tremlett

Data Management Consultant