Network Security: Social Engineering and Phishing

Network security has many facets, but the hardest part of a system to secure is often not the hardware or software but the users. People do their best to maintain security and tend to think they would never be the ones to share personal or security information, yet imposters can trick them into revealing it in ways they would not expect. With tactics like social engineering and phishing becoming more prevalent all the time, securing systems is getting harder.


Social Engineering

Social engineering is tricking or manipulating a user in order to obtain information, such as login or security details, needed to access a system. This tactic is commonly used to gain system access, though it is increasingly being used to steal personal and even financial data as well. Social engineering tactics often use “psychological manipulation to trick users into making security mistakes or giving away sensitive information” (Carnegie Mellon University, n.d.). Perpetrators count on being able to make their victims feel afraid, curious, or even excited so that they participate in the scheme. This is often seen in banking today with social engineering scams such as kidnapping and romance scams. Many victims have fallen prey to threats that a family member will be hurt or kidnapped unless they urgently send funds or security information, only to find out that the family member has no idea what they are talking about and has been safe all along. Perpetrators using this scam count on victims being too afraid and too caught up in the urgency of the situation to stop and verify things with their loved ones. On the other side of the emotional spectrum, victims of romance scams breach their own security by giving access to people they believe they are in love with. These scams involve a perpetrator pretending to be a significant other in order to gain access to information or money. While people can be vulnerable to many types of manipulation like this, training employees to be on the lookout for such scams can make a big difference in overall system security.


Phishing

Social engineering often relies on having a specific target in mind. In many cases, however, perpetrators seeking access to systems do not know who the users are or whether the victim they are targeting will have access. So a perpetrator who sends thousands of people an email containing a link disguised as legitimate, which actually installs a virus that records every keystroke to capture passwords, is bound to get a few usable hits. This is phishing: providing links that appear to lead to legitimate companies or websites but turn out to be malicious. These emails can appear to come from trusted institutions such as legitimate businesses or even internal company departments. They usually include logos, formal language, and seemingly genuine email addresses to make the message feel authentic. Once a user clicks the link or downloads an attachment, malware can be installed, or the user may be directed to a fraudulent site where they unknowingly hand over sensitive data. As with social engineering, education and awareness are the best defense against phishing. By training users to recognize suspicious emails, verify sources before clicking links, and report anything unusual, organizations can reduce the chances of a successful phishing attack and strengthen overall cybersecurity.
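As an added example (not part of the original post), a small Python checker that applies the verification advice above to a constructed message: it flags a display name that borrows a trusted brand while the address domain differs, a link whose visible text shows one domain while its href points elsewhere, and urgency wording. The brand-to-domain table and the sample message are assumptions made for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a phishing-style message; not a real email.
SAMPLE_FROM = '"Example Bank Security" <alerts@example-bank-verify.com>'
SAMPLE_HTML = (
    '<p>Your account is locked. Sign in at '
    '<a href="http://login.example-bank-verify.com/auth">https://www.example-bank.com/login</a>'
    ' within 24 hours.</p>'
)

# Assumed table: brand names and the domains that legitimately send mail for them.
TRUSTED_BRANDS = {"example bank": {"example-bank.com"}}
URGENCY_WORDS = ("locked", "urgent", "immediately", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Reduce 'login.example-bank.com' to 'example-bank.com' (naive: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_findings(from_header: str) -> list:
    """Flag a display name that claims a brand while the address domain belongs to someone else."""
    name, addr = parseaddr(from_header)
    domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    return [f"display name claims '{brand}' but address domain is {domain}"
            for brand, good in TRUSTED_BRANDS.items()
            if brand in name.lower() and domain not in good]


def link_findings(html: str) -> list:
    """Flag anchors whose visible text shows one domain while the href goes to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = registered_domain(urlparse(href).hostname or "")
        shown = urlparse(text.strip()).hostname  # None when the text is not a URL
        if shown and registered_domain(shown) != target:
            findings.append(f"link text shows {registered_domain(shown)} but points to {target}")
    return findings


def urgency_findings(html: str) -> list:
    """Flag pressure wording after stripping tags from the body."""
    lowered = re.sub(r"<[^>]+>", " ", html).lower()
    return [f"urgency cue: '{w}'" for w in URGENCY_WORDS if w in lowered]


def analyze(from_header: str, html: str) -> list:
    """Combine the checks; an empty list means nothing suspicious was found."""
    return sender_findings(from_header) + link_findings(html) + urgency_findings(html)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FROM, SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
```

These checks are heuristics: a clean result does not prove a message is safe, and a user who is unsure should still verify the sender through a known-good channel.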


Conclusion


Today, the most significant vulnerabilities in network security often stem from people rather than technical flaws. Social engineering and phishing schemes prey on emotions and trust, making users the first line of defense and often the weakest link. By fostering a culture of awareness, continuous training, and caution, individuals and organizations can better protect themselves from these ever-evolving threats and contribute to a more secure network overall.

References

Carnegie Mellon University. (n.d.). Social Engineering - Information Security Office - Computing Services - Carnegie Mellon University. https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html
