How to boost your social engineering awareness

Isolation isn’t the answer

Humans are social beings. We can't hide from society, and so we can't hide from social engineering.

Some analysts, commentators, and futurists have wondered whether the often-frightening direction of travel - increasingly sophisticated cybercrime, deepfakes, and so on - might compel some of us to seek a life off grid.

But the inherent social nature of human beings makes complete isolation an impractical protective measure. After all, even living off grid requires some degree of digital interaction if you’re to live legally as a recognized citizen of a nation state. 

Then there’s the negative impact of living alone away from the vast digital network that defines the modern world. 

Social isolation isn’t just hard work; it's also a risk factor for early mortality. Social isolation and a lack of societal relationships have been linked with a 26% increased risk of premature death, according to empirical evidence.

Surely it’s better, then, given our need for social connectedness, to navigate the complexities of the modern world - including the risks associated with social engineering - rather than charting a course to some dark corner where we don’t need to engage with it.

Information overload

Still, we can do this while recognizing that societal complexity is growing at an exponential rate. Professions appear and disappear with alarming frequency. Technologies emerge and then become outdated within years. New services quickly become commoditized. And even movies, jokes, and memes can become obsolete in just a few weeks.

We’re living in a world where a lack of awareness about current affairs can isolate us from everyday social interactions. The fear of being left behind - and therefore being left alone - drives our need to stay abreast of progress.

Thanks to technological advancements, we can now satisfy our craving for information with a few swipes of our fingertips. We follow the news, engage on social networks, watch and listen to various media, and even share our emotional reactions such as rage and pity. 

All of it in the moment, as it happens. 

But it’s perhaps unsurprising that behaving this way can result in a constant state of information overload and even stress.

This is important when viewed through the prism of cybersecurity too, because information overload and short dopamine cycles impair our critical thinking and decision-making. And as a result we can become more susceptible to misinformation and social engineering attacks. 

So, while social networks offer us an easy way to connect, talk, and share with one another, they also pose an additional risk for scams to succeed.

Remember to breathe

Information hygiene can be maintained by carefully choosing the sources you read and by limiting the information flow. Make sure you rest properly to enhance your cognitive functions and critical thinking skills. If possible, limit the number of devices and information channels you use to minimize your potential exposure to social engineering attacks.

The first step in maintaining information hygiene is to reduce information overload. And one way of achieving this is by limiting constant news consumption on your smartphone and reducing social network usage. 

OK, we know what you’re thinking. The idea of reducing social network usage might sound almost as extreme as embracing a life off grid. But the negative impact of high levels of social media usage on information hygiene is undeniable.

As with almost everything in the digital world, it’s about finding the right balance.

That said, changing habits can be challenging because it often necessitates significant alterations to your lifestyle and, by extension, your personality.

Imagine you decided to train for a marathon. You’d need to modify your diet, exercise, and sleeping habits. You’d essentially be aligning all of your activities with a singular goal. Achieving such a transformation isn’t easy.

But there is help available. Popular phone operating systems offer built-in features to monitor screen time. You could use this data to review your social network usage on a weekly basis. From there, you might decide to set a maximum screen time limit that is realistic and works for you.

Some people are even committing to specific 'digital detox' rituals with a partner, friend, or loved one. They might meet for phone-free lunches or even take a week-long vacation without TV, phones, and laptops.

This advice is scientifically grounded, and following it should enhance your vigilance, thereby increasing your social engineering awareness skills.

There is a caveat, though. Even those who are well versed when it comes to the nature of social engineering attacks aren’t immune to falling for scams. In some cases, confidence can actually result in a false sense of security, making people more vulnerable to attacks.

The underlying reason, once again, is straightforward: we are emotional beings. Emotions are a common vector for exploitation in social engineering attacks. And it’s unrealistic to think we can guard against emotional exploitation completely as this would mean severing our emotional responses altogether.

Still, gaining awareness of impulsive feelings and reactions and learning how to control impulses can provide us with a degree of protection. Some people swear by the benefits of regular mindfulness practice to help them be more present and aware of what is happening around them.

Put an action plan in place

The following advice might seem a little extreme, but it’s important to keep in mind that some of us are more anxious than others about the dangers of the digital world. And so for some people an action plan that they can refer to when faced with potential scams is required.

Regular training exercises, akin to fire drills, can prepare us for emergencies. Despite our self-perception as rational beings, we often act impulsively or behave irrationally in critical situations - a notion at the heart of Daniel Kahneman’s Nobel Prize-winning System 1/System 2 theory.

A prepared, preemptive action plan can therefore be invaluable in emotionally-charged or high-stress situations, making it easier for you to stick to a rational course of action.

So, how might this work in practice? 

Imagine you receive a seemingly urgent phone call, text message, or email, and your reaction, subconsciously encouraged by a decade or more of instant online behavior, is to respond immediately. It might be helpful to leave a little note somewhere that is easy to find (on your fridge, perhaps) reminding you to take a breath in such a scenario. 

The note might remind you that if an urgent phone call makes you suspicious, you can always hang up and call the organization yourself to verify the legitimacy of the request.

The same is true of the urgent text or email. You can call the company or visit their website and try to get an answer there. Often scammers will include a malicious link in a text or email, hoping that you might click on it without thinking. So, be very careful: rather than clicking the link in the message, see whether you can reach the same page by navigating from the company’s official website yourself.

A basic checklist can help protect you from attacks that seek to exploit a sense of urgency, fear, or anxiety:

  • Stop for a second and think: who will benefit from this request, and how? What actions do I need to take? Why do I need to take them at all?
  • Consult with others: validate your thoughts with a friend or loved one. Two minds are often better than one, and teams actually make you smarter.
  • Verify the information: do a Google search, call the company, email them, or even visit their physical store in person and talk with somebody there. It’s far more difficult for a social engineer to impersonate an employee in person.
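The "verify the information" step and the earlier advice not to trust a link in an urgent message can be partly automated. The following Python script is an added example, not code from the original article: it pulls any links out of a message and checks each one against the domain you know the organization really uses, flagging bare IP addresses, punycode hostnames, non-HTTPS links and, in particular, the classic lookalike where the company’s name appears inside a domain that somebody else controls. All sample messages, domains and hostnames are constructed for the example, and the registrable-domain check is a deliberate simplification (last two labels) that a production tool would replace with the Public Suffix List.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample messages; the domains are reserved example/test names, not real organizations.
SAMPLE_MESSAGES = {
    "genuine": "Your statement is ready: https://online.examplebank.example/statements",
    "lookalike": "URGENT: verify your account now at http://examplebank.example.account-check.test/login",
    "ip_host": "Click http://192.0.2.10/secure to avoid suspension",
    "no_link": "Please call us on the number printed on your card.",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: a real tool should consult the
    Public Suffix List so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url: str, expected_domain: str) -> dict:
    """Compare one link against the organization's known domain and collect warning signs."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    expected = expected_domain.lower()
    findings = []

    # A bare IP address is never how a company sends customers to its site.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a company domain")
    except ValueError:
        pass

    # Punycode labels can hide characters that look like the genuine name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) hostname; may be a lookalike")

    if parsed.scheme.lower() != "https":
        findings.append("link is not HTTPS")

    actual = registrable_domain(host)
    if actual != expected:
        findings.append(f"registrable domain '{actual}' is not '{expected}'")
        # The brand name sitting inside someone else's domain is the common lookalike trick.
        brand = expected.split(".")[0]
        if brand and brand in host:
            findings.append("company name appears inside a different domain (lookalike)")

    verdict = "no mismatch found; still verify via the official site" if not findings \
        else "suspicious: do not click; navigate to the official site yourself"
    return {"url": url, "host": host, "verdict": verdict, "findings": findings}


def assess_message(text: str, expected_domain: str) -> list:
    """Extract every link in a message and assess each one; returns [] when there is no link."""
    return [assess_link(url, expected_domain) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for name, message in SAMPLE_MESSAGES.items():
        for result in assess_message(message, "examplebank.example"):
            print(f"[{name}] {result['host']}: {result['verdict']}")
            for finding in result["findings"]:
                print(f"    - {finding}")
```

A link that passes every check is not proof of legitimacy; the script only tells you when a link definitely does not belong to the organization it claims to represent, which is exactly the moment to hang up, ignore the link, and go to the company’s website on your own.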

Spreading social engineering awareness

It’s important to note here that you can just as easily be targeted by social engineering scams at the office as you can be at home. 

We recently wrote an article about some common workplace cultural norms that can make it more likely that social engineering attacks succeed. Please take a read so you’re aware of some common pitfalls to avoid. 

And remember that though it might not feel like it sometimes, in reality there are only a few types of jobs that truly require immediate action. They include those in the medical profession, the army, the police, and firefighting. Each of these has secure, well-regulated protocols for immediate action. Chances are that you don’t work in one of these professions and the requests you receive aren’t quite as urgent as they might appear to be in the moment. So, try to act rationally rather than impulsively.

By spreading social engineering awareness you can also help others to stay protected. As with physical crimes, a well-informed and vigilant community can be a crucial deterrent - particularly in stopping mass attacks.

You could set up training sessions for friends and relatives who might be less knowledgeable about the threats that lurk in the digital world. Even if you are tech-savvy and well-versed in social engineering tactics, many around you may not be. 

If you feel able to do so, you might engage with elderly people in your community, helping them to recognize the risks more readily and providing them with basic training.

The principles of protection against social engineering attacks are simple. Follow them and you can help to make the digital world a little bit safer:

  • Know you will be attacked
  • Reduce your information overload
  • Think before acting
  • Create an action plan
  • Spread the word
