You may think social engineering is all about person-to-person scams with money being the first and only target. In fact, the dangers of social engineering are much broader. Attackers could come at you through a whole host of different ways, and websites often make very tempting targets.
Why websites? Because they can be a rich source of intel that the criminals can exploit. Once they get control and under the hood of your site, it can be like a back-end data bank for them. Customer information, payment details… you name it! If it’s stored on the site, it becomes theirs.
Another thing to remember is that social engineering isn’t just about pulling the wool over your eyes. It’s about expecting you to be too distracted to notice that an attack is even taking place.
That’s why websites are such appealing targets. Being tricked into sending financial information, or authorizing payments, can feel easier to watch out for. Essentially, they’re one or two-step cons and the fraudsters are away with the loot quicksmart. People expect social engineering attacks to hit bank accounts, not websites.
Gaining access to a website’s information is usually a longer-form scam. For example, hackers can start attacking your customers through fraudulent emails — damaging to both your brand and bottom line eventually. The fall-out is not so immediate, but is no less painful — and not just for you. That’s why it’s important to always consider your website a target and to be on your guard.
So, without further delay, let’s delve into the top 5 techniques to protect your website against social engineering.
#1 Keep Private Info Private
Many of the techniques social engineering scammers use are universal in their main tactic. They will pretend to be someone you know or are familiar with, and then trick you into handing over vital info. But, as stated above, because websites don’t often feel like immediate targets, it’s easy to fall prey. Login details just don’t feel as valuable as invoices or credit card numbers, right?
So, to mitigate social engineering attacks on your site, and across the board, you need to limit the amount of information people can gain about you. After all, that’s how they know how to pretend to know you!
Never handing out any sort of personal information is an easy one to remember. But when people are targeting websites specifically, there are other things to consider.
The information you used to register your website’s domain name is a prime case in point. ICANN (Internet Corporation for Assigned Names and Numbers) requires domain registrars to hand over your contact information (such as name, email, address, and phone number) to them. This is then added to the public Whois database, where it can be searched by anyone on the Internet.
The Whois database makes it so much easier for scammers to contact you as fake IT support, or fake security checkers, for example. They have your number, your domain details, and lots more.
So, basic rule number #1: Keep all private info private! And check out free services like WhoisGuard from Namecheap that will keep your Whois domain registration info off-grid.
#2 Enable Spam Filters
If you haven’t already, make your spam filter your new best friend. Emails are still the number one route for attacks. One wrong click on the wrong link or attachment and malicious software can start infecting your website in seconds.
While most email service providers come with spam filters, like Namecheap’s Private Email, enabling the spam feature means you can rest a little easier knowing that any email deemed suspicious is automatically thrown into the spam folder. No fuss, no muss.
If you find that your website’s email service still isn’t up to par by filtering out spam or marking certain emails as suspicious, take a look at your settings. Reputable spam filters use all sorts of information to figure out which emails are spam-worthy. This can range from nefarious files or links, unknown IP addresses, or sender IDs, even message content that gets flagged as fake.
Spam-worthy emails are often marked with warning messages, e.g. “downloading the respective files should be done at your own risk.” Some files with specific extensions are even banned entirely from letting you download them.
There are other ways to protect your email from social engineering, but it’s not just email that puts your website at risk. The site itself could become the trap. Attackers can easily leave links to what appear to be interesting products or competitors within blog comments, for example. As with toxic email links, once you click, the malicious software can go to work. So check out services like Akismet which is specially designed to filter comments across the web.
#3 Protect Your Password
You’ve heard the advice before and there’s a reason for it. Never use the same password on the platforms you log into, especially social media. For more on this topic, check out my colleague Cora Quigley’s article on preventing social engineering across social media.
Perhaps not surprisingly, human error is our greatest vulnerability on the web. That’s why having a strong website account password has been proven to effectively thwart hackers from gaining unauthorized access. Unfortunately, many of us decide that our 12345 password is good enough and we forget about it. Want to test your current password’s power? Try it here.
For those of you who hate remembering multiple passwords for multiple accounts, check out password management programs such as Dashlane or RememBear. Both of these help improve your website’s security and also autofill your user login data on those websites you visit most often.
When a strong password just isn’t enough, consider Two-Factor Authentication for your business. Two-Factor Authentication often involves an additional security device, fingerprinting, or SMS confirmation codes. Namecheap is proud to offer a few options for customers such as U2F (Universal 2nd Factor) service, TOTP (Time-based One-Time Password), and OneTouch (SMS). The best part? They’re all free!
#4 Update Your Software
We know, we know. Software updates can be time-consuming but trust us, they’re 100% worth it.
From website server systems to WordPress plugins, social engineering attacks often take place when your system software, particularly its software patch, is out of date. This is when vulnerabilities are exposed, letting offenders run wild in your system and exploit it.
#5 Be Mindful of Your Digital Footprint
With so much (rightful) talk about our carbon footprint, it’s time to start thinking about another footprint, your digital footprint.
This refers to how you live your life online. Whether that’s oversharing your life on social media without any privacy settings or sending out resumés with your personal information (address, phone number, email), these are all, unfortunately, ways that someone can plan a social engineering attack.
Those who need to keep their online profile reasonably high, like influencers, online marketers, and solopreneurs, should be mindful of how much they share. Think about what information or even images you’re offering up easily though simple methods like Google search — you now have permission to Google yourself and your business without shame. 🙂
However, it’s worth mentioning that many hacking attempts come from information you completely forgot you gave, like that old MySpace or Pinterest account of yours.
Because social engineering attacks are ultimately designed to prey upon your trusting good nature, they can be particularly difficult to avoid.
As frustrating as it is, remember that social engineering attackers are almost always one step ahead. They’ll do whatever it takes to steal information from you.
That’s why it all boils down to self-awareness. When you’re more aware of the types of attacks lurking out there and the basic precautions you need to take, you’ll be far less likely to become their next victim.
Have you been a victim of a socially engineered attack? Tell us what happened in the comments below and feel free to share any tips on how to keep yourself safe.