DEV Community

Protect Yourself from Social Engineering

Kat Maddox on April 06, 2019

As developers, we're a prime target for social engineering scams. Hacking people is much easier than hacking infrastructures, and developers have a...
Adrián Norte

I have a simple rule: Does this account have any way to get to my money? If yes, apply 2FA.

I feel that in 2019, services like Google or Microsoft, which have a payment method attached to them and are more or less our digital identity holders, should encourage 2FA to the point of rewarding it.

Yaser Al-Najjar

Just on point 👌

Being an ex-hacker myself, I would say that my job would require 70% social engineering skills, and the rest tech skills.

Aside from that, the likelihood of performing any attack (esp. on a big company) with only tech skills is just soooooo low.

Clive Da

"... as a ..." Really! How many non-ex-hackers do you know? Be careful, this is a phishy question :)

andrew snow

A friend of mine bugged me to chip in on a Kickstarter for an open-source YubiKey alternative, and it has turned out to be one of the best purchases I've ever made. No longer am I held hostage to the whims of my own stupidity when it comes to poor infosec, though I suppose I might change my opinion if I ever happen to wake up after a particularly celebratory night to discover I lost my keys and keychain :P

It works very well for me as I am not a very organized person, and I think maintaining a centralized password app requires a degree of discipline. Alongside that is my personal experience with Dashlane, which might rival Firefox's "allow notifications?" as one of the most downright annoying things I've ever had to put up with on a desktop. Like a lot of folks I know, I keep my keys (and my USB 2FA) on a carabiner, so (knock on wood) it's pretty convenient on top of the physical layer of security it provides. Despite it not being widely accepted yet, it does work with Google, and that's all I need to access a lot of my services thanks to SSO logins and whatnot.

Kat Maddox

Oh nice, the Yubikey is awesome! I really want one but honestly, I'm ditsy AF sometimes and would probably lose it.

rhymes

That's why you should get two :D One that travels with you and one in a safe place at home.

Médéric Burlet

Loved this post, congratulations! However, I think there is maybe a small paragraph missing about in-person social engineering. Many companies have been compromised in the past by having a hacker simply pose as a janitor and access a terminal in the company, or simply see the logins written on post-it notes on the screen.

Kat Maddox

Good point! Thanks for the comment. May update the article later to write a bit on that.

Médéric Burlet

Looking forward to it! Keep up the good work. I need to find the time to write more articles on security as well.

Spencer Alessi

I love made-up words! Another really great post. I have not heard of CUPP before; I'm going to have to check that out! I'm always curious about phishing email trends. I always encourage people, no matter what their job is, to share with the IT/Security team the common themes or trends they are seeing. Trying to keep an open communication channel is so important for spotting, detecting, mitigating and preventing phishing.

Kat Maddox

Thanks for your comment, Spencer! And you're absolutely right. Earlier this year I worked for a company here in Australia that's known for having a great security culture. They have multiple teams dedicated to educating employees within the company on security trends, especially phishing, and they always encourage employees to send fishy-looking stuff to these teams. It works really well.

Nightsquid7

Sweet post! Your website looks cool too, gonna check out the articles later. I'd like to scan my network, but not sure where to start. Any advice?

Kat Maddox

Awesome question! If you're cool waiting about a week I can make my next post on that?

Nightsquid7

Wow that'd be sweet, I'll look out for it!

Nightsquid7

Wonderful, I’ll check it out. Thanks!!

Joel Louzado

So interesting, love this article. People need to realize that the reason most scam mails are poorly written is because they're very smartly targeted at a particular demographic.

Once the scammers come for you, they're going to put as much effort into tailoring the messaging for you!

Btw, maybe you could also mention using a password manager? It solves the issue of leaking pet names and private information, etc.

Kat Maddox

Thanks for your comment! :))

I did mention password managers in the automation section. Personally, I love them, but I didn't want to make it a key focus because a lot of people work for companies where password managers aren't allowed (which I think is stupid, but that's another issue entirely).

Youth

I come to live rather than keep careful.

Max Ong Zong Bao

Vishing? I had never heard of the term. I thought the actual term was phreaking.