Social Engineering.
By nature, we humans like to be helpful. But that can make us easy prey for social engineers, who manipulate us to get what they want – be it personal details, sensitive information, or money obtained by fraud. Social engineering plays a part in several cyber threats – see the previous articles on Malicious Websites, Social Media, and Phishing.
Simple points to remember:
1. Be alert to potential targeting by social engineers and report any concerns immediately.
2. Never give sensitive information unless you are sure the recipient is who they say they are and has a valid need to know.
3. Think about what you are posting on social media sites and in out-of-office messages – could these be used by a social engineer?
What is social engineering?
You are going into a building and see someone struggling to carry bags or boxes, so you hold the door open for them to enter without swiping – but are you sure they should be let in, or have you just fallen for a social engineer’s trick? Or you answer a call from a helpdesk engineer, or at home from your bank, asking about a problem on your system or account which you weren’t aware of. Or you receive an email telling you about a parcel or an invoice you weren’t expecting. Any of these could be social engineering – a confidence trick to get you to give away access to facilities (whether buildings or IT systems) or information. Social engineering includes phishing, scams, and impersonation – it’s all about manipulating the victim, as in the BBC television series ‘Hustle’.
Social engineers exploit human psychology. They know that humans are inherently helpful and will feel an obligation to someone who seems to have helped them, or is in a position of authority, or is facing the same sort of problems – like IT that is not working or a boss demanding tough deadlines. They will set up a situation to gain this sense of obligation or sympathy. Social engineers are also good at building a jigsaw from different pieces of information to get a complete picture – so rather than random phishing they might carefully craft an approach.
Clever callers will also trick you into “verifying” their identity by keeping telephone lines open after suggesting you call someone in authority (your bank, perhaps) to verify their identity – it’s all part of the confidence trick.
What is the Risk?
A well-known convicted (now reformed) hacker has claimed that he could usually get sensitive information just by asking for it using social engineering tactics. However good technical security measures are, humans are always the weakest link.
If you give information or access to a social engineer, they can use this to attack you (such as by emptying your bank account or committing identity theft) or to attack your organisation (such as by gaining access to its systems or by tricking you into loading malware). They might also use information from you to make an attack on another individual more convincing – perhaps telephoning your colleague when you are away to get information on a project they say they are working on with you.
So, what can I do?
Never give sensitive information unless you are sure the recipient has a need to know. Helpdesk engineers will never ask you for passwords, and nor will your bank. Whether at work or at home, ask yourself if a request for information is reasonable. Think twice about responding to discounts or other offers if you don’t know the sender already – these can be methods of harvesting information.
If a caller suggests you confirm their identity by calling a trusted organisation (such as your bank or a helpdesk), then always use a phone number you already have, not one they give you, and if possible, use another phone to prevent them from keeping the line open. If using another phone isn’t possible, then hang up for at least five minutes and then call a friend whose voice you recognise before you call the trusted organisation.
Never insert a USB stick or CD-ROM that you have found into your computer either at work or at home – social engineers exploit our natural curiosity by leaving computer media where they know people will find it.
Think about what information you are giving in out-of-office messages: are you giving away information about your whereabouts, or your and your colleagues’ work interests?
What are you posting on social media? Is there information which could be used by a social engineer to manipulate you or your friends and colleagues?
Remember that you are personally responsible for securely handling any assets entrusted to you – this includes information. If you have any concerns or think you may have been the target of a potential social engineering attack, then report any concerns immediately to your line manager or Information Security Officer, including loss or possible compromise of information.
Get Safe Online has good advice to help you protect yourself against social engineering, and the Police Action Fraud website has more advice to protect you from identity theft.
Reporting
The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
© Cybercentry Limited. All rights reserved.