With the wealth of information about business and people available online, it is little wonder that criminals can and do use it for malicious purposes.
These malicious individuals—as well as rival companies and even foreign intelligence agencies—can use information found online to learn more about a target – such as a specific person that could provide a pathway into a corporate network. This method of collecting information is known as reconnaissance and is used for social engineering and phishing attacks.
What is social engineering?
Social Engineering is the subtle art of human manipulation in order to control and change the actions of others. It is a method used by hackers to manipulate people into giving up sensitive information, such as passwords or bank details. These methods are effective as they take advantage of most people’s natural inclination to trust.
Surprisingly, it is a lot easier to trick someone into giving up their password than it is to hack it. You are particularly vulnerable if you:
- Are helpful
- Avoid confrontation
- Like something for free
- Try and be efficient
- Fear repercussions from management
The best defence against social engineering attempts is education.
Common forms of social engineering
Attackers create a fabricated scenario to trick their victims into giving up personal information.
Quid pro quo
A good example of this type of social engineering is a scam where someone claiming to be from a an IT service provider (or similar) calls asking for details. The fraudsters often promise a quick fix to an issue in exchange for the victim disabling their antivirus program and for installing malware on their computers that assumes the guise of software updates.
Criminals often take advantage of people’s inherent desire for free stuff. Baiters will offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Social engineering also employs physical tactics as well as cyber ones – the best example is tailgating. This is where someone who lacks proper security clearance follows an employee into a restricted area.
Where can your information be found?
While there are a range of online platforms where your information could be listed, social media profiles, in particular, leave us exposed to hostile or nefarious acts, as they reveal both personal and professional information that can be exploited and used to plan cyber-attacks, or in some cases physical attacks. Take a look at our blog post on how we test for cyber and physical vulnerabilities.
A hacker’s job is made a lot easier if they have certain details about a network and its users; by using reconnaissance techniques on online profiles, company websites or blogs, the hacker can learn employee job roles, contact details and addresses. For example, with the right information (i.e. a corporate email address) a cybercriminal could launch a spear phishing campaign to gain access to an organisation’s system.
Reducing the risks of social engineering
Review your privacy settings on social media
Ensure that you set the security settings correctly – never have your profile be public—ideally it should be set to friends and family only.
Be careful about what you share
- Never share sensitive information in your posts (even to your friends).
- Posting your phone number, your address or pictures of your workplace should be avoided at all times.
- Make sure that your username does not include any personal information. For example, Rob@Liverpool is a bad choice.
- Keep an eye on what others say about you online too; a friend could post some private information that could give a hacker a way in.
- If using social media for business marketing, your team should avoid posting any sensitive information and should keep a close eye on the profile for any sign of hostile reconnaissance taking place.
Set up a social media specific email address
Set up a separate email account to register and receive email from the site. That way if you want to close down your account/page, you can simply stop using that email account.
Use a strong password
Always use strong passwords that have no relation to any of the content on your online profiles. For more tips on passwords, take a look at our post on password hygiene.
Ensure that you have up-to-date antivirus/antispyware software installed.
If an email conveys a sense of urgency, or uses high-pressure sales tactics, always be sceptical because chances are that a criminal is trying to trick you into giving up your information.
Be aware of your surroundings
On the physical side of things, always be aware of your surroundings. If you don’t recognise someone do not let them into your building, scammers often rely on people being polite (holding doors open etc.)
Research the facts
When receiving an email containing links, do not click on them as they may not be legitimate, and you should always be wary of unsolicited messages. Even if an email looks like it is from a company you use (or have used), do your own research. For example, use a search engine to go to the company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords
Any message asking for personal details is a scam.
Can your organisation spot the signs of social engineering?
By educating people on the threats posed by social engineering, the threat can be reduced significantly. Knowing what looks suspicious, what not to click on and keeping sensitive details secure could save an organisation a huge amount of money in the long term.
If you would like to educate your organisation on social engineering and phishing, talk to us about how we can help. Our team of cyber security experts can provide a range of training and services that can help defend your systems, reputation, and bottom line. Contact us to start a discussion: firstname.lastname@example.org or +44 (0) 845 600 4403