With the wealth of information about business and people available online, it is little wonder that criminals can and do use it for malicious purposes.
These malicious individuals—as well as rival companies and even foreign intelligence agencies—can use information found online to learn more about a target – such as a specific person that could provide a pathway into a corporate network. This method of collecting information is known as reconnaissance and is used for social engineering and phishing attacks.
What is social engineering?
Social Engineering is the subtle art of human manipulation in order to control and change the actions of others. It is a method used by hackers to manipulate people into giving up sensitive information, such as passwords or bank details. These methods are effective as they take advantage of most people’s natural inclination to trust.
Surprisingly, it is a lot easier to trick someone into giving up their password than it is to hack it. You are particularly vulnerable if you:
- Are helpful
- Avoid confrontation
- Like something for free
- Try and be efficient
- Fear repercussions from management
The best defence against social engineering attempts is education.
Common forms of social engineering
Attackers create a fabricated scenario to trick their victims into giving up personal information.
Quid pro quo
A good example of this type of social engineering is a scam where someone claiming to be from a an IT service provider (or similar) calls asking for details. The fraudsters often promise a quick fix to an issue in exchange for the victim disabling their antivirus program and for installing malware on their computers that assumes the guise of software updates.
Criminals often take advantage of people’s inherent desire for free stuff. Baiters will offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Social engineering also employs physical tactics as well as cyber ones - the best example is tailgating. This is where someone who lacks proper security clearance follows an employee into a restricted area.
Where can your information be found?
While there are a range of online platforms where your information could be listed, social media profiles, in particular, leave us exposed to hostile or nefarious acts, as they reveal both personal and professional information that can be exploited and used to plan cyber-attacks, or in some cases physical attacks. Take a look at our blog post on how we test for cyber and physical vulnerabilities.
A hacker’s job is made a lot easier if they have certain details about a network and its users; by using reconnaissance techniques on online profiles, company websites or blogs, the hacker can learn employee job roles, contact details and addresses. For example, with the right information (i.e. a corporate email address) a cybercriminal could launch a spear phishing campaign to gain access to an organisation’s system.
Reducing the risks of social engineering
Review your privacy settings on social media
Ensure that you set the security settings correctly - never have your profile be public—ideally it should be set to friends and family only.
Be careful about what you share
- Never share sensitive information in your posts (even to your friends).
- Posting your phone number, your address or pictures of your workplace should be avoided at all times.
- Make sure that your username does not include any personal information. For example, Rob@Liverpool is a bad choice.
- Keep an eye on what others say about you online too; a friend could post some private information that could give a hacker a way in.
- If using social media for business marketing, your team should avoid posting any sensitive information and should keep a close eye on the profile for any sign of hostile reconnaissance taking place.
Set up a social media specific email address
Set up a separate email account to register and receive email from the site. That way if you want to close down your account/page, you can simply stop using that email account.
Use a strong password
Always use strong passwords that have no relation to any of the content on your online profiles. For more tips on passwords, take a look at our posts on strong passwords and password hygiene.
Ensure that you have up-to-date antivirus/antispyware software installed.
If an email conveys a sense of urgency, or uses high-pressure sales tactics, always be sceptical because chances are that a criminal is trying to trick you into giving up your information.
Be aware of your surroundings
On the physical side of things, always be aware of your surroundings. If you don’t recognise someone do not let them into your building, scammers often rely on people being polite (holding doors open etc.)
Research the facts
When receiving an email containing links, do not click on them as they may not be legitimate, and you should always be wary of unsolicited messages. Even if an email looks like it is from a company you use (or have used), do your own research. For example, use a search engine to go to the company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords
Any message asking for personal details is a scam.
By educating people on the threats posed by social engineering, the threat can be reduced significantly. Knowing what looks suspicious, what not to click on and keeping sensitive details secure could save an organisation a huge amount of money in the long term.
Can your organisation spot the signs of social engineering?
If you would like to educate your organisation on social engineering and phishing, talk to us about how we can help. Our team of cyber security experts can provide a range of training and services that can help defend your systems, reputation, and bottom line. Contact us to start a discussion: firstname.lastname@example.org or 44 (0)207 887 2699
Protection Group International believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering strategic vulnerability assessment services and offer a range of senior cyber awareness education to enable you to tackle cyber threats in-house.
Your free global geopolitical
PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.
The Risk Portal gives users up-to-date information and analysis on global affairs.
The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.
Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.
Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.
Making ongoing compliance easier for you and your business
GDPR is now in force. Make sure your business meets the necessary requirements, providing assurance for all of your customers and employees.
A full audit of your business to assess the level of your compliance against GDPR requirements.
Become GDPR compliant with minimal work. We will conduct an analysis, review, report and implement any necessary changes to your business.
We will conduct simple security assessments to help you understand and mitigate the potential risks to your business.
Get your business ready to face the cyber challenge.
We provide a full range of accredited, certified and bespoke services that assess the resilience of your cyber security posture.
PGI’s Qualified Security Assessors (QSA) will help you meet Payment Card Industry Data Security Standards (PCI DSS).
Find out more on PCI DSS
Demonstrate your commitment to cyber security by achieving and maintaining accreditation for the globally-recognised information security standard.
Find out more on ISO 27001
Understand the threats of phishing and malware to avoid being targeted.
Undertake our phishing vulnerability assessment to reduce your organisation’s risk of attack, by measuring the cyber awareness of your workforce.
PGI will conduct a tailored phishing campaign, using multiple methods, to identify realism and train employees where necessary to mitigate future attacks.
PGI monitor multiple metrics to identify the types of phishing, generate in-depth analytical reports and provide an informed decision to help improve your organisation’s level of security and awareness.
Prevent attacks, respond to breaches and protect your business.
Our bespoke range of cyber security services not only protect your critical assets but provide the education you need to keep your operations and data safe.
Implement this cost-effective cyber security measure launched by the government to prevent cyber-attacks, demonstrate information security commitment to your clients, and attract new business by being recognised as a secure organisation.
Find out more on Cyber Essentials Accreditation
The most effective way to identify how attackers target your organisation’s weaknesses is by evaluating your system, your network security, and reporting on any vulnerabilities that could have an impact on your business.
Find out more on Penetration Testing
If your business has experienced breaches, network compromises or operational disruption, our team of cyber security specialists can deploy quickly, and will begin the process of detecting and eliminating the threat efficiently.
Find out more on Data Breach Response & Recovery
Data Breach Response & Recovery
We prevent attacks, respond to security breaches, and protect your business
Our team of specialists can deploy quickly and efficiently to begin the process of detecting, eliminating and preventing future threats of a breach.
A vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion.
Find out more on Digital Forensics
We will identify and minimise the risks, as well as the possibility of future risks to your business.
Consistent interaction with your management team and recommendations on how to approach all outcomes that need attention.
Subscribe to our Cyber Bytes Newsletter
Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.