What is Social Engineering?
How your online profiles can be used against you.
With the wealth of information about business and people available online, it is little wonder that criminals can and do use it for malicious purposes.
These malicious individuals—as well as rival companies and even foreign intelligence agencies—can use information found online to learn more about a target – such as a specific person that could provide a pathway into a corporate network. This method of collecting information is known as reconnaissance and is used for social engineering and phishing attacks.
Social Engineering is the subtle art of human manipulation in order to control and change the actions of others. It is a method used by hackers to manipulate people into giving up sensitive information, such as passwords or bank details. These methods are effective as they take advantage of most people’s natural inclination to trust.
Surprisingly, it is a lot easier to trick someone into giving up their password than it is to hack it. You are particularly vulnerable if you:
The best defence against social engineering attempts is education.
Attackers create a fabricated scenario to trick their victims into giving up personal information.
Quid pro quo
A good example of this type of social engineering is a scam where someone claiming to be from a an IT service provider (or similar) calls asking for details. The fraudsters often promise a quick fix to an issue in exchange for the victim disabling their antivirus program and for installing malware on their computers that assumes the guise of software updates.
Criminals often take advantage of people’s inherent desire for free stuff. Baiters will offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Social engineering also employs physical tactics as well as cyber ones – the best example is tailgating. This is where someone who lacks proper security clearance follows an employee into a restricted area.
While there are a range of online platforms where your information could be listed, social media profiles, in particular, leave us exposed to hostile or nefarious acts, as they reveal both personal and professional information that can be exploited and used to plan cyber-attacks, or in some cases physical attacks. Take a look at our blog post on how we test for cyber and physical vulnerabilities.
A hacker’s job is made a lot easier if they have certain details about a network and its users; by using reconnaissance techniques on online profiles, company websites or blogs, the hacker can learn employee job roles, contact details and addresses. For example, with the right information (i.e. a corporate email address) a cybercriminal could launch a spear phishing campaign to gain access to an organisation’s system.
Review your privacy settings on social media
Ensure that you set the security settings correctly—never have your profile be public—ideally it should be set to friends and family only.
Be careful about what you share
Set up a social media specific email address
Set up a separate email account to register and receive email from the site. That way if you want to close down your account/page, you can simply stop using that email account.
Use a strong password
Always use strong passwords that have no relation to any of the content on your online profiles. For more tips on passwords, take a look at our post on password hygiene.
Ensure that you have up-to-date antivirus/antispyware software installed.
If an email conveys a sense of urgency, or uses high-pressure sales tactics, always be sceptical because chances are that a criminal is trying to trick you into giving up your information.
Be aware of your surroundings
On the physical side of things, always be aware of your surroundings. If you don’t recognise someone do not let them into your building, scammers often rely on people being polite (holding doors open etc.)
Research the facts
When receiving an email containing links, do not click on them as they may not be legitimate, and you should always be wary of unsolicited messages. Even if an email looks like it is from a company you use (or have used), do your own research. For example, use a search engine to go to the company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords
Any message asking for personal details is a scam.
By educating people on the threats posed by social engineering, the threat can be reduced significantly. Knowing what looks suspicious, what not to click on and keeping sensitive details secure could save an organisation a huge amount of money in the long term.
If you would like to educate your organisation on social engineering and phishing, talk to us about how we can help. Our team of cyber security experts can provide a range of training and services that can help defend your systems, reputation, and bottom line.
Contact us to start a discussion.
Over the years, we have developed a range of content with the aim of educating organisations on cyber security threats and helping them defend their assets and reputation, so for us every month is Cyber Security Awareness Month.
On 26 September, Semafor published a lengthy article written by Jay Solomon claiming that a series of Iranian-American analysts and advisors to the Biden administration had been compromised as part of a long-running Iranian influence operation.
These days, there seems to be a variety of digital technologies on the horizon that are poised to disrupt the way we live our everyday lives.