There has been a lot of talk recently about social engineering scams, but what is social engineering? In the social sciences, the term describes the psychological manipulation of people into taking a particular action, and the shaping of the behaviour of large groups. The technique itself is neutral: politicians and governments use it, and advertisers use it to persuade the public to buy products.
In recent months, most talk of social engineering has been about information security. Hackers and other online criminals use social engineering to get Internet users to hand over sensitive information such as usernames and passwords, credit card numbers and bank account details. When large-scale data breaches by outside attackers are investigated, an element of social engineering is very often found somewhere in the chain: a phished password or a convincing phone call is usually cheaper for the attacker than a technical exploit.
How can you protect yourself from being manipulated into revealing information? How can you protect yourself and your company from employees falling for social engineering scams?
How is Social Engineering Used by Cybercriminals?
The most common methods cybercriminals use to manipulate users into taking a particular action are described below. Knowing how social engineering is used will help you protect yourself and your employees from scams and phishing campaigns.
Abuses of Trust:
Online criminals know that it is far easier to get something from a person if they pretend to be someone that person trusts. People are wary of strangers, after all. If a stranger came up to you in the street and asked for your PIN, or your email address and password, you would not tell them. On the Internet, however, it is not always easy to tell whether someone really is a stranger, and the request usually comes with a plausible-sounding reason for disclosing the information.
Emails sent from colleagues, friends and family members
If you receive an email from someone you trust, you are far more likely to act on a request in it than if the same email had come from a stranger. If a family member sends you a link and asks you to click it, you may not even think twice before you do.
Your best friend, brother or sister sends you a URL saying, "You have got to see this, it is so funny!" You click the link, you see a video, and you wonder what on earth they were thinking. The video was not funny at all.
Unfortunately, the link was not sent because it contained side-splitting humor. It was sent because clicking it caused malware to be downloaded to your computer. The email was not sent by the person you thought it was, but by an attacker pretending to be someone you know, either from a spoofed address or from that person's compromised account.
It is not just "must see" images, jokes and videos that are sent. Many of these emails exploit compassion, or the desire to help a friend or family member in need. The message supposedly comes from someone who has got into trouble: a friend travelling abroad has had his wallet stolen, is stranded and cannot get home, and needs money transferred so he can buy a plane ticket. In reality he is on the beach, and the attacker has gained access to his email account, not his wallet.
Phishing: Manipulating people into revealing confidential information
The volume of phishing emails has increased enormously in recent years, because these social engineering scams are incredibly effective. They are used to get individuals to reveal highly confidential information that, under normal circumstances, they would never divulge.
Some of the most common social engineering scams used by online criminals to obtain sensitive information are detailed below. Be particularly wary if you receive one of these emails:
Urgent Charity Donation Required
Nothing brings out the scammers faster than a natural disaster. When people are suffering, have lost their homes, or have been flooded or hit by a hurricane, criminals try to take their share of the donations. If you receive an email asking for money to help people in need, do not respond to the email and do not click the link it provides. Find the charity's website yourself and donate directly through it, or follow the instructions listed there. Criminals have no qualms about taking money meant for the needy, which is why the volume of these scams spikes after every disaster.
You have won a prize draw, lottery or other prize
Don't let the thrill of potentially receiving a large sum of cash get the better of common sense. To win a prize draw, you first need to have entered it. Do not call the number supplied in the email and do not visit the link. You will be asked to supply bank details "for the transfer" (or your credit card details), and that information is the real prize. There will only be one winner, and it will not be you.
Package or mail cannot be delivered
Courier companies do send emails saying you were out and a parcel could not be delivered, but are you actually expecting one? Even if you have a birthday approaching or Christmas is just around the corner, do not respond to the email directly. Use the tracking or consignment number to check, but check on the courier's own website by typing the URL into your browser yourself. The text of a link in an email need not match where it actually points; a link that reads like the courier's address can lead to a phishing site, and anything you enter there is collected by criminals.
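The point above, that a link's visible text and its real destination can differ, is something you can check mechanically before anyone clicks. The script below is an added example and is not part of the original article. It parses the HTML body of an email with the standard library, collects every link together with the text shown for it, and flags the classic phishing tricks: the displayed text naming one domain while the href points at another, a `user@host` trick that hides the real host, a raw IP address as the host, and plain http. The email body and the domain `parcel-courier.example` are constructed for the example; the expected domain is an assumption you would set per sender.

```python
"""Flag suspicious links in an HTML email body.

Added example (not from the original article). Standard library only.
The sample email and the domain parcel-courier.example are constructed
for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare domain, e.g. "https://a.example/x" or "a.example"
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
NON_WEB_SCHEME = re.compile(r"^(?!https?:)[a-z][a-z0-9+.-]*:", re.I)  # mailto:, tel:, javascript: ...


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL. urlparse discards any user:pass@ prefix, so the real host is returned."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def same_site(host, domain):
    """True if host is domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_reasons(href, text, expected_domain):
    """Reasons a link looks like phishing; an empty list means nothing was found."""
    if NON_WEB_SCHEME.match(href):
        return ["non-web scheme: " + href.split(":", 1)[0]]
    reasons = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = host_of(href)
    if href.lower().startswith("http://"):
        reasons.append("plain http")
    if "@" in parsed.netloc:
        reasons.append("userinfo in URL hides real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address host")
    if not same_site(host, expected_domain):
        reasons.append(f"host {host!r} is not {expected_domain!r}")
    m = URL_LIKE.match(text)
    if m and not same_site(host, m.group(1).lower()):
        reasons.append(f"displayed {m.group(1).lower()!r} but points to {host!r}")
    return reasons


def scan_email(html, expected_domain):
    """Return a list of (href, text, reasons) for every link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, t, suspicious_reasons(h, t, expected_domain)) for h, t in collector.links]


# Constructed sample: a fake "missed delivery" email. 198.51.100.7 is a documentation-only address.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered. Track it here:</p>
<a href="http://parcel-courier.example@198.51.100.7/track">https://parcel-courier.example/track</a>
<p>or update your delivery preferences at
<a href="https://parcel-courier.example.account-verify.example/login">parcel-courier.example</a></p>
<p>Terms: <a href="https://www.parcel-courier.example/terms">Terms and conditions</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL, "parcel-courier.example"):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {text!r} -> {href}")
        for r in reasons:
            print(f"           - {r}")
```

Run against the constructed sample, the first two links are flagged (the first on four counts, the second because `parcel-courier.example.account-verify.example` is a subdomain of `account-verify.example`, not of the courier) and the genuine terms link passes. This is a triage aid, not a replacement for the rule in the text: it cannot see through URL shorteners, open redirects on a legitimate site, or a lookalike domain that the displayed text also uses, so "type the address yourself" still stands.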
Upcoming Elections – Party donations required
Want to do your bit for the Democrats or Republicans? Does the Green Party urgently need your cash for its campaign? Want to show your support for Labour or the Conservatives? Good on you! Just make sure that your donation goes to the right place. Find the party's official website yourself and follow the instructions there. Never click on a link in an email. Social engineering scams are very common in the run-up to elections.
Summary of Good Practices to Avoid Social Engineering Scams
These tips will reduce the likelihood of you falling for social engineering scams. You need to be security aware and always cautious about revealing any information, opening attachments or clicking on links.
- The first rule to avoid becoming a victim of a phishing campaign is never to click on an email link
- The second rule to avoid becoming a victim of a phishing campaign is, again, never to click on an email link
- Stop and think before you respond to any email request
- If you are not 100% sure of the genuineness of an email, mark it as junk or delete it
- If you are at work, and think an email may be a scam, seek advice from your IT department
- If you are asked to reveal login information or other sensitive data, report it. Do not respond
- If you want to respond to a request for a donation, use a search engine to find the official site and follow its instructions for donating. Do not trust the information provided in the email
- Never open an email attachment unless you are 100% sure it is legitimate
- If you have fallen for a scam (or think you may have), seek professional advice immediately and change all of your passwords, starting with the account whose credentials you entered and any others that share the same password.