Social engineering is the broad name given to a range of activities, typically using psychological manipulation to influence a person into performing a particular action or providing information that may not be in their (or their employer's) best interest.
In the context of cyber security, these attacks typically come in via multiple methods, such as:
- Phishing - Emails purporting to be from a trusted/legitimate business, typically requesting verification of information.
- Vishing - voice phishing, where the telephone system is used to obtain personal information or financial gain
- Smishing (SMS phishing) - malicious text messages designed to trick the recipient into divulging information
- Impersonation - pretending to be someone/something else to gain access.
Normally, the cyber attacker will use one or more personality or psychological approaches within any of the above methods in order to establish a need for personal information.
For example, they may try to:
- Use authority to obtain the information
- Intimidate a person into providing information
- Consensus (herd mentality) - making the victim believe that everyone else is doing a particular action
- Use scarcity to generate demand (e.g. ‘You’ll miss out on a particular saving if you don’t apply now!’)
- Urgency - their ‘boss’ needs them to buy iTunes gift cards immediately
- Familiarity/Friendship - working on the premise that you’re more likely to do something for someone you like (or love)
Some of the more common methods to approach would-be victims may come via:
- Honey traps - the attacker poses as a fictitious attractive person online, preying on the lonely. An example of this may be a perceived love interest who needs money to get back to a particular country and asks for airfare funds to return home.
- Phishing - approaches to email scams are often high volume/low return. Posers are often purporting to be from highly reputable companies, like banks or institutions, inciting recipients to reveal personal information, or take up fake offers.
- Tailgating - following someone authorised into an area the attacker doesn’t have access to themselves. Or conversely, allowing an ‘NBN/Telstra’ tech access to the network cabinet because of an “internet issue”.
- Quid Pro quo - Calling from a “technical support” company, hoping to hit someone with a legitimate problem, and ‘help’ them solve this. In the process, the attacker will have the user install some malware, thereby allowing them access to their computer.
- Baiting - leaving something in front of the victim, so they act, e.g. leaving a USB in the carpark, which when connected, runs a piece of malware.
So ultimately, how do you prevent social engineering attempts on you or your business?
- Question why someone needs you to perform a certain action. Does the boss genuinely need $2000 worth of iTunes gift cards?
- When receiving a call from scammers, don’t answer their questions with “yes”/“no” answers, as these may be recorded and played back. Hang up.
- If you receive a questionable email that appears to be from someone you know (e.g. from an unknown email address or a variation of their genuine email address), do not reply to it - call the sender back using another method, such as phone.
- When receiving a call, question their need for particularly sensitive information. E.g. do they really need your password?
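One way to automate the email check in the third point above, as an added example that is not part of the original article: a small Python function that compares an inbound From header against a constructed list of known contacts and flags a known display name arriving from an unknown or lookalike address. The contact list, addresses and thresholds are assumptions for illustration.

```python
"""Flag inbound mail whose sender looks like a known contact but whose
address does not match. Added example, not from the original article;
the contact list and sample headers below are constructed."""
from email.utils import parseaddr

# Constructed known-contacts list: display name -> genuine address.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example.com",
    "Accounts Payable": "ap@example.com",
}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Return 'ok', 'unknown', 'address-mismatch' or 'lookalike-domain'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    genuine = KNOWN_CONTACTS.get(name)
    if genuine is None:
        # Display name is not a known contact; the address alone may still be.
        return "ok" if addr in KNOWN_CONTACTS.values() else "unknown"
    if addr == genuine:
        return "ok"
    # Known display name but a different address: compare the domains.
    domain = addr.rsplit("@", 1)[-1]
    real_domain = genuine.rsplit("@", 1)[-1]
    # A domain within two edits of the genuine one (e.g. examp1e.com) is a
    # lookalike; anything else is simply a mismatch. Both deserve a phone call.
    if domain != real_domain and _edit_distance(domain, real_domain) <= 2:
        return "lookalike-domain"
    return "address-mismatch"
```

Anything other than "ok" is a prompt to verify the sender through a second channel rather than replying.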
For further security awareness training and support for your business, get in contact here.