5 November 2018
What is Social Engineering?
We’ve all come across cyber scams in our personal lives, such as fake messages from your bank seeking your financial details, or emails supposedly from reputable companies asking you to click through (allowing a hacker to place malware on your computer). These types of scam are known as ‘social engineering’ and can come in several forms.
In this article we will highlight five of the main fraudulent schemes used by cyber criminals. Some you will have knowingly come across; others you may have come across without realising. You may be surprised at just how up close and personal social engineering can be.
Phishing is the most common type of social engineering. An offender will seek to obtain the personal details of the intended target. Quite often the attempt comes in the form of an email that incorporates a sense of urgency to manipulate the user into acting promptly.
Phishing emails often contain short URL links to suspicious websites which may at first glance appear legitimate.
To avoid falling foul of phishing scams, delete any emails with unusual content from senders you do not know. Do not open any links or attachments that they send from within these emails, as you could be giving a cybercriminal the opportunity to infiltrate your systems. You should also be wary of any emails that have come from people you know but that contain something you would not expect them to send, or that have odd spelling mistakes. Cybercriminals will often try to mimic the email of a trusted person to convince you that the subject matter of the email is safe to open.
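As an added illustration (not part of the original article), the following Python check flags the indicators described above in a constructed sample email: a sender whose address does not match the one a known contact normally uses, a link through a URL shortener, and urgency wording. The shortener list, the urgency word list and the contact map are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample phishing email (not taken from the article).
SAMPLE_EMAIL = """From: "Jane Smith" <jane.smith@examp1e-corp.com>
To: user@example.com
Subject: URGENT: invoice overdue, act today

Please review the attached invoice immediately: https://bit.ly/3abcXYZ
"""

# Assumed list of URL-shortener hosts often used to hide a link's real target.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Assumed words that signal the urgency/fear lever phishing relies on.
URGENCY_WORDS = {"urgent", "immediately", "today", "act now"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def phishing_indicators(raw_email, known_contacts):
    """Return a list of indicator strings found in the email.

    known_contacts maps a display name to the address that person normally
    writes from; a mismatch suggests someone mimicking a trusted contact.
    """
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    # Keep the example to single-part text bodies.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()
    indicators = []
    expected = known_contacts.get(name)
    if expected and expected.lower() != addr.lower():
        indicators.append(
            f"sender mismatch: '{name}' normally writes from {expected}, not {addr}")
    for host in URL_RE.findall(body):
        if host.lower() in SHORTENER_DOMAINS:
            indicators.append(f"shortened link via {host}")
    if any(word in text for word in URGENCY_WORDS):
        indicators.append("urgency wording in subject or body")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL, {"Jane Smith": "jane.smith@example-corp.com"}):
        print("-", line)
```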
Pretexting can be very similar to phishing. The main difference is that pretexting involves building a false relationship based on trust, whereas phishing is based on urgency and fear. The attacker will build a credible story to make the target feel secure, before attempting to gain access to their personally identifiable information.
A common pretexting angle is an attacker posing as an external IT provider, who is then freely given access to a company’s computer systems.
Make sure you check any sender’s credentials thoroughly before allowing them to gain any further information. Do your own research rather than relying on what they tell you.
Baiting uses the promise of goods to entice targets into handing over their personal details. There are many examples of this method being used, with mixed results.
Baiting can occur at events such as trade shows and exhibitions and does not always involve a financial transaction. For example, a complimentary pen drive could contain malware that will damage your computer or give access to your files and information.
Something as common as a free movie website could be a baiting scam. Just remember, if something feels too good to be true, it most likely is. If you do take a complimentary gift, make sure you trust the source. If you take on this philosophy, it will be difficult to fall foul of baiting.
This method involves impersonating someone in order to gain physical access to a restricted area, such as a company’s office floor.
In this scenario, the criminal could impersonate a delivery driver, waiting outside a company’s office for an unsuspecting employee to hold the door open for them. The employee is unaware that they have just allowed access to an unauthorised visitor. Now the intruder has potential access to any sensitive documents or files left open on employee desks.
To prevent this sort of thing from happening, ensure that you check the credentials of any guests who enter the building. Create an office environment where employees are security conscious. Make it compulsory for employees to lock their computers and keep their desks clear, with all sensitive information stored away.
Fake President Fraud
This method typically involves an employee within a firm’s accounts department being contacted by someone impersonating a senior executive or director. Like phishing, this method relies on urgency, with the criminal advising the employee that they need them to process a discreet and urgent payment. The criminal will then provide the employee with transfer details.
By the time the employee realises what’s happened, the criminal has already moved the money before it can be stopped or traced. To help prevent this happening to your company, encourage your employees to be sceptical of any unusual requests via telephone or email.
For more information, please get in touch with:
James Groves, Assistant Manager – Commercial Division
0207 330 8707