What is it and how does it affect everyone?
By Samantha Wharton, Founder of The Hemera Group
“In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. It has also been defined as “any act that influences a person to take an action that may or may not be in their best interests.”
[Excerpt Wikipedia]
Technology has provided society with incredible tools that assist in so many ways. The downside of technology is that those who have an interest in harming people have every increasing and readily available tool to do so. Social Engineering can happen on the phone, online or in person in an office/business.
Examples of Social Engineering are plentiful but can be categorized into five main areas that everyone should watch.
- Phishing: Designed to obtain information by either using misleading online links (email attacks and impersonation emails) or by threats, fear to have victims respond quickly.
- Pretexting: Designed to obtain information by creating fabricated scenarios such as confirmation of identity requests or impersonating legitimate IT or HR services, thereby creating a false sense of security and trust.
- Baiting: Designed to obtain information, but in this case, leverage a gift or something free to entice or trick people. Sometimes CDs are sent to homes and businesses that, when installed, infect computers with malware.
- Tailgating: Designed to obtain information by physically following or piggybacking legitimate employees into restricted areas of a business or office. They pose as a delivery person or use false identification and impersonation techniques, gaining trust by false pretences.
- Quid Pro Quo: Designed to obtain information by offering a false benefit or favour in exchange. Impersonation of government officials, for example, where actors ask victims to provide information before they can proceed to talk about something important.
Many offenders do not actually live in the same country as their victims, making it hard and sometimes even impossible for authorities to take action. Banks and financial institutions have very vigorous checks and balances to prevent clients from being defrauded; however, once you give your information away, you are basically on your own.
The best advice to take is to make sure you are prepared for Social Engineering attempts before it happens to you. Being proactive is much cheaper and takes less time.
Once you have been hacked, it can be very expensive and a very lengthy ordeal to get back to normal.
The following are just some of the scams being used today to be wary of:
- Phony charities and fake religious schemes
- The promise of very high returns for small investments
- Impersonating government officials
- Coaxing compliance of IT Help Desks by false pretences
- Bullying compliance from someone acting like a person in authority by way of threats
- Two-stage scams like sending an email and then phoning to ensure compliance
- Calls from the government falsely claiming criminal charges
Private and commercial online users are equally in jeopardy of Social Engineering. Some common-sense best practices include:
- Create and use strong passwords
- Use different passwords for different applications
- Never share your passwords
- Change your passwords often
- Back up your important files often
- Do not open any email from an unknown source
- Lock your computer when not physically present
- Purchase legitimate anti-virus software
- Do not loan out or use loaned out software
- Question and refuse ‘Too good to be true’ offers
- Develop strong company policies for computer use
- Create barriers for social networking in business
- Turn off computers when the day is done
- Have professionals routinely check computers for illegal activities including hiring penetration testers
- Create robust physical barriers to entry into businesses
- Create strong governance for corporations and businesses that includes checks and balances preventing Social Engineering attempts
- Train and routinely communicate standards to all employees regarding physical and online security
- Use professionals to test for compliance
- Create roles in your business that impose two-stage and three-stage barriers to prevent theft of critical information
- Ensure business continuity protocols are in place before a computer hack comes your way
And remember, if it is too good to be true, it likely is. Government officials, police and banking representatives will never ask for passwords over the phone. Be prepared and keep safe.