“Social engineering” refers to the manipulative tactics used by scammers to retrieve sensitive data from (or prompt security mistakes by) their victims. While it is particularly common on social media sites, especially Facebook, it can also occur through workplace usage of devices, potentially causing devastating damage to your business. At alphatech, we have put together a summary of some of the most common ways that people fall victim to social engineering, in order to help you spot these fraudulent threats before it is too late.
On social media, we share far more data than we probably realise, and this can leave us vulnerable to hacking. Details such as your birthday, the name of your pet or your wedding anniversary are probably visible on your profile, and although it is not recommended, many people use exactly these things as passwords. By making that information public, you make it much easier for a hacker to access your sensitive data.
Baiting, in which victims are offered a false reward to prompt them to release information or install malware, relies upon human curiosity, making it extremely difficult to prevent. Examples include advertisements that redirect the computer user to hostile sites, or prompts to download an attachment containing malware. Computer users, particularly those working with sensitive information, should never download an attachment that has not been provided by a trusted source. When in doubt, seek professional advice!
Social engineering can also happen over email, and the most sophisticated examples can be very difficult to identify as fraudulent before it’s too late. Scareware, which creates false urgency for the device user through threats or alarms, is often passed directly into the victim’s inbox. The same is true for phishing, a familiar email-based scam in which victims are tricked into taking action (for example, changing an apparently ‘compromised’ password), only for their data to be harvested as they submit it.
Spear phishing requires more effort from the attacker but is far more likely to succeed, since the correspondence is deeply personalised to the victim in order to build trust. It is alarmingly successful.
One of the most important things to remember when dealing with social engineering is that, before inputting sensitive data or downloading an attachment, the device user must double-check that they trust the source. It is virtually impossible to eradicate social engineering, but with careful mitigations in place, your business can operate as safely and securely as possible.
You should also create strong passwords which aren’t linked to anything personal. So, you might choose a random selection of upper and lowercase letters, numbers and symbols. Or you could create a ‘three word’ password, in which three completely random and unrelated words are chosen, for example: TreeSausageLondon.
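The two password points above (do not build passwords from facts visible on your social media profile, and prefer either random characters or three unrelated words) can be turned into a simple check and generator. The following is an added example, not code from alphatech or from the original post: it screens a candidate password against a constructed sample profile, generates a three-word passphrase with a cryptographically secure random source, and compares the entropy of the two approaches. The word list, profile facts and the 40-bit threshold are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample word list. A real generator should draw from a list of
# several thousand words so that each word contributes far more entropy.
SAMPLE_WORDS = [
    "tree", "sausage", "london", "anchor", "violet", "copper", "meadow", "rocket",
    "pencil", "harbor", "candle", "walrus", "biscuit", "glacier", "lantern", "orbit",
]

# Constructed profile facts of the kind typically visible on a social media page.
SAMPLE_PROFILE = {
    "pet": "Rex",
    "birthday": "1985-06-14",
    "anniversary": "2010-09-03",
    "city": "Bristol",
}


def profile_tokens(profile):
    """Break profile facts into lowercase fragments that a password might embed."""
    tokens = set()
    for value in profile.values():
        v = value.lower()
        tokens.add(v)
        for part in v.replace("-", " ").split():
            if len(part) >= 3:
                tokens.add(part)
        digits = "".join(ch for ch in v if ch.isdigit())
        if len(digits) >= 4:
            tokens.add(digits)      # whole date as digits, e.g. 19850614
            tokens.add(digits[:4])  # the year on its own
            tokens.add(digits[4:])  # month and day
    return tokens


def contains_personal_info(password, profile):
    """Return the set of profile fragments found inside the password."""
    pw = password.lower()
    return {tok for tok in profile_tokens(profile) if tok in pw}


def three_word_passphrase(words=SAMPLE_WORDS, count=3, rng=secrets.SystemRandom()):
    """Join `count` words chosen uniformly at random by a CSPRNG, e.g. TreeSausageLondon."""
    return "".join(rng.choice(words).capitalize() for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` words drawn uniformly from a list of `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def charset_entropy_bits(password):
    """Entropy of a password IF every character were chosen at random from the
    character classes it uses. This overestimates badly for passwords built from
    names and dates, which is exactly why the personal-info check comes first."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32  # assumed size of the printable symbol set
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, profile, min_bits=40.0):
    """Reject passwords that embed profile facts or are too short for their charset."""
    found = contains_personal_info(password, profile)
    if found:
        return False, "contains personal information: " + ", ".join(sorted(found))
    if charset_entropy_bits(password) < min_bits:
        return False, "too short for the character set it uses"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Rex1985!", "TreeSausageLondon", three_word_passphrase()):
        print(candidate, check_password(candidate, SAMPLE_PROFILE))
    # Three words from a 16-word list give only 12 bits; from a 7776-word list, ~38.8 bits.
    print(passphrase_entropy_bits(len(SAMPLE_WORDS), 3), passphrase_entropy_bits(7776, 3))
```

The passphrase entropy figure is the honest one for a three-word password, since an attacker who knows the word list only has to try combinations of words, not individual characters; this is why the word list must be large and the words genuinely random rather than chosen by the user.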