Beware of social engineering by cyber criminals. It’s an ever-growing threat to businesses worldwide.
The concept of social engineering has been around for centuries. It’s often defined as using centralised planning to manage social change and regulate the future development and behaviour of society.
But in security terms it has a much darker meaning: deception with the intent to gain confidential information for fraudulent purposes.
Before the internet, this sort of deception could only be done face-to-face, over the phone or by sending a letter. Fraudsters had a much more difficult job extorting information or money from their victims.
Dangerous social media
Now social media and email do the legwork for them. The fraudsters can contact thousands of people at the click of a button. They cast their net so wide that the law of averages means they get a rich reward for their criminal efforts.
One of the commonest techniques is ‘phishing’: emails that invite you to click on a link to read some information or register for something.
When MWR InfoSecurity did some research last year, it sent out simulated phishing emails claiming to be from an HR department. This fooled three quarters of recipients who all clicked on a link and provided their credentials.
Gary Jowett from CNC in Brighton says: “Bogus emails that catch your eye will often claim to be from an organisation familiar to you and may arrive at a time in the year when you’re expecting a communication. It could be from your bank or the tax office, your credit card company or a retailer you often use. It’s quite easy for fraudsters to read your Twitter or Facebook account to get some clues. And even if they don’t know anything about you, they’re contacting so many people that a certain percentage will always respond.”
Many different threats
Social engineering comes in many guises. There’s also ‘baiting’, where attackers leave a USB stick or CD in your office. If you plug it in and open its contents, it plants malware on your computer, giving the culprit access to all your data.
Then there’s ‘pretexting’ where criminals send a text and pretend to be from a trusted entity – such as your IT or HR department. They con you into handing over your password and other login details.
There’s also ‘scareware’, which tricks you into thinking your computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem, but you have to pay them some money first.
Gary says: “There are many types of deception to watch out for. The only real protection for your business is to frequently remind staff to treat everything with suspicion in the first instance. That’s the first line of defence. The more innocent and timely something looks, the more dangerous it could be. It’s also important to keep passwords confidential and changed regularly.”