Social Engineering is On the Rise: How You Can Guard Against itJune 12, 2018 - 8 minutes read
These days online vigilance and security are just as important as physical security. This is because there are some people out there who devise clever schemes and tricks to wrangle information out of you online that you wouldn’t normally divulge. Once they have gained the information they want, they may be at liberty to pretend to be you, to use your passwords, to empty your bank accounts and more.
The term for this is ‘Social Engineering’ – the art of manipulating and tricking people into offering up private and sensitive information. Wikipedia describes it as “the psychological manipulation of people into performing actions or divulging confidential information” and a “type of confidence trick for the purpose of information gathering, fraud, or system access”.
Confidence tricksters have always been around of course. Fawlty Towers fans will well remember the episode where Basil’s snobbery was exploited by a crook posing as an aristocrat to get cash and freebies out of him! The difference today is that con men and women are more likely to be lurking online and may be even more sneaky and smart at getting what they want.
Types of social engineering
In general, social engineers work on exploiting human weaknesses and emotions – good as well as bad. For example, they might play on people’s trust, greed, curiosity, fear or compassion (or in Basil’s case, snobbery!) all for personal gain.
There are hundreds or even thousands of variants of social engineering. Here are some examples:
Suspicious messages – via email or another means:
- Emails that appear to be from a friend or known contact, but which actually contain an infected link or download.
- Emails asking for ‘more information’ from you, from a legitimate-looking company.
- A request for help and financial support for someone who claims to have been attacked or who is in danger of some kind.
- Money requests from charities that are not legitimate.
- A message notifying you of a huge windfall, such as a lottery win.
- Phone calls asking for professional advice or gaining a business owner’s trust, then sending emails containing promised ‘important documents’. A classic example of this happened in Brisbane just last year, which resulted in perpetrators re-routing large sums of money from a legal firm to their own bank accounts.
Nigerian Prince scam:
Many variants of this one exist. Usually the scams involve a letter or email from an overseas government ‘official’ or ‘royal’ with an offer in exchange for your personal information. Examples of offers include big sums of money, often by cheque, or messages telling you are about to inherit lots of money. Another example is where you get asked for a donation to help fight a ‘dictator’.
Baiting may include offers of ‘specials’ on websites, or in some cases devices such as USBs with enticing labels that are left lying around for curious people to look at. Trouble is the link on the website or the USB can be embedded with malware!
Offers of ‘help’:
If you’ve ever received phone calls or pop-up messages telling you your computer needs ‘fixing’, it’s more than likely a scam. Fraudsters that do this may ask you for access to your system, so they can ‘fix’ it or make it run faster.
Guarding against scams
Many of us are a wake-up to these sorts of scams, having learned the signs or by experience. However, we also need to be aware that new ones are being created all the time, and it’s important to remain vigilant.
Tips for this:
- Do not open emails or click on links that appear to be from someone you know and trust, but which somehow don’t appear right – e.g. they have a different style of language than the sender would normally use.
- Never respond to requests for financial information or passwords, even if they look legitimate. These will almost definitely not be from genuine companies.
- If you get a message offering ‘help’ that you didn’t ask for, it’s likely to be fake, so make sure to delete.
- Be careful when making donations that the charities you give to are legitimate and registered.
- Delete all offers of ‘lottery wins’ or messages saying you are a will beneficiary.
It’s important to practice good cyber security in a general sense as well. Such as:
- Avoid setting the same password for everything you do. If you just have the one, scammers could really wreak havoc if they get hold of it.
- Regularly change your password on your bank accounts and other important sites.
- Use only secure sites (https://) when browsing and especially when making payments.
- Install anti-virus and scan programs and update them regularly.
- Back up your files regularly to an external drive and / or to the cloud.
- Train your staff in how to recognise scams and how to guard against them and report them.
- Always keep your emotions in check when online. As they say – if something appears too good to be true, it probably is!
So, forget people knocking on the doors of elderly ladies to win them over and take over their money! All of us are vulnerable to clever and sneaky online scams and need to take care not to fall into their traps.
Check out our other posts on cyber security here for more info and tips on protecting yourself online.
If you do experience social engineering or another type of confidence trick, don’t react like Basil did! Instead, remain calm and report suspicious messages and emails to your IT provider. If you become a victim of an attack and experience loss, you should report it to the police. You may also want to lodge an insurance claim.
Need assistance or more information?
At CCVT we have recently tightened up our risk management to better manage our online exposure. This includes creating a Delegation of Authority Policy, a Prevention of Fraud Policy, and a Corporate Debit Care Policy. If you would like to know more or to discuss your online security with us, get in touch with our insurance team.
Written by Tess Oliver
Tags: data, risk management, security