Cyber social engineering scams have been around for more than a decade, yet people continue to fall for them every day, largely because of a lack of awareness and basic cyber security training.
Unfortunately, the weakest link in your cyber security is also usually your greatest asset – your team members. At claireLOGIC we’re keen to spread awareness to help you fight back…
This is the first of three articles giving an overview of today’s most common social engineering scams. After all, if everyone can learn to identify these attacks more easily, your business will avoid much of the damage and chaos they cause.
What is social engineering?
Social engineering is simply the art of manipulating you to give up confidential information. Criminals are usually trying to trick you into giving them your usernames and passwords, confidential information or even access to your computer. If they do manage to access your computer they may secretly install malicious software; this ‘malware’ could give them access to your passwords, company data or banking information. Additionally, giving them control over your computer could even give them access to your entire work network.
Ask any cyber security professional and they will tell you that the weakest link in the security chain is the person who accepts a person or scenario at face value.
Think about it this way – you could have deadbolts on your doors, guard dogs, alarm systems, intercoms and floodlights, but if you trust the person at the door who says he is the pizza delivery man, you will just let him in. You are then completely exposed to whatever risk he represents. That is social engineering in a nutshell. But how do criminals use the same principle in the virtual world? Read on to find out what you should look for.
Why don’t they just try and hack your computers?
Criminals use social engineering methods because it’s usually much easier to manipulate *you* than to hack your computer system. For example, it is much easier for them to fool you into giving up a password than to crack it (unless of course your password is really weak, or written on a post-it note stuck to the front of your PC).
Data security is about taking sensible steps in a layered security approach and teaching everyone with access when not to take a person at their word. Helping your team verify that the person they are communicating with is who they say they are is a key area. The same is true of online interactions and the emails you receive – are you confident about when to trust that an interaction is legitimate and safe?
What is Phishing?
Phishing is the leading form of social engineering attack, typically delivered in the form of an email, chat, web advert or website that has been designed to impersonate a real organisation. Phishing messages are designed to create a sense of urgency, fear or both, with the end goal of capturing your sensitive data.
A phishing message might appear to come from a bank, the government or a major trusted corporation. The calls to action vary – some might ask you to “verify” your login details for an account, and include a mocked-up login page complete with logos and branding to look legitimate.
Some claim you have ‘won’ a prize or lottery and request access to a bank account to pay in your winnings. Some ask for charitable donations after a natural disaster or tragedy. Some give you the option to ‘cancel a purchase’ you didn’t make.
Below is a real example of a phishing attack – at first it looks like a genuine email from Apple:
It shows a fictitious charge and an invitation to click a button if ‘You didn’t authorise this purchase’, which of course you didn’t.
Apple ID is a familiar term, but if you think about it for a moment, why would you get an email from “Apple ID”? Also, when you look at the actual email address rather than the displayed sender name, the address, as in this case, is often obviously bogus.
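As an added illustration (not part of the original article), the “displayed name versus actual address” check described above, written as a small Python script run over constructed message headers. The brand-to-domain table and the sample messages are assumptions made up for the demo:

```python
import email
from email.utils import parseaddr

# Constructed allowlist (an assumption for this demo): a brand word that might
# appear in a display name, and the domains that brand legitimately sends from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com"},
}

# Constructed sample headers mimicking the "Apple ID" message discussed above.
SAMPLE_PHISH = """\
From: "Apple ID" <noreply@apple-id-billing.example>
Reply-To: refund-desk@another-host.example
To: you@yourcompany.example
Subject: Your receipt

If you didn't authorise this purchase, click here.
"""

# Constructed sample where the display name and the real address agree.
SAMPLE_LEGIT = """\
From: "Apple" <no_reply@apple.com>
To: you@yourcompany.example
Subject: Your receipt

Thank you for your purchase.
"""

def sender_fields(raw_message):
    """Return (display name, From address, Reply-To address) from raw headers."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    return name, addr.lower(), reply_to.lower()

def domain_of(addr):
    """Part of an address after the '@', or '' if there is none."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def sender_warnings(raw_message, brand_domains=BRAND_DOMAINS):
    """List reasons the sender looks inconsistent with who it claims to be."""
    name, addr, reply_to = sender_fields(raw_message)
    sender_domain = domain_of(addr)
    warnings = []
    # The display name claims a brand, but the real address is not that brand's.
    for word in name.lower().split():
        legit = brand_domains.get(word)
        if legit and sender_domain not in legit:
            warnings.append(f"display name mentions '{word}' but mail comes from {sender_domain}")
    # Replies are silently routed to a different domain than the one that sent the mail.
    if reply_to and domain_of(reply_to) != sender_domain:
        warnings.append(f"replies would go to {domain_of(reply_to)}, not {sender_domain}")
    return warnings
```

Running `sender_warnings(SAMPLE_PHISH)` returns two warnings, while the consistent sample returns none.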
There are some very good antivirus, anti-spam and malware detection solutions available. Using them in a layered approach will dramatically cut down the number of attacks that actually reach you or your team. The criminals are constantly trying to find new ways to reach you…
If you would like to discuss your company’s data security, as well as how to minimise risk and recover as easily as possible from an attack, then please just call us on 01865 989144 or contact us today.