In the tech industry, social engineering refers to the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Now you might think only people who aren’t paying attention will be foolish enough to give away confidential information to someone they don’t know, but how often have you read an email from someone and simply trusted that they are who they say they are? I know I have.
Social engineering is a broad term which covers many deceptive techniques and it would take more than this blog to go through each technique – but I will try and outline a few of the most popular social engineering scams that many of us would have experienced ourselves – just to remind us to keep on our toes:
- Phishing. Have you ever received an email that wants you to click a link to claim the £10,000 you have won? Or have you ever won a luxury holiday you didn’t even enter for, which you can only claim if you fill out a form with all your contact details? These are phishing emails. They range from harvesting your name and home address so you can be targeted with more of the same, to getting you to open a link or attachment that installs malware, usually with a message written to frighten or hurry you into acting before you think.
- Pretexting. This technique is slower, but more sophisticated and even more worrying. Pretexting attacks rely on building a relationship with the victim under a false identity or story. That build-up of trust can lead victims to hand sensitive material to someone who should never have had it. In the PR world, pretexting can start when you open an email chain with someone you think is a client, journalist or colleague. Once a few emails have gone back and forth you naturally assume the person you are speaking to is trustworthy, and then you might start saying more than you ought…
- Tailgating. This technique plays on our culture of politeness. Who doesn’t hold the door open when they look behind them and see someone following? We assume that if they are walking our way they must know where they are going, so who cares whether they scan their pass at the door or not. This is where the danger lies. With that level of trust, individuals who could do your company harm can walk onto your premises without anyone stopping them.
- Quid Pro Quo. Possibly not an obvious social engineering technique as it happens to everyone often in their daily lives. Have you ever been at an event or walking along the street and to win a “freebie” you have to give them your company/personal email address and some details about yourself? Well, have you ever wondered who is using that information you freely gave out? The majority of the time this is a company or an individual who wants to contact you and sell you their product. But, all it takes is someone with the intention to steal personal information to walk around with an iPad and offer a prize to gather mammoth amounts of information for free.
So now that I have worried you with all the potential dangers on and offline, let’s go through the easy steps you can take to protect personal and company information. I learnt these top tips from a Sophos talk at IP Expo 2016 in October, and using their advice I have really started to see the danger of being too trusting.
- Slow down and do some research. When you receive an email it is instinct (especially if it arrives in your work account) to respond immediately. Instead, take a moment to check that the address you are replying to is what it should be. If you think you are responding to an Apple.co.uk email and notice the address is actually App1e.co.uk (notice the 1), stop what you are doing, don’t reply or click anything, and let your IT department know immediately; keep the email rather than deleting it, as they will want to see it. Bear in mind that a look-alike domain is only the easy case: a sender address can also be forged outright, so an address that looks right is not proof on its own, and an unexpected request should still be checked with the sender by another route.
- Don’t be so quick to give away personal information. People naturally trust big banks and companies with their personal details, but why? They are not hack-proof: just look at TalkTalk, where a 17-year-old got into its customer data just to show off to his friends. If someone calls you claiming to be from your bank, hang up and phone the bank back using the number from its main website, never a number the caller gives you. A genuine bank will be able to confirm the earlier call from its own records; if it can’t, the first call was very likely a scam. Be aware of what information companies actually need to ask for: if you wouldn’t tell a random person on the street, why tell someone over email or on the phone?
- Don’t be so trusting. In today’s society it is seen as rude not to hold the door open or offer to help someone. But it is not your job to give people access to your workplace. Everyone should have a pass to get into the building, so make sure they use it, even if that means letting the door close behind you.
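The “App1e.co.uk” check above can be done by a script as well as by eye. The following Python is an added example written for this post, not code from the original article or from Sophos. It takes a small constructed list of domains you expect mail from, pulls the domain out of each From: header, and flags addresses that are look-alikes (digit-for-letter swaps, one-character typos, non-ASCII homoglyphs, or a trusted name buried inside a longer domain such as apple.co.uk.account-verify.net). The trusted domains and the sample headers are made up for the example.

```python
"""Flag look-alike sender domains in e-mail From: headers (added example)."""
import unicodedata
from email.utils import parseaddr

# Constructed allow-list for the example: domains you genuinely expect mail from.
TRUSTED_DOMAINS = {"apple.co.uk", "sophos.com"}

# Single characters commonly swapped in to imitate a letter (1 for l, 0 for o ...).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e",
                                  "5": "s", "7": "t", "8": "b"})
# Letter pairs that read as a single letter in many fonts (rn looks like m).
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Collapse look-alike spellings of a domain onto one canonical form."""
    # NFKD splits accented/fullwidth characters into base letter + marks, so
    # dropping the marks turns 'ápple' into 'apple'. It does NOT map Cyrillic
    # or Greek letters to Latin; those are caught by the isascii() check below.
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    base = base.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        base = base.replace(pair, single)
    return base


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, small enough to write inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for one From: header.

    verdict is 'trusted', 'suspicious' or 'unknown'. 'unknown' is not a pass:
    it only means the domain is neither on the list nor imitating one.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "suspicious", "no parsable address in From header"
    # Exact match, or a genuine subdomain such as mail.sophos.com.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", f"domain is {trusted} or a subdomain of it"
    if not domain.isascii():
        return "suspicious", "non-ASCII characters in domain (possible homoglyphs)"
    for trusted in TRUSTED_DOMAINS:
        # apple.co.uk.account-verify.net is owned by account-verify.net, not Apple.
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return "suspicious", f"{trusted} embedded in a longer domain"
        if skeleton(domain) == skeleton(trusted):
            return "suspicious", f"look-alike of {trusted} after confusable substitution"
        if edit_distance(domain, trusted) <= 1:
            return "suspicious", f"one edit away from {trusted}"
    return "unknown", "domain not on the trusted list"


# Constructed From: headers for the example run.
SAMPLE_HEADERS = [
    "Apple Support <noreply@apple.co.uk>",
    "Apple Support <noreply@App1e.co.uk>",
    "Apple Billing <billing@apple.co.uk.account-verify.net>",
    "Apple Security <alert@appIe.co.uk>",  # capital I in place of lower-case l
    "Sophos News <news@mail.sophos.com>",
    "Prize Team <win@luxury-holiday-prizes.biz>",
]


def audit(headers):
    """Classify every header; returns {header: (verdict, reason)}."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, (verdict, reason) in audit(SAMPLE_HEADERS).items():
        print(f"{verdict:10} {header}  ({reason})")
```

The three “suspicious” rules are deliberately separate so the reason string tells you which trick was used. The check only looks at the domain in the From: header, which, as noted above, can itself be forged; treat this as a first filter for the obvious typosquats, not as proof that an email is genuine.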
We are deep into the January sales, so everyone is currently receiving numerous emails from companies offering deals, products or opportunities to win. Some of these can be legitimate offers but be careful, and do your research before trusting anything from anyone you don’t know – or you could live to regret it.
Julian Sole, Graduate Trainee, Technology