Social Engineering
by Rob Sartin - Tue 16 Nov 2021

What if I were to tell you that the weakest point in your IT security is your users? You may not believe me: you trust your employees and users, they’re smart people and they’re loyal. But it’s true, and most victims don’t even realise what’s happening until it’s too late. Social engineering is one of the methods most used by criminals, largely because it is so effective.
So how does social engineering work?
Let’s try something together. Out loud spell the word “roast” in under 5 seconds.
Now spell “coast” out loud in under 4 seconds.
Now spell “most” in under 3 seconds.
Great.
Now answer this question. What do you put in a toaster?
You answered toast, didn't you?
That's okay. Most people do. You may have realised this was wrong just after, or even whilst, you were saying it, but you still felt drawn to that answer, and that is for a couple of reasons. First, I set the idea of a time limit at the start. This pushes your mind into a fast-paced style of thinking that tempts you to take shortcuts rather than think things through properly, often putting you into an associative mode of thinking. Second, I set a frame: the context around a mental process, or the way somebody views the world. The frame in this case was built from rhyming words (all of which rhyme with toast). So, whilst you were feeling rushed and thinking of these words, I asked the question and planted a toaster into the frame. Now you are thinking about a toaster and toast, and all of this combined compels you to answer “toast”.
There are many different methods to social engineering and often criminals will target victims through two main contact methods, on the phone and online.
When criminals target you by phone they will often pose as employees of, say, your bank, your internet provider or your ‘IT company’. They will try to win your trust by using familiar phrases such as “I must make you aware that all calls are recorded for monitoring and training purposes”, and they may ask some basic ‘security’ questions, often using readily available information found through a bit of light research. Once they feel they have your trust they will proceed to try to obtain what they’re after (bank details, passwords, access to a computer, etc.), and will often imply or stress the urgency of getting what they need.
The most common technique by far is online, and it is known as phishing. It could be something as simple as an email appearing to come from someone you know and trust that asks you to do something (transfer some money, send a password over, etc.), or it could guide you onto a fake version of a website you are familiar with, trust and often enter details into. Once you have entered your details on the fake site, that information is readily available for the criminals to access and use.
How to protect yourself?
First of all, never give out your passwords, for anything, to anyone. If someone (such as your IT team) genuinely needs access to your account, have them reset it and give you the new password, then change it to something only you know as soon as IT are finished.
If you are entering any details on a website, check that the address at the top of the window is correct and the address you would expect, look around the website and check everything looks okay and is working as expected.
Never open suspicious attachments, even if they appear to come from someone you know and trust; check with IT or with the person reported to have sent it if you are unsure.
If someone is asking you to do something outside your ordinary day-to-day tasks, take the time to check with the person or persons purporting to ask you to perform the task or hand over the information, using contact details you had prior to the request (for example, phone them on a number you already had and not the one in the suspicious email).
Read emails carefully, look for poor wording or spelling mistakes, check the email address that sent the email against the email address you know to be correct. Check the layout and format of an email compared to emails you know to be genuine.
If you are ever in doubt, terminate the line of communication/don’t access the email or links whilst you verify they are who they say they are. Again, you can verify someone’s identity by contacting the person/company directly via independently sourced contact methods and/or by speaking with your IT team.
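Two of the checks above (compare the sender's address against the one you already hold for that person, and check that a login page's address is the one you expect) can be written down as code. The script below is an added example and is not from Rob Sartin's post; the address book, trusted hostnames and the sample message are constructed placeholders using reserved example domains, and the lookalike test (a trusted name embedded in a longer hostname, or within two character edits of it) is one simple heuristic, not a complete anti-phishing filter.

```python
"""Added example: the sender and web-address checks from the post, as code.

The contacts, hostnames and message below are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Address book you held BEFORE the message arrived (constructed sample data).
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@example-bank.com",
    "it helpdesk": "helpdesk@example-corp.com",
}
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}
# Sites you normally sign in to (constructed sample data).
TRUSTED_HOSTS = {"www.example-bank.com", "portal.example-corp.com"}


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate, trusted, max_edits=2):
    """'trusted' for the name itself or a real subdomain of it, 'lookalike' for a
    near miss (trusted name buried inside a longer name, or a few edits away),
    otherwise 'unrelated'."""
    c, t = candidate.lower(), trusted.lower()
    if c == t or c.endswith("." + t):
        return "trusted"
    if t in c or edit_distance(c, t) <= max_edits:
        return "lookalike"
    return "unrelated"


def check_sender(raw_message):
    """Return (code, detail) findings for the From/Reply-To headers of a message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # The display name is whatever the sender typed; compare the real address
    # against the one you already hold for that person.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(("display-name-mismatch",
                         f"'{name}' is {known} in your address book, not {addr}"))
    sender_domain = domain_of(addr)
    for trusted in sorted(TRUSTED_DOMAINS):
        if classify_domain(sender_domain, trusted) == "lookalike":
            findings.append(("lookalike-domain", f"{sender_domain} resembles {trusted}"))
    # Replies silently going somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply-to-differs", f"replies go to {reply_to}, not {addr}"))
    return findings


def check_url(url):
    """Return (code, detail) findings for a link before you enter details on it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append(("not-https", f"{url} is not served over HTTPS"))
    verdicts = {t: classify_domain(host, t) for t in TRUSTED_HOSTS}
    if "trusted" in verdicts.values():
        return findings
    lookalikes = sorted(t for t, v in verdicts.items() if v == "lookalike")
    if lookalikes:
        findings.append(("lookalike-host", f"{host} resembles {', '.join(lookalikes)}"))
    else:
        findings.append(("unknown-host", f"{host} is not a site you normally sign in to"))
    return findings


# Constructed sample: a familiar name, a domain one character off, and a
# Reply-To pointing elsewhere.
SAMPLE_MESSAGE = """\
From: Jane Smith <jane.smith@examp1e-bank.com>
Reply-To: payments@mail-relay.example.net
Subject: Urgent: transfer needed before 5pm

Please send the amount to the new account today.
"""

if __name__ == "__main__":
    for code, detail in check_sender(SAMPLE_MESSAGE):
        print(f"[{code}] {detail}")
    for code, detail in check_url("https://www.example-bank.com.secure-login.example.net/verify"):
        print(f"[{code}] {detail}")
```

Run as-is it reports three findings for the sample message (name matches a known contact but the address does not, the domain is a lookalike, and replies are routed elsewhere) and one for the link (the trusted hostname is buried inside an unrelated domain). A message from the genuine address with no Reply-To produces no findings, which is the point: the checks are only as good as the address book and hostname list you held before the request arrived.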