You’ve probably heard the term social engineering used alongside words such as hacking, scams or phishing, but what does social engineering actually mean?
In simple terms, social engineering is the act of manipulating, influencing or deceiving someone in order to get them to do something. In terms of technology, this means manipulating someone into completing an action that gives the attacker access to their details or installs something on their computer.
Social engineering is the umbrella term for many different techniques that criminals use to illegally access data and install malicious software.
How does it work?
Social engineering is most commonly practised online, but it is also carried out over the phone and, increasingly, by text message.
An attacker sends you some form of message urging you to take immediate action, usually threatening severe consequences if you don't. The aim is either to get you to hand over information such as personal details, financial or credit card information, or to get you to install malicious software on your computer without realising it.
The trick to social engineering is exploiting human nature, such as urgency, fear or carelessness, and producing a convincing forgery, so that the victim believes they are communicating with a trusted source.
Examples of Social Engineering
There are many different techniques and examples of social engineering, and they aren't limited to technology. We're going to focus on the most common examples that we see come through.
Phishing is when a scammer sends out an email claiming to be from a well-known organisation in an attempt to gather personal and financial information. You typically see these emails come from banks, mail carriers etc.
Several recent phishing campaigns targeting Australians have featured precise replicas of the imitated organisation's brand design and competent use of English, whereas the typical fake email might historically have been easier to identify thanks to spelling errors, poor grammar and inconsistent design.
SMS phishing (often called smishing) works the same way by text message: an SMS arrives on your phone that appears to come from a trusted source or contact, usually alerting you to some kind of problem that needs immediate attention.
Like a traditional phishing attack, the message will include a link that is designed to look legitimate but will redirect you to a fake site, where the goal will be to either steal your credentials or install malware.
Unlike traditional phishing, where the same email is sent out en masse, spear phishing is a much more targeted attack.
Spear phishing involves the attacker researching their target, and the email is usually addressed to them by name, making it seem more legitimate.
CEO fraud is when attackers impersonate the CEO or another executive in a company to fool an employee into sending a wire transfer or sharing sensitive information. Attackers usually spoof the sender address so it appears legitimate, or register a lookalike domain that copies the real one except for a single character.
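The lookalike-domain trick described above for CEO fraud, and the lookalike links used in phishing and SMS phishing, can be caught mechanically. The following Python script is an added example, not code from the original article: it flags a From: header whose domain is within one character edit of a trusted domain (or matches it after swapping visually confusable characters such as "rn" for "m"), and separately flags an executive's display name arriving from an untrusted domain. The trusted domains, executive names and sample headers are all constructed for illustration; the same domain check can be applied to the hostname of any link in a message body.

```python
"""Flag sender addresses that impersonate a trusted domain or an executive.

Added example; the domain list, executive list and sample headers below are
hypothetical and constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical: domains this organisation treats as its own.
TRUSTED_DOMAINS = {"example.com", "example-group.com.au"}

# Hypothetical: display names attackers are most likely to impersonate.
EXECUTIVES = {"jane smith"}

# Character pairs that look alike in many fonts; attackers swap the left
# form for the right one when registering a lookalike domain.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences to the real one."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # "exarnple.com" is two edits from "example.com" but identical once
        # "rn" is collapsed to "m"; "example.co" is one edit away.
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "external"


def classify_message(from_header: str) -> list[str]:
    """Return the list of red flags raised by a From: header."""
    flags = []
    display, _addr = parseaddr(from_header)
    verdict = classify_sender(from_header)
    if verdict == "lookalike":
        flags.append("lookalike-domain")
    # A known executive's name on a non-trusted address is the classic
    # CEO-fraud pattern, whether or not the domain is a lookalike.
    if display.strip().lower() in EXECUTIVES and verdict != "trusted":
        flags.append("exec-name-external-domain")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Jane Smith <jane.smith@example.com>",
        "Jane Smith <jane.smith@exarnple.com>",
        "Jane Smith <jane.smith@examp1e.com>",
        "Accounts <accounts@example.co>",
        "Jane Smith <ceo.jane@gmail.com>",
        "Courier <noreply@gmail.com>",
    ]
    for header in samples:
        print(f"{header:45} {classify_sender(header):10} {classify_message(header)}")
```

In a mail gateway the domain check would run against both the envelope sender and the visible From: header, and against the hostnames of every link in the body, since the page notes that phishing links are built to look legitimate while pointing elsewhere. The edit-distance threshold of one is deliberately tight; raising it catches more variants but will start flagging unrelated short domains.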
What can you do?
It’s important to make sure your staff are trained in how to spot these different social engineering techniques and know what to do if they think something they’ve received is suspicious.
Consider conducting phishing tests on your staff and holding regular training so they are up to date on the latest tricks that attackers use.