In the context of IT security, social engineering means the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. While systems become progressively more secure, humans unfortunately remain vulnerable to manipulation. This is because criminals can take advantage of people’s emotions to persuade them to provide personal or other sensitive information that they would not usually share.
How does social engineering work?
Scammers exploit human emotions such as curiosity, fear and greed to make people take actions they would normally avoid. A social engineering attack can take place in the real world as much as in the digital one, but it is always designed to make the victim share information or download malicious software.
One of the most common tactics used is baiting. This happens when the target of an attack is tempted into downloading malware or sharing information with the promise of a reward or exclusive access to specific information. Baiting happens in the real world with, for example, USB devices left in conspicuous public places. These end up being picked up by curious individuals who cannot resist the temptation to open them on their own devices to see what content they contain. More commonly, baiting happens through email or on the internet with, for example, messages telling the user that they have won a prize or been selected for some award and asking them for personal details, or to access a link, to ‘complete’ the process. If you unexpectedly receive a message claiming that you have won something or making an offer that seems too good to be true, treat it with extreme caution.
Another very common form of social engineering is phishing. Phishing normally happens via email, although it can also occur by SMS (smishing) or voice call (vishing). A phishing attack normally focuses on fear, rather than curiosity or greed. It normally uses a sense of urgency or the threat of negative consequences to push the user into sharing information or downloading malicious files. These attacks normally take the form of telling a user that an account has been compromised and that details are needed ‘immediately’ to rectify the situation. The threat of a phishing attack can be minimised by ensuring you have adequate anti-virus software installed on your devices and by taking a few precautionary steps, such as checking the email addresses of senders and the URLs included in messages. Also, keep in mind that legitimate communications from organisations should be addressed to you personally and should never make you feel that you must share sensitive information under pressure. When in doubt, always contact the organisation through a known safe channel.
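The sender-address and URL checks described above, turned into a small detection routine as an added example (not code from the original article or from MeDirect): it parses a constructed sample email and reports the red flags the article lists (unfamiliar sender domain, link text that does not match the real link target, pressure language, generic greeting). The trusted-domain list, the urgency word list and the sample message are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation actually sends from (assumed; replace with the real list).
TRUSTED_DOMAINS = {"mybank.example", "www.mybank.example"}
# Wording that tries to create the urgency or fear the article describes (assumed list).
URGENCY_TERMS = ("urgent", "immediately", "suspended", "compromised", "within 24 hours")
# Constructed sample message (not a real email) that shows every red flag at once.
SAMPLE_EMAIL = """\
From: "MyBank Security" <alerts@mybank-secure-login.example>
Subject: URGENT: your account has been compromised
Content-Type: text/html

<p>Dear customer,</p>
<p>Your account will be suspended unless you verify your details immediately.</p>
<p><a href="http://mybank-secure-login.example/verify">https://www.mybank.example/account</a></p>
"""


def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Sender address: the display name can say anything; only the address domain matters.
    _display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        findings.append(f"sender domain {sender_domain!r} is not one the organisation uses")
    # 2. Links: compare the domain shown in the link text with where the href really goes.
    #    Single-part messages only (assumption); a multipart message yields an empty body here.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real_domain = urlparse(href).netloc.lower()
        shown_domain = urlparse(text.strip()).netloc.lower()
        if shown_domain and shown_domain != real_domain:
            findings.append(f"link text shows {shown_domain!r} but points to {real_domain!r}")
        elif real_domain not in trusted_domains:
            findings.append(f"link points to untrusted domain {real_domain!r}")
    # 3. Pressure language in the subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    # 4. Generic salutation where a legitimate sender would address you by name.
    if re.search(r"\bdear (customer|user|client|member)\b", body, re.I):
        findings.append("generic greeting instead of a personal salutation")
    return findings
```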
A more sophisticated form of phishing is called spear phishing. This normally targets senior management or officials within an organisation who have access to sensitive or privileged information. In these cases, attackers spend much more time investigating their target to craft messages that include highly specific details or that appear to be sent from key individuals, which makes them much harder to detect as malicious. Spear phishing attacks require a lot more research and effort from hackers and can evolve over months as they build up the trust and confidence of their target. However, the potential rewards of compromising the accounts of high value targets make spear phishing an attractive proposition for criminals.
Fear and pressure are also used in a tactic known as scareware. This tactic sees scammers bombard the user with messages while they are browsing the internet telling them that their device has been infected by malware and pushing them to click on a link to download some software to scan or clean their device. Of course, the software installed is of no benefit to the user, only to the scammer.
Stop and think!
Bad actors will always exist, and attempts to gain access to your personal information or accounts are inevitable. That said, you can significantly reduce the risk, not only by installing the appropriate software on your devices and keeping it up to date, but also by being cautious and asking yourself some simple questions: Is this offer too good to be true? Was I expecting this organisation to contact me this way? Do I feel under pressure to make a decision? These questions will help you to spot potential social engineering attacks. Stop and think before you click.
Finally, if you receive a message that claims to be from MeDirect but you are not sure of its authenticity please contact us immediately on (+356) 2557 4400. The information you provide will be used to help reduce financial fraud.