Social engineering can be elaborate and is generally highly convincing, with approaches usually made by somebody who appears to be a person you trust or a figure in authority. It is sometimes made more believable by snippets of information which the fraudsters already have about you.
Private individuals and businesses can both be victims of social engineering.
Examples of social engineering
- Responding to a fraudulent email claiming to be from your bank or credit card provider, a government department, a membership organisation or a website you buy from, telling you that you need to follow a link to supply some details – typically a password, PIN or other confidential information. This is known as phishing.
- Supplying details to a fraudster who has phoned you claiming to be from your bank or credit card provider, or from the police and telling you there is a problem. They ask you to confirm confidential information in order to solve the problem. This is known as vishing. They may even despatch a ‘courier’ to collect payment cards or other records from you, known as courier fraud.
- Receiving a phone call from somebody claiming to be a legitimate support agent for your computer or software, and telling you that you have a technical issue. They sound genuine, so you give them your login details which can result in fraud or identity theft. Alternatively you permit them to take over your machine remotely, resulting in them infecting it with a virus or spyware. People claiming to be from ‘IT support’ in your business will normally request your password in order to infiltrate company systems and data.
- Picking up a USB stick, memory card, CD-ROM/DVD-ROM or other storage medium that has been deliberately left for you to find, or is given to you, and inserting it in your computer. The device contains malware – for example a virus or spyware. This is known as baiting.
- In your home or at work, inadvertently granting a criminal physical access to your computers, server or mobile device.
How to avoid social engineering attacks
- Never reveal personal or financial data including usernames, passwords, PINs, or ID numbers.
- Be very careful that people or organisations to whom you are supplying payment card information are genuine, and then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or phone call.
- If you receive a phone call requesting confidential information, verify it is authentic by asking for a full and correct spelling of the person’s name and a call back number.
- If you are asked by such a caller to cut off the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card – and not one given to you by the caller, nor the number you were called from.
- Do not open email attachments from unknown sources.
- Do not readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, which most email programs and browsers display in the bottom left corner of the window. Beware if this destination is different from the address shown in the text of the link in the email.
- Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into your computer if you are not certain of the source, or just because you are curious about their contents.
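The hover check above can also be automated: the following is an added example, not part of the original page, that scans the links in a message and flags any whose visible text names one website while the link itself points to another. The sample email, the function names and the domains in it are constructed for illustration; it runs under Node.js, so the HTML is parsed with a small pattern rather than a browser DOM.

```javascript
// Flag links whose displayed text shows one domain but whose href goes elsewhere.
// Constructed example for illustration; not code from the original page.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;

// Hostname of a URL, tolerating a missing scheme ("www.example.com/path").
function hostOf(s) {
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "http://" + s;
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null; // not a parseable address
  }
}

// If the visible link text looks like an address, return the host it shows; else null.
function hostShownInText(text) {
  const plain = text.replace(/<[^>]*>/g, "").trim();
  const m = plain.match(/(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:\/\S*)?/i);
  return m ? hostOf(m[0]) : null;
}

// Every anchor whose displayed host differs from the host the href really leads to.
function findMismatchedLinks(html) {
  const findings = [];
  for (const [, href, inner] of html.matchAll(ANCHOR_RE)) {
    const shown = hostShownInText(inner);
    const real = hostOf(href);
    if (shown && real && shown !== real) {
      findings.push({ text: inner.replace(/<[^>]*>/g, "").trim(), href, shown, real });
    }
  }
  return findings;
}

// Constructed sample message: one deceptive link, one honest link, one plain-text link.
const SAMPLE_EMAIL = `
<p>Please <a href="https://login.example-bank.com.verify-account.test/x">https://www.example-bank.com/login</a>
to confirm your details.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p><a href="https://www.example-bank.com/app">Open the app</a></p>`;

for (const f of findMismatchedLinks(SAMPLE_EMAIL)) {
  console.log(`link shows ${f.shown} but actually goes to ${f.real}: ${f.href}`);
}
```

Only links whose text looks like an address are compared; a link labelled "Open the app" gives no visible host to check against, which is exactly why the hover check still matters for such links.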
You wouldn’t get certain types of emails from your bank, card provider or the police. So STOP & THINK before you become the victim of a scam.
You wouldn’t get certain types of phone calls from your bank, card provider or the police. So STOP & THINK before you become the victim of a scam.
If a computer company calls to tell you that there’s a problem with your machine, it could be a scam. So STOP & THINK before you become a victim.