14 April 2022 | The Bureau
What is Social Engineering?
The need for strong firewalls, anti-malware software and operating system patching is now understood; the big issue continues to be the human factor.
It is estimated that less than 1% of attacks are now targeted at system vulnerabilities, with staff curiosity and trusting nature the cyber criminal’s weapon of choice. It seems we just cannot stop ‘clicking’ those links and attachments. One of the top cyber-attack methods today is called ‘Social Engineering’, the term used to describe a collection of cyber fraud techniques increasingly employed to trick companies and individuals into handing over personal data, money, and other assets. It manipulates, disrupts, and deceives to gain illegal control over IT systems, personal desktop computers, mobile phones, and tablets.
A social engineering campaign will identify one or more particularly valuable targets, such as a large corporation, a multi-millionaire, a celebrity, or even you. The campaign will gather as much specific information as possible about the target using data sources such as Companies House registers, trade associations, sports and social clubs, schools, universities, social security numbers and social media. Since many individuals now record a lot of their personal details on social media, it is not surprising that cyber criminals find so much so easily.
As office technology becomes the driving force behind businesses of all sizes, the need to protect it from cyber attack grows. The thought of a data loss incident, Phishing fraud, Ransomware or a Social Engineering scam is unthinkable, each with the potential to do untold damage to customer relations and attract heavy fines.
Why should we worry?
The very targeted nature of social engineering means that the fraud is likely to be greater and more damaging. With so much data available online today, building a well-targeted and convincing ‘social engineered’ campaign is relatively easy, and such a campaign can fool even the most vigilant person.
Favourite Social Engineering Techniques
Baiting
Baiting is a common ploy to tempt an employee’s curiosity by planting a CD or USB somewhere obvious, like on a desk or next to a computer. The employee’s curiosity is aroused; they pick it up and insert it into their laptop or desktop computer, and soon after, or later that day, it downloads malware onto the computer. The cyber criminal will have ‘hacked’ their computer and gained access to logins, sensitive information and confidential files. This is no longer so common now that employees know better than to pick up stray CDs and USBs!
Delivery or Diversion Theft
This is where deliveries, postal services and couriers are targeted by cyber criminals to trick a delivery firm into making the drop somewhere else, sometimes referred to as ‘round the corner theft’. The objective is to con the person responsible for a legitimate drop-off into delivering somewhere else.
More recently, during the pandemic months, this has taken on a new form where rogue delivery firms disguised as genuine providers like Amazon, DHL, DPD, Parcelforce and Royal Mail claim to have a parcel that has not been paid for and promise to deliver once the payment is made. The cyber criminals then put up a fake bank payment screen and steal the money.
Honeytrap
This is usually aimed at men, where attractive women are promoted via an online dating site or similar to trick them into clicking a malicious web link. Curiosity online is dangerous and can lead to all sorts of awkward scenarios as well as being costly.
Phishing
This is the most notorious cyber-crime technique, where criminals seek to steal IT user names, passwords and credit card details, usually via a phishing email appearing to come from a known and trusted provider, work colleague or personal friend. Bitcoin promotions, utility companies, HMRC and couriers, each seeming genuine and harmless enough, are increasingly hijacked by hackers and fraudsters.
Some of the biggest Phishing frauds succeed with no more than a simple email instruction, without any attachments or embedded links. All you need to do, it seems, is write a convincing email. Add to this the growing content published on social media by private individuals and firms, and it is relatively easy to piece together profiles through which to steal personal data, passwords, identities, Cloud system logins and bank details.
Microsoft Office 365 users are regular targets: a phishing email is sent purporting to be from Microsoft, requesting that the user log into their Office 365 portal, but the link leads instead to the criminal’s copy of the Office 365 login screen, tricking the user into submitting their credentials to the attackers. This is where multiple verification methods come in handy.
Firms can protect themselves by applying for the Cyber Essentials Accreditation Certificate. This is like a Kitemark for Cyber Security and asks what security methods are already in place, such as firewalls, logins, virus prevention, passwords, data security protection routines, cyber incident reporting, software patching and controls, and security policy standards for employees and the use of office technology, including mobiles. Cyber Essentials is now incorporated into the ‘Lexcel’ Legal Practice Quality Mark standard for legal professionals.
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium to create this set of basic technical controls to help organisations protect themselves against common online security threats. The full scheme, launched on 5 June 2014, is backed by industry including the Federation of Small Businesses, the CBI and most insurance companies. Cyber Essentials is suitable for all organisations, of any size, in any sector.
The National Cyber Security Centre (NCSC) also has a lot of useful guides on cyber security including the Cyber Essentials guide at https://www.ncsc.gov.uk/cyberessentials/overview
Quid Pro Quo
You give me something and I will give you something in return. Typically, this will be an email offering you a free shopping voucher, a Bitcoin sign-up screen or similar, to encourage the user to click to accept or enter. This might include an attachment or an embedded link, whereupon the user downloads exploit code and their PC becomes infected. This now happens on mobiles too.
The Facebook video at https://www.youtube.com/watch?v=yrjT8m0hcKU&t=4s is a good example of this. A café asks customers to like its Facebook page in return for a free muffin. The customers log in to their Facebook accounts to ‘Like’ the café’s Facebook page. The black van across the road picks up all their personal details, which are then relayed back to the customers to their great surprise! There are plenty of examples of individuals and firms posting far too much personal and sensitive information online for cyber criminals to pick up.
Rogue Virus Scans and Scareware
Fake or rogue anti-virus, anti-spam and anti-spyware offers are frequent arrivals in email inboxes, designed to trick the user into downloading or running fake scans which then infect their PCs with malware or ‘hack’ exploit code. Scareware is another malware tactic that cyber criminals use to manipulate users into doing something they do not need to do, perhaps with time limits, expiration or termination threats. This is typically accompanied by a suitably tempting or scary subject line. These emails should be deleted.
Spear Phishing
This is where a phishing campaign becomes very specific, targeting a particular firm or individual. A spear phishing campaign may take weeks or months of background research by the fraudsters to gather enough information to make their scam convincing enough to work. Having done the research, the target will be attacked and very likely robbed of login credentials and other sensitive data. It sounds completely inconceivable that anyone would go to so much trouble, but they do.
Vishing
This is another version of phishing, conducted by phone, where a bank’s interactive voice response system (IVR) is imitated to deceive a user into handing over bank logins or similar credentials. The victim is sent a voice message asking them to call their bank or similar, usually on a free number, to ‘authenticate’ their details. Some vishing scams will have the attacker call the victim directly, claiming to be a customer services agent.
Water-Holing
This technique takes advantage of websites people regularly visit and trust. The attacker will research the selected group of web users to discover the sites they most regularly visit and seem to trust. The cyber criminal will then look for vulnerabilities on these sites, such as weak passwords, poor software patching processes or limited authentication procedures, to plant exploit and other malicious code onto the site. It is then a matter of time before one or more of the target users becomes infected with malicious code or is hacked.
Cyber security breaches are never the result of something that could not be prevented.