Published: 11th September 2020
In our Cyber-Safety Series we explore the common ways that cyber-crimes can take place, so you can be better informed to protect yourself from these attacks.
In this article, we explore the topic of social engineering in cyber-crime.
What is social engineering?
Social engineering is the art of manipulating people and exploiting human psychology to gain access to sensitive data, systems or confidential information.
Criminals use social engineering as a tool to gain unauthorised access to information. They use this technique because it is usually easier to exploit a person's natural inclination to trust than it is to find a technical way into their account or software.
For example, it is much easier to fool someone into handing over their password than it is to crack that password (unless the password is weak).
Some common themes in social engineering include:
- Trust: Pretending to be a close friend or relative
- Threat: Threatening to cut the person off from an account or service.
- Greed/Entitlement: Claiming you have won something, or asking you to share something in order to receive a gift.
Examples of social engineering:
- Phishing is the most common form of social engineering. Phishing can take place through many digital channels, but email is the most common. The message appears to come from a legitimate source and tricks people into providing their information or clicking on malicious links. Statistics say that about 91% of data breaches come from phishing.
- Pretexting is where an attacker presents themselves as someone else to obtain private information. The attacker tries to convince a victim to provide valuable information or access to a service or system.
- Whaling is a form of social engineering where the target of the attack is a "big fish" to capture - usually a senior employee or other important individual at an organization - with the aim of stealing money or sensitive information.
- Vishing is social engineering that takes place over the telephone, sometimes using a rogue "interactive voice response" (IVR) system that mimics a legitimate institution to persuade you to supply your credentials and other data. The most popular vishing attack is the ATO (Australian Taxation Office) scam.
- Baiting is where hackers use a promise of an item or good to deceive the victims. Baiting relies on the greed or curiosity of the victim. The most common example of baiting is strategically leaving malware-infected USB sticks lying around public areas to exploit people's curiosity.
- Quid pro quo attacks are carried out by low-level attackers who continuously call random numbers until they find someone who has requested, or needs, the service they are pretending to offer.
- Tailgating is when an attacker seeks entry to a restricted area that lacks proper authentication controls. The attacker can simply walk in behind a person who is authorised to access the area. This is also known as "piggybacking".
How to protect yourself against social engineering attacks:
- Limit what you share: Be aware of what you share in social media. The less you share about yourself, the smaller the target you are for a social engineering attack.
- Trust your instincts: Be suspicious of unsolicited phone calls, visits or email messages from unknown sources. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organisation online and contact them via their official website, email, or telephone number – not what was provided in the message.
- Verify individuals' identities: Try to verify an individual's claim to be from a legitimate organisation. Cyber-criminals copy organisation and company identities, including email addresses, logos, and URLs that closely resemble the legitimate ones they are trying to imitate.
- Protect your Personal Identity Information (PII): Do not reveal Personal Identity Information (PII) or any financial information by email or over the phone. No legitimate company or organisation will ask for your username, password or other personal information via email, phone, or text.
- Double verification of accounts: Double check the sender's email address. Any correspondence from an organisation should come from an organisational email address.
- Trust nothing, question everything: Question everything that you do over the internet.
Support and resources
Please keep yourself safe from such fraudulent activity and be wary of offers that seem too good to be true. The Australian Government provides cyber-safety resources and advice on their eSafety website, the ScamWatch website and the Stay Smart Online page.
If you have been a victim of cyber-crime, you can make a report to police through the ReportCyber portal.