Social engineering is an umbrella term for a range of attack methods, and one that appears often in the cybersecurity landscape. Social engineering attacks rely on people as the weak point rather than on flaws in system security or software, and they typically use people and communication channels to carry out the attack. If you haven’t already read our introduction to cybersecurity post, or need a refresher, you can find it here.
This post will describe a range of social engineering methods and our top tips on how to avoid them.
Phishing is a form of attack that uses email to trick a user into thinking that they have received a legitimate communication from a company or person that they trust. Phishing can also arrive as a text message, in which case it is referred to as ‘smishing’.
A phishing email will look like it has come from a reputable organisation. This could be a bank, the government, an insurance company, etc.
Top things to do to check for phishing emails:
Check that the email address is genuine. Phishing emails often look reputable, but the address they come from may look odd. It could be a random assortment of letters and numbers, or it could use a different domain name from the one associated with the company.
Check that any links in the email go to the domain that you would expect. You can hover over any hyperlink to see where it actually leads before clicking it. If it goes to the company’s own website, that is what you would expect; if it goes somewhere odd, that’s a sign that the email is a scam.
The language used in the email might be unusual. It may say ‘dear user’ or ‘dear valued customer’, or the grammar used in the email might be unusual. These are all ways to spot that the email might not be genuine.
There are also a number of organisations that will not usually contact you by telephone, text or email, so if you receive an email claiming to be from one of these companies, it is most likely a scam.
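The three checks above (sender domain, where each link really goes, and generic greetings) can be automated. The following is an added example, not code from the original post: it parses a constructed sample email and reports each check that fails, assuming a hypothetical expected brand domain of example-bank.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email). The sender domain, the link
# target and the greeting each fail one of the checks described in the post.
SAMPLE = """From: "Example Bank" <security-alert@examp1e-bank-login.xyz>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear valued customer,</p>
<p>Please <a href="http://examp1e-bank-login.xyz/verify">visit https://www.example-bank.com</a> now.</p>
"""

EXPECTED_DOMAIN = "example-bank.com"  # assumption: the domain the brand really uses


def registrable(host):
    """Crude last-two-labels domain (assumes no multi-label public suffixes such as co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_targets(html):
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)


def check_email(raw, expected_domain):
    """Return a list of human-readable findings; an empty list means no check failed."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Check 1: the real sender domain, not the display name, must match the brand.
    sender_domain = addr.rpartition("@")[2]
    if registrable(sender_domain) != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    body = msg.get_payload()
    for href, text in link_targets(body):
        host = urlparse(href).hostname or ""
        # Check 2a: the link must lead to the expected domain.
        if registrable(host) != expected_domain:
            findings.append(f"link {href!r} goes to {host!r}, not {expected_domain!r}")
        # Check 2b: visible link text showing one site while the href goes elsewhere.
        shown = re.search(r"https?://([^\s/<]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)!r} but target is {host!r}")
    # Check 3: generic greetings are a classic phishing tell.
    if re.search(r"dear (user|valued customer|customer)", body, re.I):
        findings.append("generic greeting instead of your name")
    return findings
```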
Also known as pretexting, blagging is another social engineering technique that can use email, but instead of trying to create an email that looks like it comes from a reputable company, this type of attack tells the user a story designed to make them want to send over their details or money. This could be that a friend is in debt, or that there is an investment scheme. Normally the attacker will ask for some amount of money.
Top tips to avoid blagging / pretexting attacks:
The first one is to check for generic language such as ‘hi friend’ or ‘dear investor’. Additionally, the grammar used could once again be unusual.
The second thing to check is the domain name of the email address, for the same reasons as outlined above.
Do not give away any personal information in a public place (such as social media) as this can be used to create the stories that blaggers use.
Shouldering is the social engineering technique of looking over an individual’s shoulder to see data that the individual is entering into an interface. This could be usernames and passwords on computers, or PINs in card machines. The attacker aims to capture this data and use it for their own nefarious ends.
Top tips to avoid shouldering attacks:
Make sure that there is nobody standing near you when you enter sensitive information into an interface.
Make use of privacy screen protectors for mobile devices, which can be used to stop people from being able to look at data on your phone from either side of you.
Pharming is the social engineering technique of redirecting a user from a legitimate website to a fake one. There are two ways this is achieved. The first is changing the records stored on a Domain Name Server (DNS) - basically the biggest address book of the internet, where URLs are mapped to the locations they refer to. The second is changing the hosts file on the victim’s computer. The fake website asks for usernames and passwords, and once the user enters them there, the attacker has the user’s credentials to use on the real website.
Top tips to avoid pharming attacks:
Double check the spelling of the URL of the website to ensure that it is legitimate. There might be a slight difference in the spelling of the URL to that which you would expect for that company.
Make sure you can see that the site uses HTTPS as its protocol. This means that the connection to the site is encrypted, so the data you send cannot be read in transit. You can see this at the start of the URL in the address bar, usually alongside a padlock icon.