Social Engineering

Social engineering is the route to many types of crime including fraud and identity theft. It refers to the act of manipulating or deceiving someone into certain actions including divulging personal or financial information … a kind of confidence trickery. It exploits elements of human nature such as fear of loss, being protective, wishing to be helpful, or obliging others. 

There is seemingly no limit to the elaborate lengths that fraudsters will go to in order to achieve their ends. Social engineering is designed to be highly convincing, with hoax approaches emulating normally trustworthy sources such as your bank, the police or a government department and often made more convincing by the presence of information already held about you or your business by the fraudster.

Examples of social engineering

  • Responding to a fraudulent email claiming to be from your company’s bank or credit card provider, a government department, a membership organisation or a website you buy from, directing you to follow a link to supply confidential details – typically a password, PIN or other information. This is known as phishing.
  • Supplying details to a fraudster who has phoned your company claiming to be from your bank or credit card provider or the police and inventing a problem. They ask for confirmation of confidential information in order to solve the problem. This is known as vishing. They may additionally despatch a ‘courier’ to collect payment cards or other records, known as courier fraud.
  • Receiving a phone call from somebody claiming to be a legitimate support agent for your computers or software, and telling you that you have a technical issue. They sound genuine, so you or a colleague gives them your login details – which can result in fraud or identity theft. Alternatively they are granted remote access to take over your computer or network, resulting in it being infected with malware. People claiming to be from ‘IT support’ in your business may request your or colleagues’ passwords in order to infiltrate company systems and data.
  • Picking up and inserting into computers USB sticks, memory cards, CD-ROM/DVD-ROMs or other storage medium that has been deliberately left lying around and contains malware. This is known as baiting.
  • Inadvertently granting a criminal physical access to computers, servers or mobile devices.

Avoid social engineering attacks

  • Never reveal confidential or financial company or customer data including usernames, passwords, PINs, or ID numbers.
  • Be very careful that people or organisations to whom you are supplying payment card information are genuine, and then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or phone call.
  • If you receive a phone call requesting confidential information, verify it is authentic by asking for a full and correct spelling of the person’s name and a call back number.
  • If you are asked by such a caller to cut off the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card – but not one given to you by the caller, nor the number you were called from.
  • Never open email attachments from unknown sources.
  • Never readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the text of the link from the email.
  • Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into computers if their source is uncertain.