Social Engineering

What is social engineering?

Social engineering is a psychological attack where a cyber criminal tricks you into divulging confidential information or breaking normal security measures. Cybercriminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than finding out ways to hack your system.

Social engineering attack techniques

Social engineering attacks come in different forms and can be performed anywhere where human interaction is involved. Getting familiar with the types of social engineering techniques gives you a better chance of staying safe.

Phishing

Phishing is the leading type of social engineering attack. Attack vectors commonly used for phishing include email, SMS, social media and many more. Phishing aims to create a sense of urgency, curiosity and fear in the victim.

All phishing tactics follow the same pattern: ticking the target into clicking on malicious links that will take you to a website that may or may not impersonate a legitimate one, leading you to reveal sensitive information and injecting malware or viruses.

Tailgating

Tailgating is also known as “piggybacking”. In this type of attack the attacker seeks entry to a restricted area, where access is unattended or controlled by electronic access control, by simply following an authenticated individual into a restricted area.

Commonly attackers would impersonate a delivery driver and wait outside a building. When an authenticated individual gains security approval and opens the door, the attacker asks the individual to hold the door, thereby gaining access to the building.

Dumpster diving

“Dumpster diving” is an interesting attack that can produce an immense amount of information about an individual or company. It depends on human weakness and lack of security knowledge.

It is extremely surprising how much personal and sensitive information is thrown out without considering the impact it might have. It is important to protect yourself and consider how personal and sensitive information should be disposed, some methods could be burning, shredding or another way to ensure the information is no longer usable.

Don’t become a victim

Tips to remember:

- Slow down: think before you act. If the message conveys a sense of urgency or uses high-pressure sales tactics then investigate further using alternative methods

- Be skeptical: always question request for sensitive information

- Don’t let a link be in control of where you land: find the website yourself, hovering over links in email will show actual URL

- Trust but verify: don’t share information with people you do not know unless you can verify their identity

- Beware of any downloads: if you don’t know the sender personally and you are not expecting a file from them, then downloading anything could have a serious impact on you, organization or anyone else

- Limit public information: keep personal information you share online to a minimum

- No passwords over the phone: never share your password with anyone over the phone

 

If you have any questions or concerns about the content covered in our article then please do not hesitate to get on touch with us at grc@infosec.ox.ac.uk. You can also find more information in the related content section.