Cyber security matters - #15 Social engineering
Posted on behalf of: University of Sussex
Last updated: Wednesday, 28 May 2025

As part of our Cyber Security awareness campaign, we’re covering a new topic each month to help boost your knowledge and keep you and the University safe and secure.
This month we discuss ‘social engineering’ and how you can stop it happening to you.
What is social engineering?
Social engineering involves using emotional manipulation and deception to conduct a cyberattack. It’s generally easier to trick people into making mistakes than it is to compromise security systems. Social engineering attacks can take many forms, and some are more sophisticated than others.
What methods do attackers use?
- Phishing – e.g. an email purportedly from a bank wanting its customers to 'confirm' their security information and directing them to a fake site where their login credentials will be recorded
- Vishing and smishing (variants of phishing) – ‘voice phishing’ means simply phoning up and asking for data, e.g. a criminal may pose as an IT helpdesk colleague asking for login information. Smishing uses SMS messages instead to try to obtain this information.
- Fake social media profiles and websites – many attacks make victims believe they are getting something in return for the data or access that they provide, e.g. offering to help computer users solve an urgent security problem with an update that turns out to be bogus.
- Impersonating a trustworthy figure – e.g. an advert which appears to feature Martin Lewis from Money Saving Expert, when in fact he never endorses things in this way.
A real-life example
This month The Guardian reported that a support company that operates Marks & Spencer’s IT helpdesk may have been used by cybercriminals to gain access to systems at the retailer, which is dealing with a major hack.
M&S said that hackers had gained access to its systems through one of its contractors.
The criminals used social engineering techniques, posing as a staff member to get a helpdesk to share passwords. The retailer has been attempting to recover from the attack for more than a month and said it could lose £300m in profit.
What can I do to keep myself safe?
- Check the source
Many people don't think twice about volunteering information if it seems like it’s being requested by an authority figure. But you are entitled to take a moment to think about where the communication is coming from. Don't trust it blindly.
Check the email header, hover over a hyperlink to see where the link goes, and look out for typos in emails that shouldn’t have them. If in doubt, go to the official website and get in contact with a representative of the organisation.
- What do they know?
Does the source lack information you'd expect them to have, such as your full name? If a bank is phoning you, they should have that data and they will always ask security questions before allowing you to make changes to your account. If they don’t, then be wary.
- Break the loop
Social engineering often depends on a sense of urgency. So just take a moment to ring the official number or go through the genuine website, rather than giving data out on the phone or clicking on a link.
Use a different method of communication to check out the source's credibility. For instance, if you get an email from a friend asking you to wire money, call them on a known number to verify whether it’s really them.
- Think about your digital footprint
Sharing lots of personal information online can help attackers. If you have an online CV, does it contain your address, phone number and date of birth? All of these are useful to anyone planning a social engineering attack.
Many banks have 'name of your first pet' as a possible security question – but have you shared this on social media? Changing your settings to 'friends only' can help reduce vulnerability.
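The ‘hover over a hyperlink to see where the link goes’ check from ‘Check the source’ can be automated for a whole message. The following is an added example, not part of the University’s newsletter: it parses an HTML email body and flags any link whose visible text names one domain while the href actually points at another. The email body, domains and the two-label domain approximation are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body for the demo (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://mybank-secure.example.net/login">
confirm your details at https://www.mybank.example</a> within 24 hours.</p>
<p>Or visit <a href="https://www.mybank.example/help">our help centre</a>.</p>
<p>Unsubscribe: <a href="https://updates.mybank.example/unsub">updates.mybank.example</a></p>
"""

# Matches a bare domain or URL inside the text a reader actually sees.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host):
    # Assumption for the demo: the last two labels are the registrable domain.
    # A real tool would consult the public-suffix list (e.g. co.uk).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text names a domain
    that differs from the domain the link really goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(target_host):
            flagged.append((text, href))
    return flagged

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text says {text!r} but the link goes to {href}")
```

Links whose text is plain wording (‘our help centre’) are not flagged, because there is no displayed domain to compare; the human check still applies to those.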
How to learn more
Each month, we’re releasing a matching bitesize training via Proofpoint, our online learning platform, which is emailed to you. This month’s training arrived in your inbox on Tuesday 20 May and you have until Friday 13 June to complete it.
Sources: Kaspersky; The Guardian