Companies of all sizes should be on constant alert as social engineering attempts continue to rise and become more subtle
Increasing activity in social engineering scams has prompted an internet safety and security information service to raise awareness of the dangers by releasing a series of informative videos offering advice and tips.
Get Safe Online, the government and private sector-backed body, has revealed that 23 percent people in the UK have received at least one cold call requesting personal or financial information, according to the Financial Fraud Action UK (FFA UK) organisation.
Beating the fraudsters
A type of confidence trick, social engineering is the use of deceit to manipulate or fool their targets into revealing private information. This has been done via phishing emails; fraudulent phone calls, known as vishing, asking for personal or financial information; or calls from fraudsters impersonating computer technical support agents.
Social engineering exploits human nature and plays on victims’ emotions such as protecting themselves, their family and finances, gaining something of advantage or willingness to please others. It is a factor in many types of fraud.
This is of particular importance to the channel and retail businesses where financial and technical details of server access may be routinely shared with partners. Fraudsters can easily obtain staff members names and company phone numbers, and the email address of any employee can often be deduced. Most companies use a formula for every email address, such as firstname.lastname@example.org, which means that even lowly or new employees can be approached to reveal the names of directors or technical staff who could, in turn, be approached for information.
Rather than dismissing failed attempts at cold calling or binning phishing emails, the information should be shared among staff to make everyone aware that the company is being targeted.
According to FFA UK research, in the first five months of this year alone, some of the UK’s main high street banks have reported losses of over £21 million from vishing attacks on their customers, with over 2,000 vishing attacks resulting in an average loss of over £10,000 per victim.
Tony Neate, chief executive of Get Safe Online, commented, “It’s important that the public are aware of what social engineering actually is, as there are so many types which can lead to the theft of your money or identity. It can be easy to fall prey to social engineering, as schemes can be elaborate and highly convincing, with approaches usually made by somebody you think you should trust or appears to be in authority. It’s not just individuals who are likely victims, it’s also businesses. We hope that by raising awareness of how to avoid becoming a victim of social engineering through our online videos and activity with our partners, we can help prevent it from happening to others.”
Detective superintendent Peter O’Doherty, head of the NFIB and Action Fraud, said, “The face of crime has significantly changed in recent years, with much of today’s offending being conducted not face-to-face but over the phone and through a computer. People need to be aware there are ruthless, calculating criminals using social engineering scams to obtain personal and financial information that makes them a profit and individuals and businesses victims of crime. This multi-media Get Safe Online campaign will shine a light on these practices and help the public know when they are being targeted and the best ways to protect themselves.”
Getsafeonline.org offers a number of tips on how to avoid becoming a victim of social engineering:
- Always be wary of people requesting confidential or personal information by whatever means, however convincing they may seem.
- Never reveal personal or financial data including usernames, passwords, PINs or other forms of ID.
- Be very careful that people or organisations to whom you are supplying payment card information are genuine, and then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or a phone call.
- If you receive a phone call requesting confidential information, verify it is authentic by asking for a full and correct spelling of the person’s name and a call back number.
- Check the number matches the contact number on the relevant website. Even then, the criminal may have used special software to display the authentic number.
- If you are asked by a caller to end the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card. However, be sure to use another phone from the one you received the call on to ensure that a fraudster is not on the line by having kept the call open. If you cannot access another phone, be sure to hang up for at least five minutes before you dial out, or call a friend (whose voice you recognise) before making another call.
- Do not open email attachments from unknown sources.
- Do not readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the text of the link from the email.
- Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into your computer if you are not certain of the source, or just because you are curious about their contents.