October 2021 is Cyber Awareness Month. Do your Part #BeCyberSmart
In the context of cyber security, social engineering is the nefarious activity of manipulating people so they divulge confidential information, giving the attacker access to information, systems or buildings. Here, we focus on some of the different types of social engineering attacks, including phishing, baiting, tailgating and piggybacking. You’ll find a description of each type below, as well as information about what to look out for and what to do if you suspect you’ve been a victim of a social engineering attack.
A social engineering attack is when an attacker uses human interaction (social skills) to obtain or compromise information about an organisation or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.
However, by asking questions, he or she may be able to piece together enough information to infiltrate an organisation’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organisation and rely on the information from the first source to add to his or her credibility.
Phishing is one of the most common social engineering attacks and is executed via email, phone call or text message.
What to look out for?
A request for personal information such as your driver’s licence, Medicare number or bank or financial information. Official communications from banks, utilities or telecommunications providers won’t request personal information from you by email.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails won’t ask you to do this.
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
The greeting on the message itself doesn’t personally address you. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious.
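As an added example that is not part of the original page, the following Python script turns the indicators above into simple checks run over a constructed sample message; the sample addresses, the list of known senders and the phrase patterns are assumptions.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample messages (assumed addresses, not from the original page)
SAMPLE_PHISH = """\
From: accounts@example-bank.invalid
To: jsmith@example.org, k.wong@example.org, r.patel@example.org
Subject: Urgent: verify your account

Dear jsmith,
To keep your account active, confirm your medicare number and bank details.
Open the attached form and enable macros to proceed.
"""
SAMPLE_OK = """\
From: manager@example.org
To: jsmith@example.org
Subject: Team meeting

Hi John,
The meeting has moved to 3pm tomorrow.
"""
# Phrases matching the indicators listed above (assumed patterns, not exhaustive)
PERSONAL_INFO = re.compile(r"driver'?s licen[cs]e|medicare number|bank (account|details)", re.I)
RISKY_ACTION = re.compile(r"enable macros|security settings|install (an |the )?app", re.I)


def phishing_indicators(raw, recipient, known_senders):
    """Return the names of the indicators above that a plain-text message triggers."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    hits = []
    # Unexpected sender: not among the people or entities you normally deal with
    senders = getaddresses([msg.get("From", "")])
    if not senders or senders[0][1].lower() not in known_senders:
        hits.append("unexpected_sender")
    # Multiple recipients in the To field
    if len(getaddresses(msg.get_all("To", []))) > 1:
        hits.append("multiple_recipients")
    # Request for personal information
    if PERSONAL_INFO.search(body):
        hits.append("requests_personal_info")
    # Asks you to enable macros, change security settings or install software
    if RISKY_ACTION.search(body):
        hits.append("asks_for_risky_action")
    # Greeting built from the local part of your address rather than your name
    local_part = recipient.split("@")[0].lower()
    greeting = next((ln for ln in body.splitlines() if ln.strip()), "")
    if local_part in greeting.lower():
        hits.append("greeting_from_address")
    return hits
```

The more indicators a message triggers, the more reason to treat it as suspect; a single hit on its own is not proof of phishing.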
What to do if you suspect you’ve been phished:
If you’ve received a suspected phishing email at your personal email address, you can report it to the Scamwatch website (https://www.scamwatch.gov.au/report-a-scam) and/or contact the company directly. Instructions on how to report the phishing email can be found on the respective company websites.
Baiting is when someone entices you with money, a coupon or a prize, or threatens you. These can be delivered via email, text or popups in your browser.
What to look out for?
An unsolicited text, email or browser popup that says you’ve won a prize and asks you to click on a link or provide your personal information.
Tailgating and piggybacking are when someone follows close behind you to gain access to the office or a restricted area. They could be following closely behind you at the turnstile so they can pass through without using a pass.
People following closely behind you into a restricted area who don’t have their own passes.
Australian Cyber Security Centre information on different types of phishing and how to protect yourself and your family and friends from phishing scams
Hackable Me podcast – Stories of phishing scams during COVID19
Scamwatch – Details types of scams that have been reported and also where you can report a scam
Have I Been Pwned – This site will report if your email address has been compromised as part of a data breach, which breaches were involved and what data has been exposed
Find out more about AARNet Cyber Security Services