In the context of cyber security, social engineering is the nefarious activity of manipulating people so that they divulge confidential information, which the attacker then uses to gain access to information, systems or buildings. Here, we focus on some of the different types of social engineering attacks, including phishing, baiting, tailgating and piggybacking. You’ll find a description of each type below, as well as information about what to look out for and what to do if you suspect you’ve been a victim of a social engineering attack.
What is a social engineering attack?
A social engineering attack is when an attacker uses human interaction (social skills) to obtain or compromise information about an organisation or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.
However, by asking questions, he or she may be able to piece together enough information to infiltrate an organisation’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organisation and rely on the information from the first source to add to his or her credibility.
Types of social engineering attacks:
Phishing is one of the most common social engineering attacks and is executed via email, phone calls or text messages.
What to look out for?
A request for personal information such as your driver’s licence, Medicare number, or bank or financial information. Official communications from banks, utilities or telecommunications providers won’t request personal information from you in the form of an email.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails won’t ask you to do this.
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
The greeting on the message itself doesn’t personally address you. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious.
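The five indicators above can be checked mechanically. The following is an added example, not part of the original page: a small Python triage script that scores a raw email against them. It assumes you maintain a list of sender domains you regularly deal with (`known_senders`) and know the recipient’s real first name; the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail) used to exercise the checks below.
PHISH = """From: accounts@examp1e-bank.test
To: a8f3k@mail.test, zq91x@mail.test, john.smith@corp.test, p0l2m@mail.test
Subject: Urgent: verify your account

Dear john.smith,
Please confirm your Medicare number and bank details via the attached form.
Open the attachment and enable macros to view it.
"""
LEGIT = """From: payroll@corp.test
To: john.smith@corp.test
Subject: Payslip for March

Hi John,
Your payslip is available on the staff portal as usual.
"""
PERSONAL_INFO = re.compile(
    r"driver'?s licen[cs]e|medicare number|bank details|account number|"
    r"credit card|password", re.I)
RISKY_ACTIONS = re.compile(
    r"enable (macros|content)|security settings|install (an|the|this) app", re.I)

def phishing_indicators(raw, known_senders, recipient, first_name):
    """Return the red flags from the checklist that are present in one message."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # sample messages are single-part text
    flags = []
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip().lower()
    if sender_domain not in known_senders:        # unexpected, unsolicited sender
        flags.append("unexpected sender")
    if PERSONAL_INFO.search(body):
        flags.append("asks for personal information")
    if RISKY_ACTIONS.search(body):
        flags.append("asks to enable macros or change settings")
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    # Short letter/digit mixes as local parts look auto-generated rather than like names
    random_like = [a for a in recipients
                   if re.fullmatch(r"[a-z0-9]{4,8}", a.split("@")[0]) and re.search(r"\d", a)]
    if len(recipients) > 1 and len(random_like) >= 2:
        flags.append("multiple random-looking recipients")
    greeting = body.strip().splitlines()[0]
    # Greeting built from the address's local part, or lacking your name, is a bad sign
    if recipient.split("@")[0] in greeting or first_name.lower() not in greeting.lower():
        flags.append("greeting does not personally address you")
    return flags
```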
What to do if you suspect you’ve been phished:
If you’ve received a suspected phishing email at your personal email address, you can report it to the Scamwatch website (https://www.scamwatch.gov.au/report-a-scam) and/or contact the company directly. Instructions on how to report the phishing email can be found on the respective company websites.
Baiting is when someone entices you with money, a coupon or a prize, or pressures you with a threat. These can be delivered via email, text or pop-ups in your browser.
What to look out for?
An unsolicited text, email or browser pop-up that says you’ve won a prize and asks you to click on a link or provide your personal information.
Tailgating or Piggybacking
Tailgating and piggybacking are when someone follows close behind you to gain access to the office or a restricted area, for example staying right behind you at the turnstile so they can pass through without using a pass of their own.
What to look out for?
People following closely behind you into a restricted area who don’t have their own passes.
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees of your company or other internal information. If an unknown individual claims to be from a legitimate organisation, try to verify his or her identity directly with the company through the switchboard, not through a direct line.
- Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Do not send sensitive information over the internet before checking a website’s security.
- Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https”—an indication that sites are secure—rather than “http.”
- Look for a closed padlock icon—a sign your information will be encrypted.
- Do not click on links in text messages as this could inadvertently install malware which could compromise your device.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use the contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from the Types of scams page on Scamwatch.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls for Home and Small Office Use, Protecting Against Malicious Code, and Reducing Spam for more information.)
- Take advantage of any anti-phishing features offered by your email client and web browser.
- Enforce multi-factor authentication (MFA). (See Supplementing Passwords for more information).
- Be mindful of people following closely behind you to access a restricted area who don’t have a pass. If in doubt, always ask who they are there to see and follow up with their contact; do not let them into the office or the restricted area.
What do you do if you think you are a victim of a social engineering attack?
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Australian Cyber Security Centre information on different types of phishing and how to protect yourself and your family and friends from phishing scams
Hackable Me podcast – Stories of phishing scams during COVID-19
Scamwatch – Details types of scams that have been reported and also where you can report a scam
Have I Been Pwned – This site will report whether your email address has been compromised as part of a data breach, which breaches, and what data has been exposed