Reading time: 3 minutes
Summary
This module is about social engineering, a collective term for all of the ways in which malicious parties try both online and offline to steal information from you which you normally would not hand over to others. This includes passwords, access codes and files, as well as information related to your connection and finances. Malicious parties ‘engineer’ themselves socially, which simply means that they pose as something or someone else.
The simplest example is the online contest that everyone has ‘won’ at one time or another. You were the millionth visitor to a website, you just achieved the highest score on that ridiculously easy online quiz, and so on. A link immediately appears on your screen which you must click within one minute in order to claim your special prize. And before you know it, you are on a fraudulent website, filling in your email address, bank details and more.
With social engineering, human beings themselves are the weakest link. As long as there are circumstances under which we will still give others access to our details (whether intentionally or not), no security feature will ever be able to protect us.
Social engineering happens in all kinds of ways, ranging from a Microsoft ‘employee’ who tries to gain access to your computer by telephone or a malicious party who recovers sensitive information from the office rubbish bin to CEO fraud, a type of email scam whereby the victims are fooled into transferring large sums of money to the cybercriminal.
So both offline and online forms of social engineering exist. The online forms are referred to as ‘phishing’, which can be subdivided into three different types:
1. ‘Normal’ phishing, whereby many people receive fake messages via email, WhatsApp or text message at the same time.
2. Spear phishing, whereby a highly personalised fake message is sent to a specific person or business.
3. Whaling, phishing that specifically targets high-ranking individuals in an organisation.
In order to recognise such messages, you must always start by asking yourself whether you trust the message at all. Is the sender peculiar, were you surprised to receive such a message in the first place, does it contain a lot of grammatical or spelling errors or does the message suddenly and unexpectedly put you under considerable pressure? If so, then that is an immediate red flag. In this module, we will give you the concrete tools that will enable you to check relatively easily whether a message is legitimate or fraudulent.
But beware: social engineering occurs offline, too. At open education institutions, in particular, anyone can easily enter the building. Has the door been left unlocked, is the cupboard open, has the whiteboard been left unerased or did you simply allow the cute electrician into your room without asking for a valid form of ID? Then the consequences can be just as unpleasant for you and the organisation as if you fall victim to a digital phishing attack.
This does not mean you should now automatically mistrust everything and everyone around you. You should, however, always pay attention to where a message has come from. It is better to get into the habit of double-checking a message or its sender more often than to click on that one particular link...
We will begin each module with a short quiz so you can find out what you already know about the various subjects.
Good luck with this second module!