Reading time
10 minutes
What will you learn?
You will learn several important terms concerning the ways in which malicious parties try to steal your data or that of your organisation.
Summary
Social engineering is the collective term for all of the various methods by which malicious parties impersonate someone else both online and offline, with the aim of obtaining access to data, hacking into an account and stealing money or data, for example. In so doing, they target the weakest link in the security chain: human beings.
The online forms of social engineering are referred to as ‘phishing’, which can be subdivided into three different forms: large-scale attacks (phishing), attacks targeting a specific person (spear phishing) or attacks aimed at high-ranking members of an organisation (whaling). Many of these types of attacks can be prevented by taking a critical look at the sender, the use of language, links and the person behind the apparent sender in each message or request received. If things still go awry, you must inform the [insert department] of this immediately.
The world of hacking, phishing and whaling often involves a game of cat and mouse. Security companies try to filter out fraudulent messages as much as possible and employees are on the alert to quickly identify attempts to steal data. At the same time, malicious parties keep trying to find new ways to get hold of business information. Take a look at this fine example of how online fraud works...
With ‘social engineering’, i.e. impersonating someone else, malicious parties try to infiltrate company systems in all sorts of different ways. No matter how strong our passwords are or how many files or data carriers we encrypt, we as human beings are the most vulnerable link across this entire chain.
It is a technique whereby hackers try to persuade you to give up data you would normally keep to yourself. It may also be that the person does not wish to target you directly, but wants to use you to further penetrate the organisation. So don't think: what use am I to them in this organisation? You could easily be a stepping stone on the way to gaining access to the entire email server of the organisation, as a result of malicious parties having been able to install a keylogger on your computer.
If we give away our password on a dubious website or accidentally open a file containing malware, there's not a single digital security feature out there that can protect us. These days, social engineering happens primarily via digital routes, such as text messages and emails containing questionable links and requests from ‘banks’ and ‘government agencies’. But this can also be done quite effectively with the more old-fashioned methods:
In this way, all of an organisation's data can become exposed and accessible to malicious parties within just a few minutes. In this module, we will get to work on the principle ‘Make sure you always know who you are dealing with’, as it applies to both the online and offline world. By carrying out a few simple checks of all incoming communication, you can easily prevent a lot of damage to both yourself and the organisation.
What is it?
Suppose you receive an official email from your bank, politely requesting that you click on a link and fill in your account number and password for verification purposes.
Of course you’ll do that; why wouldn't you? However, a short while later, it emerges that malicious parties have taken full control of your card and bank account. Ugh... Just take a look at how big these criminal 'phishing' organisations already are, as you can see below:
The term ‘phishing’ comes from ‘fishing’. Malicious parties request data about your bank, passport or driving licence via fake emails or text messages. They use this data to steal money or your identity from you. URL spoofing is often used in phishing scams. This refers to the practice of posing as the URL of a particular website, such as a bank, as a result of which the user thinks they are dealing with the real site, whereas the URL refers to the site of the malicious party.
How can you spot phishing?
Use your common sense. A bank would NEVER ask you via text message to fill in your password and/or citizen service number somewhere! The following are a few tell-tale signs which suggest that you might be dealing with a phishing attempt:
Use the checklist on this website to quickly determine whether a message is real or fake by answering a few simple questions.
So phishing concerns online forms of social engineering. But social engineering occurs offline, too. ‘Dumpster diving’, whereby malicious parties go through an organisation's rubbish in search of sensitive or personal data, is a well-known example of this. They may be able to use that data to pose as one of the organisation's employees or even to obtain online access to the organisation's networks. So you should always be really careful what you throw in the rubbish bin...
Spear phishing is a form of ‘phishing’, whereby malicious parties approach a particular individual within an organisation. As such, spear phishing is usually more difficult to recognise than ‘regular’ phishing attempts, since the message is often quite personal.
If you suspect spear phishing, it is always prudent to ask yourself whether or not you would expect to receive that particular message. For example, if you aren't expecting a delivery from DHL, then it doesn't make much sense to receive an email from them with a track & trace code in it. Strange requests from your manager, for instance, addressed to you in particular, are also a red flag.
If you suspect spear phishing, do not try and verify the sender via email, as it is very likely that your email will just be received by the malicious parties themselves. If you doubt the authenticity of a particular request, you should always phone the sender. That way you will quickly know for sure whether you are dealing with a real or fraudulent message.
Whaling is a specific form of phishing whereby malicious parties target high-ranking employees in an organisation, such as the director, financial director or an HR director who has access to personal data. A well-known example of this is CEO fraud, whereby malicious parties usually use email spoofing to persuade a CEO to approve large mala fide transactions, for example (‘spoofing’ refers to the forging of emails with a false sender address, as a result of which the email appears to come from a known address, such as that of a colleague).