Social Engineering poised to dominate the year ahead

With the internet and mobile devices playing an increasingly central role in our everyday lives, there are more and more opportunities for cybercriminals to access sensitive personal and business information via these communication platforms.

While cybercrime comes in many forms, malicious social engineering attacks are a key security threat faced by individuals and businesses. These types of attacks can be performed by just about anyone, as it is much easier to obtain personal information through manipulative tactics than to develop techniques for breaking into software.

Crimes of this nature rely on exploiting people’s good will and sense of trust, with fraudsters lulling victims into a false sense of security by posing as a trustworthy source. Once trust has been established, they then coerce the victim into disclosing personal information or opening email attachments that are infected with malicious software.

There are a number of common social engineering attacks that users should look out for, including:

Phishing: This type of social engineering uses email as its mode of attack. Criminals send their victim an email that appears to come from a legitimate organisation, such as a bank or charity, asking them to confirm account information, collect a prize, or disclose passwords and financial details. Once the requested information has been obtained, the attackers can log in to accounts or reach private and sensitive information as if they were the legitimate user, sometimes secretly installing malicious software that gives them control over your computer. The financial sector is the sector most commonly targeted by phishing; however, attackers are widening their attacks to mobile phone and gaming platforms.

Email from a friend: This is where the criminal obtains a person’s email password (either through hacking or social engineering) and sends out deceitful emails from that account, urgently requesting the recipient to click on a link or download a file. This allows the scammer to infect the system with malware, access the device, and spread the infection to the entire contacts list, which in turn spreads it to others in each recipient’s contact list. Another strategy commonly employed in this type of attack is a forged email from a friend telling an elaborate story that they have been stranded somewhere or robbed and urgently need financial assistance to get back home.

Baiting: This involves offering something free or exclusive that the user wants, such as a free movie or music download, or in some cases a great deal on a holiday, real estate, an auction site item, etc. The apparent seller crafts a ‘rating’ so that any doubts about the authenticity of the transaction are quickly dispelled. Once baited, the victim may find their computer infected with malicious software, may pay money for an item they never receive, or may find their bank account emptied.

Scareware: This involves tricking a user into thinking their computer has been infected with malware and encouraging them to purchase or download fake antivirus protection, which is itself potentially dangerous software in disguise.

There are thousands of methods of executing a social engineering attack, with the only limit being the offender’s imagination. Cyberattacks, whether targeted at large businesses or individuals, can defeat even the most well-secured systems. The cost of recovery can be huge, not only from a financial point of view, but also because of the irreparable damage it can do to someone’s reputation.

To counter advances in social engineering, the following tips can help individuals and businesses protect their ongoing security:

  • Strengthen safeguards

This includes implementing more robust monitoring systems, adopting strong administrator and user passwords, installing and regularly updating antivirus software, firewalls and spam filters, and keeping an eye out for both internal and external security breaches.

  • Think first, act later

Scammers rely on people acting first and thinking later, so they often deliver their message with a sense of urgency, using sales tactics such as ‘This is a one-time offer only’ or ‘Sign up now for the chance of a lifetime’. Be suspicious of any unsolicited message from an unknown source; research the sender’s products and services through the company’s own website, or contact the company directly to confirm the sender’s identity and relationship to it.

  • Don’t overshare

When using social media platforms, carefully consider what information you are sharing with the public, such as details about your organisation, photos, your date of birth, your address, holiday dates, etc.

  • Increase employee awareness

This includes offering privacy training to staff, encouraging them to read terms and conditions when installing apps on their device, limiting downloads to trustworthy sources, and increasing security settings.

  • Be prepared

To determine the risks faced by a business, penetration tests can be carried out; these look for security weaknesses in the system by simulating what a real attacker would do. Preparing a risk management plan allows a business to identify, manage and control privacy and security issues in order to protect against malicious activity.

  • Don’t be fooled by offers of money from an unknown source

Very few people win the lottery when they actually buy a ticket, let alone a foreign lottery or sweepstakes they’ve never heard of. Receiving a lump sum of money from a long-lost uncle is also highly unlikely. Don’t let your desire for money overshadow your good judgement.
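Several of the cues above (urgency language, requests for passwords or money, a sender that does not match the organisation it claims to be, links whose visible text differs from where they actually point, and risky attachments) can be turned into a simple mail-filter check of the kind the “Strengthen safeguards” tip refers to. The following is an added example, not code from the original article or from Stay Smart Online: the phrase lists, the scoring threshold, the `.test` domains and the two sample messages are all constructed for illustration.

```python
"""Heuristic phishing-indicator scorer for raw email text (added example).

Each check maps to one of the social engineering cues described above. The
phrase lists, the threshold and the sample messages are assumptions made for
this illustration, not a published ruleset.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrases that pressure the reader into acting before thinking (assumed list).
URGENCY_PHRASES = (
    "one-time offer", "act now", "immediately", "within 24 hours",
    "account will be suspended", "chance of a lifetime", "urgent",
)
# Phrases that ask the reader to hand over secrets or money (assumed list).
CREDENTIAL_PHRASES = (
    "confirm your password", "verify your account", "enter your pin",
    "update your payment details", "wire transfer", "send money",
)
# Attachment types that commonly carry executable content (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def _domain_of_address(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _text_body(msg: Message) -> str:
    """Concatenate all text/plain and text/html parts for phrase matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return {'score': <number of indicators>, 'reasons': [...]} for one message."""
    msg = message_from_string(raw)
    body = _text_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    hits = [p for p in CREDENTIAL_PHRASES if p in text]
    if hits:
        reasons.append("asks for credentials or money: " + ", ".join(hits))

    # A Reply-To pointing at a different domain than From is a classic sign
    # that replies are being routed away from the organisation being imitated.
    from_domain = _domain_of_address(msg.get("From", ""))
    reply_domain = _domain_of_address(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Link text that shows one domain while the href points at another.
    for href, label in ANCHOR_RE.findall(body):
        href_dom, label_dom = DOMAIN_RE.search(href), DOMAIN_RE.search(label)
        if href_dom and label_dom and href_dom.group(1).lower() != label_dom.group(1).lower():
            reasons.append(f"link text {label_dom.group(1)} hides href {href_dom.group(1)}")

    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment: {name}")

    return {"score": len(reasons), "reasons": reasons}


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message once it shows at least `threshold` independent indicators."""
    return score_message(raw)["score"] >= threshold


# Constructed sample messages (hypothetical .test domains, not real senders).
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.test>
Reply-To: support@mail-relay.test
To: customer@example.test
Subject: URGENT: account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.lookalike.test/verify">http://www.examplebank.test/login</a>
to verify your account and confirm your password.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

AAAA
--b1--
"""

BENIGN_SAMPLE = """\
From: "Alice" <alice@example.test>
To: bob@example.test
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Thursday? Same place as last time.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(label, "suspicious" if is_suspicious(sample) else "clean", result)
```

The point of counting independent indicators rather than keying on any single phrase is that legitimate mail does occasionally say “urgent” or include a link; it is the combination of pressure, a request for secrets, mismatched sender and reply addresses, a disguised link and an executable disguised as a document that distinguishes the constructed phishing sample (five indicators) from the constructed benign one (none). A real filter would add sender authentication results and reputation data, which this illustration deliberately leaves out.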

For more information about how to protect your personal and business information, you can visit www.staysmartonline.gov.au.