How to protect yourself from social engineering

When you hear the word 'cybercrime', you probably think of a hacker behind a computer screen. The reality is often less high-tech. Many attacks start with human misleading, aka social engineering.

Social engineering means social manipulation: internet criminals make use of human characteristics, such as fear, greed, curiosity, trust, and ignorance. For example, fraudsters may tempt you to share private or confidential data by saying you need to do this to deblock an account. What types of social engineering are there, and how do you protect yourself from them?

Physical social engineering

There are two types of social engineering: physical and digital. Physical social engineering takes place on location. The aim of the criminal or hacker is to steal important information, which they can use later in a digital attack. The main types of physical engineering are:

Going through your trash

Criminals will sift through your wastebins, looking for company data such as letters or copied documents. This technique is known as ‘dumpster diving’. They use their findings to be able to tell a plausible story when they contact you by phone, for instance.

Carefully destroy your information

Be aware of the information you discard, and how. Even a document that seems harmless, like a call sheet or a job description, may be of use to a criminal in a targeted attack. Use a paper shredder or a locked container.

Contaminated USB stick

You find a USB stick, and you wonder what is on it. Do not give in to that curiosity. Hackers intentionally leave USB devices lying around containing malware. The minute you plug in the device, the malware automatically installs itself on your computer. This gives the criminal access to your internal computer systems or allows them to take your systems hostage with ransomware.

Protect your devices and make backups

Protect your devices and computer network with antivirus software. Make regular backups of your computer files and keep your software up to date.

Video

For English subtitels to the video, click the settings wheel, click 'ondertiteling' and select English.

Impersonation

Impersonation means a criminal pretends to be someone you know to mislead you. For example, they pretend to be a repair person, reporting to reception for a repair job. Or they pretend to be a service engineer, here to service your wi-fi network. Once inside, this engineer will be behind a computer in your company, gaining access to your sensitive company data.

Register visitor details

Never let visitors simply enter your premises. Register their details, and always ask for a valid ID.

Shoulder surfing

You are travelling to work by train and decide to do some work on your laptop. You type in a password or work on a sensitive document. Be aware that a criminal can easily look over your shoulder to see what you are doing. They can use the information they see to later hack your computer system. This type of social engineering is called shoulder surfing.

Use a screen protector

Use a screen protector on your laptop and phone. It is a special layer of plastic or glass on your screen, that prevents others from seeing what you are doing.

Digital social engineering

Digital social engineering takes place in a digital location, for example, on the internet or on the phone. The cybercriminal uses the information they have found or stolen on location or on your social media to get to you.

Social media

Criminals find the personal information of their victims on social media. For example, they use the info in your LinkedIn profile to send you phishing messages.

Think about what you post

Always consider before posting something on social media. Secure your account by using a strong password and remain cautious: read the messages you receive carefully. Do not rashly accept an invitation from someone you do not know.

Phishing

Phishing is a type of digital fraud. Fraudsters mislead you by sending targeted fake emails. The emails appear to be messages from organisations you know, and, often, trust. Government organisations or banks, for example. Criminals try to get your login details, credit card information, pin code, or other personal information. Phishing criminals also use other techniques: texts, WhatsApp messages, or QR codes. 

Think twice before you click

Never click a link or open an attachment if you are not certain you can trust the email or message it is in. Links and attachments in fake emails often contain malware, which harms your computer.

Telephone fraud and CEO fraud

Telephone fraud is a form of embezzlement where a so-called helpdesk or bank calls you on the phone.

Install some software, now, please

You receive a call from someone who pretends to be a helpdesk employee for a software company. There is a problem inside your software, and this could be dangerous. The fake employee wants to solve it asap and asks you to install some software they will send you. But when you do, it turns out to be malware, giving criminals access to your computer system. This is called telephone helpdesk fraud.

Transfer money asap

An impostor can also pose as a bank employee on the phone. They tell you they are seeing a lot of suspicious activity on your account. Your account has been hacked! The criminal then tells you to transfer your money as quickly as possible to a 'safe account' or a 'vault account'. They even offer to help you transfer the money. In reality, you are transferring your money directly into the criminal's bank account.

CEO fraud

CEO fraud is a type of fraud where an employee receives an order, apparently from the manager or CEO of the company, to transfer money into a certain account. The request does not come from the CEO, however: it is a cybercriminal who pretends to be a manager. The money goes to their bank account. To commit CEO fraud, criminals often use email spoofing. This is a technique that allows them to send an email that appears to come from a different address. In the case of CEO fraud, the email appears to have been sent by the manager. Because the employee recognises the email address of their manager, they are inclined to do as they are asked.

Do not respond to pressure

Do not trust anybody at first glance, and do not give in to pressure. Attackers use urgency to put you under time pressure. Do not fall for this trick, stay calm, think rationally, and take well-considered decisions.

Has your business been attacked using social engineering? We would like to get in touch. Share your experience through kvk.cyber@kvk.nl.