Detection & prevention
Social engineering is the art of manipulating people so they give up confidential information!
There are lots of different forms of social engineering. You need to know about four in particular.
Blagging or pretexting is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information, or perform actions, that they would be unlikely to in ordinary circumstances.
For example, a blagger might find some information about you using social media, and use this to create a fake scenario. Say you wrote a post on Twitter complaining about the service in your local bank branch; the blaggers could then phone you up pretending to be from your bank saying that there has been some unusual activity on the account, and they need to confirm the details before they are able to unfreeze it. They have your name, location and date of birth from social media already so it’s easy to believe them, but all it now takes is for you to ‘confirm’ your address, bank account and sort code, and they have all your banking details.
To try and prevent being a victim of blagging, it’s important not to give out personal information - particularly in a public place. If a company contacts you, they should be the ones confirming details to you so they can prove who they are. If they can’t, or you aren’t sure, then you should contact the company directly yourself, using a number or address you already know, to check they are who they say they are.
Pharming is a cyber attack intended to redirect a website’s traffic to another, fake site. This is done either by changing the hosts file on the victim’s computer, or by tampering with the DNS system that translates web addresses into the servers your traffic goes to.
Unlike with phishing and blagging, you may never actually receive anything from the cyber criminals. Instead, you try to do the sensible thing by going to the website directly: you type in the address www…..com, hit enter and a page loads. However, this isn’t actually the site you meant to visit, and you have been sent to the wrong place without knowing it.
To try and avoid becoming a victim of pharming, there are a few things you can do. For example, make sure that you use a trusted Internet Service Provider that works to remove ‘pharmed’ websites. Also, double check all spelling - particularly of the URL. Common tricks are a triple letter instead of a double, or a .co.uk swapped for a .com. However, the easiest check is that the website displays a padlock in the web browser address bar, and makes use of the HTTPS protocol whenever you are asked to enter personal information. No padlock or HTTPS, then it’s likely to be a pharmed website (or one with poor security that you shouldn’t be trusting anyway!).
Phishing is a technique of fraudulently obtaining private information, often using email or SMS. The key difference between phishing and blagging is that blagging is targeted towards one individual, whilst phishing is broader and hopes that someone will bite.
The classic phishing scam is that of the foreign prince who is willing to transfer you millions of dollars if you simply hand over your bank details to him. Many people now are surprised that anyone falls for it, but phishing scams are becoming more and more sophisticated, making use of specific companies such as Amazon, and mimicking their branding. A common phishing scam currently is the use of order or payment confirmations, where a fake email is sent looking like it is from a real company. They then ask you to click on a link which takes you to a real-looking website where you need to enter your username and password.
When trying to avoid the bait, you should make sure that you use common sense when responding to emails. Phishing emails may contain spelling errors or vague/unfamiliar information. Many will also make use of fake sender addresses masquerading as the real thing. So always check who sent the email, and if in doubt search for the address online. The same goes for any URLs that you are asked to use. Once you click on the link, double check that the address bar does take you to the site you expect, or even go directly to the site yourself and log in there. Never open attachments or click links from strange addresses either, and as with blagging, if in doubt, contact the company directly. Many companies now have a way of reporting phishing scams too.
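The URL and sender checks described in the pharming and phishing sections above, written out as an added example (not part of the original page): a small Python checker that flags missing HTTPS, a swapped top-level domain (.com for .co.uk), doubled or tripled letters, and a trusted brand name embedded in a different domain. The allow-list of trusted domains (mybank.co.uk, amazon.co.uk) is a constructed placeholder you would replace with the sites you actually use.

```python
from urllib.parse import urlsplit

TRUSTED = ("mybank.co.uk", "amazon.co.uk")  # constructed allow-list (placeholders)
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def split_domain(host):
    """Split 'www.mybank.co.uk' into ('mybank', 'co.uk'), dropping subdomains."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]

def edit_distance(a, b):
    """Levenshtein distance: one extra, missing or changed letter counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_warnings(host):
    """Reasons a host looks like an imitation of a trusted domain ([] if none)."""
    name, suffix = split_domain(host)
    if f"{name}.{suffix}" in TRUSTED:
        return []
    reasons = []
    for trusted in TRUSTED:
        tname, tsuffix = split_domain(trusted)
        if name == tname and suffix != tsuffix:
            reasons.append(f"TLD swap: .{suffix} instead of .{tsuffix} ({trusted})")
        elif tname in name or 0 < edit_distance(name, tname) <= 2:
            reasons.append(f"lookalike of {trusted}")
    return reasons

def check_url(url):
    """Check a link before trusting it: HTTPS present, and domain not a lookalike."""
    parts = urlsplit(url)
    reasons = ["no HTTPS"] if parts.scheme != "https" else []
    if not parts.hostname:
        return reasons + ["no hostname"]
    return reasons + domain_warnings(parts.hostname)

def check_sender(from_header):
    """Apply the same domain test to an email's From: header."""
    address = from_header.rsplit("<", 1)[-1].rstrip("> ").strip()
    return domain_warnings(address.rpartition("@")[2])
```

An empty list means nothing looked wrong; it does not prove the site is genuine, so the page's advice to go to the site directly still applies.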
Shouldering or shoulder-surfing is observing a person’s private information over their shoulder, e.g. a PIN typed into a cashpoint machine. This may be done in person or via a small camera hidden nearby.
To avoid being a victim of this, try to avoid entering personal information into any devices in public - particularly bank details. Also make use of privacy screens, which restrict the angle from which the screen can be read. Shielding the PIN or other information with your hand is also important, as is generally looking around to see if there is anything suspicious nearby.