We all wish we had a distant relative who is kind enough to share their vast wealth after reaching out through the internet. Sadly, this is very rarely the case.
These days, we’re used to receiving regular fraudulent messages from poor Uncle Jim in the US or the prince of a faraway land. We understand how these typo-riddled emails attempt to draw us in with big promises and ask for money to deliver on them.
However, threats against you and your business aren’t always this obvious to spot. These are carefully planned and often appear innocent at first, but soon after, the losses can add up. These types of threats are known as social engineering attacks, and this blog will look at how to spot them and how to keep yourself safe from them.
What is social engineering?
Social engineering is the practice of manipulating and exploiting people. It could involve your typical phishing emails, phone calls from someone claiming to be your bank or even a message on social media from a ‘friend’ in need.
Social engineering aims to exploit human behaviour to gain illicit access to your systems or accounts. Most of the time, you won’t even come face-to-face with the person launching this attack.
What impact has social engineering had on businesses?
We’ve mentioned in our previous blogs about the need to use strong passwords and multi-factor authentication (MFA), but these defences may be of little help if an attacker can convince you to hand over your sensitive information, passwords and logins. And this can happen to anyone. Uber, for example, recently suffered from a significant data breach started by a hacker messaging an employee on WhatsApp. The hacker claimed to be from IT and asked them to approve an MFA access request, allowing them to side-step the protections of MFA and access the internal systems that run Uber.
It’s not only Uber that has been affected by social engineering. In 2016, the Federation of Small Businesses identified that social engineering attacks cost UK small businesses £5.26bn a year (around £3,000 per business). It shows that social engineering is an ever-present threat to everyone, not only big business.
The best way to prevent the danger of social engineering is by understanding how to recognise an attack and what to do to stop it in its tracks.
How do you recognise a social engineering attack?
At Mettle, we train our staff to recognise the signs of a social engineering attack. Improving our employee awareness is one of the many tools we use to ensure the security of our customers and their accounts. We recommend the following to recognise a social engineering attack:
Who has sent this message? You should always double-check and verify who is contacting you. Is the email coming from who you think it is, or are they using something that looks similar? For example, Mattle.co.uk instead of Mettle.co.uk (did you notice the ‘a’ instead of the ‘e’ in Mettle?).
Is the method of contact unusual? If the person contacting you is using an unusual method, like emailing instead of texting, you should take time to verify if it’s legitimate. For example, if your bank suddenly starts asking for account details via Instagram, you should be suspicious.
Are they claiming to be an authority? If they claim to be your bank, a solicitor, or even the police, you should automatically be suspicious. Take time to verify that the person contacting you is legitimate. You should also never enter any sensitive information into websites that are claiming to be your bank.
Are you being forced to make quick decisions? When an unexpected message arrives, or someone asks you to do something unusual, you should take a moment and slow down the conversation. Often, social engineering attacks put unnecessary urgency on you to force a quick decision.
Is the request unusual or unexpected? You should consider if the message is normal and expected. People won’t typically contact you randomly and start requesting sensitive information or asking you to make payments.
Are they trying to play on your emotions? Social engineering attacks sometimes make you panic, fearful, hopeful or curious. If a message is making you feel overly emotional, you should be cautious.
Have you verified the person or organisation? If something feels off, verify that the person contacting you is legitimate. Contact the person or organisation they claim to work for using a different communication channel. For example, you should use a publicly listed phone number or email address from their website. A legitimate person or organisation will always be happy for you to contact them back.
Remember, we can’t always rely on one of these questions alone to identify a potential social engineering attack. You should make sure that several, if not all, of them are answered satisfactorily before trusting someone who has contacted you.
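As an added illustration (not Mettle’s code), the short script below applies several of the checklist questions above to an inbound message at once: a lookalike-domain check such as the Mattle/Mettle example, plus simple wording checks for urgency, requests for sensitive information and claims of authority. The trusted domain list, keyword lists and sample messages are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed for this example: the domains a business treats as genuinely its own.
TRUSTED_DOMAINS = {"mettle.co.uk"}
# Constructed keyword lists; a real filter would be tuned to the business's own mail.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "right now", "act now")
SENSITIVE_WORDS = ("password", "pin", "login", "account details", "card number")
AUTHORITY_WORDS = ("bank", "solicitor", "police", "hmrc", "it department")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str) -> Optional[str]:
    """Return the trusted domain a sender domain imitates (within two edits),
    or None if the domain is exactly trusted or not close to any trusted domain."""
    domain = sender_domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _mentions(text: str, words) -> bool:
    # Whole-word match so that "pin" does not fire on "shopping".
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def assess_message(sender_domain: str, body: str) -> List[str]:
    """Return the checklist questions this message trips; several flags
    together are a strong sign of a social engineering attempt."""
    flags = []
    text = body.lower()
    imitated = lookalike_domain(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")
    if _mentions(text, URGENCY_WORDS):
        flags.append("pressure to decide quickly")
    if _mentions(text, SENSITIVE_WORDS):
        flags.append("requests sensitive information")
    if _mentions(text, AUTHORITY_WORDS):
        flags.append("claims to be an authority")
    return flags
```

A message from Mattle.co.uk that claims to be the bank and asks for a login and password “immediately” trips all four checks, while a routine statement notice from the genuine domain trips none.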
How do you report social engineering attacks?
Now that we know how to identify a social engineering attack, we should know how to report it.
The National Cyber Security Centre (NCSC) is the best organisation to deal with these attacks. If you report these attempts to the NCSC, they can safely tackle the threat for you and help protect others from falling victim.
Their website offers different methods for reporting these attempts, as well as advice if you’ve already fallen victim to an attack. You can find out more on the NCSC website.
When it comes to social engineering, it’s always best to question where a message is coming from and why. If you need to ask to call someone back, or to take time to verify who they are, it’s better to be safe than sorry.