
Social Engineering

Social engineering is a term that refers to manipulating or tricking someone into sharing information. It is very popular with fraudsters because it is usually much easier to fool someone into handing over their password than it is to crack that password (unless the password is really weak). Social engineering is generally highly convincing, sometimes made more believable by snippets of information which the fraudsters already have about you.

Once a hacker has access to your accounts (made easier if all your accounts are protected with the same or similar passwords) they can steal your identity. In other words, they can impersonate you, sending emails to people in your contacts, or leaving messages ‘from you’ on their social media pages. Thus not only are you exposed to malware, fraud and so on, but your contacts are too.

They obtain this information, for example, by:
  • Hacking into the account of someone who holds your details, including companies, social media sites, etc.
  • Enticing you to enter your details on a fraudulent website. (In particular, there are no authentic sites offering free iPhones or other exciting prizes.)
  • Hacking into legitimate websites to gather users’ details.
  • Buying email lists from other spammers.
  • Inviting people to click through to fraudulent websites posing as spam email cancellation services.
  • Harvesting names and addresses from the CC line, or from the body of forwarded emails where the previous participants have not been deleted.

In other words, you can be hacked even if you practise caution, so you must be quick to respond if there are signs that this has happened.

Tips to Avoid Social Engineering Attacks
  • Never reveal personal or financial data including usernames, passwords, PINs, or ID numbers.
  • Think before you click. Hackers create a sense of urgency to make you act first and think later. When you get a highly urgent message, take a moment to be sure it is from who it is supposed to be from. The best way is to find another way to contact the person or organisation to confirm the message. If you receive an email or WhatsApp message, try calling the person over the phone instead (if it is an organisation and you don’t know the number, google it; don’t call a number the message itself suggests). Better safe than sorry!
  • Research the source. If you’re sent a link to a website, ignore it. Instead, google the company and go to their website directly. That way there is less risk of being misdirected to a copycat website.
  • Delete any request for personal information or passwords. A bank or other reputable organisation will never ask you for your password via email or phone call.
  • Do not open email attachments or click on links in emails from unknown sources.
  • Recognise threats of financial issues or offers that seem too good to be true for what they really are. If you receive an email claiming to be from a lottery, or a dead relative, or saying you are the millionth person to click on their site or the thousandth person to have shopped with them that month, ignore it. In order to give you your ‘winnings’ they will ask you to provide bank details they can send the winnings to, or they may ask you for ID so they can ‘prove’ who you are.
  • Bargains may also be suspect. Be careful of unsolicited emails with great offers containing an urgent offer end date (for example “Buy now and get 50% off”).
  • A scam may also show up as an amazingly great deal on classified sites, auction sites, etc. The seller might even have a good rating (as part of a well-planned scheme). Those who take the bait risk getting nothing in return for their money, or being infected with malicious software and having their own contacts exploited.
  • Do not attach external drives or USB devices to your computer if you are not certain of the source. They may contain malware.
  • Do not send emails with lots of people in copy. Use the ‘BCC’ (blind carbon copy) field instead. That way, if you’re hacked, those other email addresses won’t fall into the hands of the hacker.
  • Even if a post or tweet seems to come from someone you trust, their account may have been hacked or spoofed. If in doubt, contact them by some other means to check whether they sent it.