How aware are you when it comes to social engineering?

Posted on April 27, 2022 by Rob May

Cybercrime is huge; indeed, no other criminal activity is quite so lucrative, thus it is imperative that you prepare and protect both your business and your personal life to mitigate the inconvenience and the cost of an attack.

There are some basic hygiene factors that every business needs to have in place. Firstly, ensure that you have appropriate insurance cover and that you understand what this is and the terms and conditions. Secondly, cybersecurity training is essential at every level of the business from the boardroom to the factory floor, indeed the ICO guidelines now say that training for new employees must happen within 30 days of starting their employment (plus before they access client data) and that it’s repeated at least annually.

Any training program you undertake should include appropriate content exploring the many different strategies deployed by social engineers (one of the prevalent forms of attack).

Social Engineers trick and manipulate their victims to do something which is not in their best interests (giving away passwords, banking info or allowing access) using techniques which provide enough pieces of the jigsaw, that decisions are made using sub-conscious thinking, as opposed to rational, logical conscious thinking.

At ramsac we focus on five areas of social engineering.

The first is Phishing, and most people are familiar with the concept of this, it uses email activity to trick the target. There are multiple techniques and categories of phishing including Whaling (or CEO Crime) and MITM ‘man in the middle’ strikes.

Second is Vishing, this is voice solicitation, and the challenger will make a phone call pretending to be the bank, law enforcement, HMRC etc. Often spoofing the phone number they are calling from to make it look like a number you are expecting (even your own office number!).

Third is Smishing, this is like phishing but using SMS or Text messages to trick the target. The average UK adult receives 9 smishing attempts each month on average, pretending to be DPD, The Post Office, Amazon etc. This is tricky because unlike phishing you can’t however the mouse of a smishing link to see if the URL offers any clues.

Fourth is Qrishing, this method tricks someone by getting them to scan a QR Code, this problem increased no end during Covid as more people became used to scanning into a venue, the problem is that it’s easy to print a dodgy QR code and stick it over a legitimate one. When someone open the QR code they get taken to a website designed to cause digital harm.

Finally, we must discuss with our teams the problem of Impersonation. The Cyber Criminal can save a lot of time trying to break into sophisticated IT security by simply getting inside the targets office building. This might simply be by sending the target USB keys and getting them to do the work for them, however, dressing as a supplier and walking into a building is unfortunately too easy for many. The concept of hiding in plain sight has never been truer and wearing a high-viz jacket and carrying a clipboard opens far too many doors. Some criminals will pretend to be the company that change your sanitary waste bins, the question is, if someone appropriately dressed walked in to your reception with two waste bins under their arms, how many people in your organisation would stop to question, identify or talk to them?

It doesn’t matter who you are or what your business does, you will eventually be the victim of a cybersecurity attack, thinking that it won’t happen to you is simply naive. Please ensure that you give sufficient time to understand the risks, practice your defence and engage with experts to ensure that you, your business, family and loved ones stay as safe as possible.

Rob May is Managing Director of ramsac who have specialised in cybersecurity and strategic technology for the last 30 years. He is also a Speaker, Author, UK Ambassador for CyberSecurity with the IoD and on the Board of The Cyber Resilience Centre in the South East (a collaboration between Business, Academia and Law Enforcement).

Cyber Resilience Certification

Looking for more information on how the Cyber Resilience Certification can improve your cybersecurity protection for your organisation? Download our factsheet.

Download factsheet

Related Posts

  • Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK
    November 28th, 2023

    Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Cybersecurity

    In this blog, we'll explore the concept of the ICO Regulatory Sandbox and its objectives in the data protection landscape in the UK [...]

    Read article

  • What is a break glass account?
    October 27th, 2023

    What is a break glass account?

    Cybersecurity

    If you’re creating a business continuity plan, have you considered a break glass account? Learn what one is and how to create one here. [...]

    Read article

  • Cybersecurity vs cyber resilience – what is the difference?
    October 11th, 2023

    Cybersecurity vs cyber resilience – what is the difference?

    Cybersecurity

    What’s the difference between cybersecurity and cyber resilience, and how can you implement them? We cover this and more. [...]

    Read article

  • Celebrating 20 Years of Cybersecurity Awareness Month
    September 19th, 2023

    Celebrating 20 Years of Cybersecurity Awareness Month

    Cybersecurity

    October is Cybersecurity awareness month, follow us on LinkedIn or Twitter for daily tips on how you can protect your organisation against Cybercrime. [...]

    Read article

  • How much should businesses invest in cyber resilience? 
    September 11th, 2023

    How much should businesses invest in cyber resilience? 

    Cybersecurity

    In this blog we explore how much organisations should invest in cyber resilience to protect against cybercrime [...]

    Read article

  • The European Cyber Resilience Act explained – how it impacts your business
    September 5th, 2023

    The European Cyber Resilience Act explained – how it impacts your business

    Cybersecurity

    On the 15th of September 2022, the European Commission published its proposal for new regulation regarding cybersecurity requirements for products with digital elements (such as smart fridges, cameras, TVs [...]

    Read article