How aware are you when it comes to social engineering?

Cybercrime is huge; indeed, no other criminal activity is quite so lucrative. It is therefore imperative that you prepare and protect both your business and your personal life to mitigate the inconvenience and the cost of an attack.

There are some basic hygiene factors that every business needs to have in place. Firstly, ensure that you have appropriate insurance cover and that you understand what it covers and its terms and conditions. Secondly, cybersecurity training is essential at every level of the business, from the boardroom to the factory floor; indeed, the ICO guidelines now say that training for new employees must happen within 30 days of their starting employment (and before they access client data) and must be repeated at least annually.

Any training programme you undertake should include content exploring the many different strategies deployed by social engineers, since social engineering is one of the prevalent forms of attack.

Social engineers trick and manipulate their victims into doing something that is not in their best interests (giving away passwords or banking information, or allowing access). Their techniques supply just enough pieces of the jigsaw that the victim decides using fast, subconscious thinking rather than rational, logical, conscious thinking.

At ramsac we focus on five areas of social engineering.

The first is phishing. Most people are familiar with the concept: it uses email to trick the target. There are multiple techniques and categories of phishing, including whaling (or CEO Crime) and MITM ('man in the middle') attacks.

Second is vishing, or voice solicitation: the attacker makes a phone call pretending to be the bank, law enforcement, HMRC and so on, often spoofing the number they are calling from so that it looks like one you expect (even your own office number!).

Third is smishing, which is like phishing but uses SMS or text messages to trick the target. The average UK adult receives 9 smishing attempts each month, pretending to be DPD, the Post Office, Amazon and so on. This is tricky because, unlike phishing, you can't hover the mouse over a smishing link to see whether the URL offers any clues.

Fourth is qrishing, which tricks someone into scanning a QR code. This problem increased no end during Covid as more people became used to scanning in at a venue; the trouble is that it's easy to print a dodgy QR code and stick it over a legitimate one. When someone opens the QR code, they are taken to a website designed to cause digital harm.
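Both the smishing and the qrishing cases above come down to the same gap: the link arrives in a place where the reader cannot hover to inspect it. The following is an added example, not code from the original post or from ramsac, showing the kind of check a security team could run on the text of a reported SMS or on the payload decoded from a QR code before anyone visits the link. The sample messages, the brand list, the shortener list and the two-level suffix set are constructed assumptions for illustration; a production version would use the Public Suffix List and a maintained brand and shortener inventory.

```python
import re
from urllib.parse import urlparse

# Constructed sample payloads: two SMS texts and one decoded QR-code payload.
# Hosts use .example / RFC 5737 addresses only; none is a real brand domain.
SAMPLE_MESSAGES = [
    "DPD: We missed you. Reschedule delivery at https://dpd-parcel-reschedule.example.net/redeliver",
    "Post Office: a parcel is held pending a fee: http://192.0.2.10/postoffice/pay",
    "https://tinyurl.com/constructed-example",   # typical QR payload: a shortened link
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Assumptions for illustration only; a production check would use the Public
# Suffix List and a maintained shortener/brand inventory instead of these sets.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BRANDS = ("dpd", "amazon", "postoffice", "royalmail", "hmrc")


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. 'dpd.co.uk', 'example.net')."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url: str) -> dict:
    """Return the parsed host plus a list of red flags the reader could not see by hovering."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    findings = []

    is_ip = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))
    if parsed.scheme.lower() != "https":
        findings.append("not https")
    if is_ip:
        findings.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host")          # internationalised/lookalike letters
    if parsed.username is not None:
        findings.append("userinfo in authority")  # 'brand.co.uk@evil.example' style trick
    if reg in SHORTENERS:
        findings.append("url shortener")          # final destination is hidden
    if not is_ip and host.count(".") >= 3:
        findings.append("deep subdomain")         # brand buried in a long subdomain chain
    flat_host, flat_reg = host.replace("-", ""), reg.replace("-", "")
    for brand in BRANDS:
        # A brand name in the hostname but not in the registrable domain is the classic
        # smishing pattern (e.g. dpd-parcel-reschedule.example.net).
        if brand in flat_host and brand not in flat_reg:
            findings.append(f"brand '{brand}' outside registered domain")

    return {"url": url, "host": host, "registered_domain": reg, "findings": findings}


def inspect_message(text: str) -> list:
    """Extract every http(s) URL from an SMS or QR payload and inspect each one."""
    return [inspect_url(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for report in inspect_message(msg):
            verdict = "SUSPICIOUS" if report["findings"] else "no flags"
            print(f"{report['host']:40} {verdict}: {', '.join(report['findings'])}")
```

Run on the constructed samples, the DPD-themed link is flagged because "dpd" appears only in a subdomain of an unrelated registrable domain, the fee demand is flagged for using a bare IP address over plain HTTP, and the QR payload is flagged because a shortener hides the real destination. An absence of flags is not proof of safety; the point is to give a reader the equivalent of the hover check they lose on a phone screen or a printed QR code.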

Finally, we must discuss with our teams the problem of impersonation. The cyber criminal can save a lot of time trying to break through sophisticated IT security by simply getting inside the target's office building. This might be as simple as sending the target USB keys and getting them to do the work, but dressing as a supplier and walking into a building is unfortunately all too easy for many. The concept of hiding in plain sight has never been truer, and wearing a high-vis jacket and carrying a clipboard opens far too many doors. Some criminals will pretend to be the company that changes your sanitary waste bins. The question is: if someone appropriately dressed walked into your reception with two waste bins under their arms, how many people in your organisation would stop to question, identify or talk to them?

It doesn't matter who you are or what your business does: you will eventually be the victim of a cybersecurity attack, and thinking that it won't happen to you is simply naive. Please ensure that you give sufficient time to understanding the risks, practising your defence and engaging with experts, so that you, your business, family and loved ones stay as safe as possible.

Rob May is Managing Director of ramsac, which has specialised in cybersecurity and strategic technology for the last 30 years. He is also a speaker, author, UK Ambassador for Cybersecurity with the IoD and a board member of The Cyber Resilience Centre in the South East (a collaboration between business, academia and law enforcement).
