In the digital world, whenever we click on something or reply to a request for information, we are at every suitable opportunity vulnerable to being misled and defrauded. Human nature is trusting, compliant and curious, and it wants more of what it has; all it takes is a suitable moment and a confidence-inspiring enquirer.
What is social engineering all about?
When someone attempts to influence another person into doing something that is contrary to that person’s own interest, social engineering is at work. In the digital world, people are manipulated into becoming providers of information, and through phishing they inadvertently hand over personal or organisational confidential information.
Persons are vulnerable to social engineering in particular because they do not expect to become targets of attacks.
The hustle and bustle of daily life, combined with a lack of knowledge, creates the perfect situation for carrying out criminal intentions. A false sense of security lures one into not realising how sensitive the information one is inadvertently handing over actually is.
What methods do the criminals use in their cyber-attacks?
A prime example of a typical attack is a mass email attack (phishing) or a direct attack on an individual or organisation (spear phishing). Prior to these attacks, the target has been thoroughly researched from a variety of sources. The attackers are highly skilled at exploiting personal and organisational background information, as well as information about the motives behind people’s activities and the organisation’s existing operational models.
The social engineers often pose as persons with authority, or as representatives of an official body or of management. The victim is talked into carrying out a particular task or service. The requests may concern passwords and user IDs for a system. They may take the form of a request for an update, or of an invoice demanding urgent payment in a confidential matter. Usual tactics are appeals, threats, scares, or convincing the person of the importance of seizing a unique opportunity. Another tactic is to appeal to the person’s sympathy with a fictitious request for aid or help.
How can one protect oneself from these types of attacks?
A higher level of awareness and knowledge is beneficial in protecting oneself from the traps of the digital world. Responsible service providers never use email links to request or enquire about their customers’ individual IDs, passwords or other confidential information. When responding to changes in services, one must always use the service provider’s own site with strong authentication. Whenever a contact is in the slightest suspicious, it is responsible to evaluate the quality of the message, paying particular attention to the type of language used and to the sender. Whenever a known person requests a money transfer, it is good practice to confirm the request personally by phone. In the case of any abnormal request for action or demand, one should always stop, evaluate the request and seek further clarification.
This text has been created as part of the #OleTietoinen (Be aware) awareness campaign, which aims at strengthening national cyber know-how. The campaign is the work of specialists of the JAMK University of Applied Sciences’ CYBERDI project and specialists at the Police University College.
The expansion of security in the digital world, as part of the objective of the #OleTietoinen (Be aware) campaign, will continue until the end of 2021.
About CYBERDI in Finnish: cyberdi.fi
Specialist / Project manager of the CYBERDI project
JAMK University of Applied Sciences, The Institute of Information Technology