Social engineering

Social engineering is a tactic cyber criminals use to deceive individuals or groups by manipulating and influencing them to gain control over a computer system.

The primary motive of the hacker is to steal personal and financial information. Using psychological manipulation to build trust, they trick users into making security mistakes or divulging sensitive information.

Social engineering attacks can happen anywhere there is human interaction. They can happen to anyone, and attacks can come in many different forms.

The good news is that social engineering can be prevented by remaining alert to the signs and acting straight away to block or remove potential threats.

What information do cyber criminals want?

There are many reasons scammers want your information, but the prime motive is to gain something of monetary value. They may target:

  • Credit card details - some target individuals to steal financial information and credit card details.
  • Identity theft - others seek information that lets them commit identity theft and extract money.
  • Trade secrets - some target organisations to steal trade secrets or customer data, which can be sold to the highest bidder.
  • Disruption or damage - scammers may wish to disrupt or damage a computer system with ransomware and demand money to remove it.

How can scammers access my personal information?

Cybercriminals may use information from previous data breaches, social media, and the internet when searching for potential victims. They may impersonate:

  • someone in a position of power - your boss or a superior at work
  • a co-worker - someone you currently work with
  • someone from a trusted organisation - a government department or financial institution.

The perpetrator attacks when you respond with information that enables them to find entry points and weak security protocols.

Phishing Emails

Phishing/Baiting or SPAM are unsolicited emails or messenger app messages sent to multiple people (untargeted) asking for personal or sensitive information.

Attachments – Phishing emails usually contain attachments or links to an external website. The emails or messages will encourage you to open an attachment or click on their link. If the offer is too good to be true, it usually is!

Links - included links can take you to malicious websites that often masquerade as legitimate sites.

Ransomware - attachments can contain ransomware, a type of malware that damages your computer and compromises your privacy.

Requests for personal details - just remember that it is unlikely that your financial institution and other large organisations (such as Amazon, PayPal, Google, Apple, and Facebook) would send you a link and ask you to enter your personal or financial details using email.

Spear Phishing - a more sophisticated way of targeting victims. The perpetrator will pose as someone known to and trusted by the victim. They target specific individuals or their position.

If you think you may be the victim of phishing/baiting or spear phishing, it is always best to contact the sender directly to confirm authenticity or contact IT. If it doesn’t look or feel right, it probably isn’t.

Social Engineering

Vishing

Vishing is another form of Phishing. Instead of bulk email or messages, the perpetrator, who appears to be from a trusted source, will contact you by phone.

The scammer will call your number and use social engineering tactics to trick you into imparting personal information, including bank passwords, credit card details, and other personal information.

Vishing callers can place hundreds of calls at a time using voice-over-internet protocol (VoIP) technology and are able to create a caller ID, so it can appear to be from a bank or a government department, for example.

You may be the recipient of a vishing call if:

  • The caller asks you to confirm your personal information, including your date of birth.
  • The caller invokes a sense of urgency and uses threats of arrest or fines.
  • When you answer, you are listening to a recorded message.

What does IT do about Social Engineering and Email Security?

Mimecast SPAM filtering applies to all emails sent from external contacts to prevent phishing attacks on our system. Email attachments and URLs are scanned, and any found to contain threats are quarantined.

Mimecast identifies these quarantined emails as suspicious and requires further action before being delivered to your inbox. Quarantined emails show in your inbox under Postmaster.

We take many steps and practices to filter out unwanted emails from our systems; however, some can still make it through. Think twice before opening or replying to these types of emails:

  • Personal requests for information or money.
  • The sender encourages you to click on links or attachments - hover over links to check their legitimacy, or do a Google search.
  • There is a sense of urgency, such as “urgent action required!”
  • The text contains poor grammar and spelling, or your name has been misspelled.
  • There are no contact details, or the signature is generic.
  • The email comes from a person or company you haven’t contacted before.
  • The sender's name does not match the sending address, the sender is unknown, or you don’t usually receive emails from them.
  • The email appears to be from a known sender, but the request seems unusual (asking you to purchase an item or verify personal information).
  • The email talks about a virus warning.
  • It is a chain letter encouraging you to forward it to colleagues.
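Three of the indicators in that list can be checked mechanically: a display name that is itself an address but not the one the mail was actually sent from, urgency wording, and a link whose visible text names a different site from where its href goes (the "hover over links" check). The script below is an added example for training purposes, not a Mimecast rule or any IT@ND tool; the urgency phrase list and the sample message (with made-up .example domains) are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

URGENCY = ("urgent action required", "act immediately", "account will be suspended")  # constructed

class _Anchors(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):  # hostname if s looks like a URL or bare domain, else ''
    m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", s.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):  # returns the checklist indicators a raw message triggers
    msg = message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name is itself an address, but not the one the mail was sent from
    if "@" in name and name.lower() != addr.lower():
        hits.append("sender name does not match sending address")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_type().startswith("text/"))
    if any(phrase in body.lower() for phrase in URGENCY):
        hits.append("sense of urgency")
    links = _Anchors()
    links.feed(body)
    # "Hover over links": the visible text names one site but the href goes to another
    for href, shown in links.links:
        if _host(shown) and _host(shown) != _host(href):
            hits.append(f"link text {shown} actually goes to {_host(href)}")
    return hits

SAMPLE = """From: "itservicedesk@nd.example" <alerts@mail-reset.example>
Content-Type: text/html

<p>Urgent action required! Open <a href="http://mail-reset.example/x">https://mail.nd.example</a> now.</p>
"""
```

Run `phishing_indicators(SAMPLE)` to see all three indicators fire on the constructed message; a plain internal note with a matching From address and no links returns an empty list.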

What do I do if I click on a link?

If ever in doubt about an email you have received, please contact IT so they can verify its authenticity. If you think your email account or contact list is compromised, let your colleagues know to prevent further attacks or compromises to accounts.

Send the following details to your IT Service Desk:

  • Sender name or address
  • Email service (iiNet, Telstra, Gmail)
  • Email details
  • Time opened
  • If you have already reset your password

If your account becomes compromised, our system flags it and, as a security precaution, disables it until IT is contacted and your details are updated.

Attachments

Our SPAM filters, or an outside organisation's system, may block attachments with uncommon file extensions. Uncommon file extensions include:

.Trojan, .avi, .bas, .bat, .chm, .cmd, .cnf, .com, .cpl, .exe, .hta, .in, .lnk, .mhtml, .mng, .mov, .mp3, .mpeg, .mpg, .pif, .reg, .scf, .scr, .sct, .shb, .shs, .vbe, .vbs, .vsf, .wmv, .wsc, .wsf, .wsh, .xnk, document.com

Should I open an attachment?

Avoid possible threats by taking the following precautions and learning to see the signs when opening emails with attachments.

  • The attachment shows 0KB as its size.
  • The message mentions an attachment, but none is included.
  • The message seems confusing or is poorly written.
  • The message contains wording like "You must take a look at this" or "I'm sending you this because I need your advice."
  • The file has any of the extensions above, or a double extension.
  • If in doubt, check with the sender to see if they knowingly sent the email or attachment in question.

How to Minimise Attachment Blocking

Reduce the number of emails blocked by IT because of their attachment:

  • Keep the filename short
  • Don’t add spaces in the title
  • Remove any special characters from the name
  • Use hyphens or underscores instead of spaces
  • Don’t include multiple file extensions, e.g. Human_Anatomy.doc.vbs
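The naming rules above and the extension list from the Attachments section can be checked before you hit send. This is an added example, not the filter IT@ND runs: the extension set is copied from the list on this page, while the 40-character limit is an assumption (the page only says to keep the filename short), and the sample filenames are constructed.

```python
import re

# Extensions the Attachments section lists as uncommon and liable to be blocked (copied from this page)
BLOCKED_EXTENSIONS = {
    ".trojan", ".avi", ".bas", ".bat", ".chm", ".cmd", ".cnf", ".com", ".cpl", ".exe",
    ".hta", ".in", ".lnk", ".mhtml", ".mng", ".mov", ".mp3", ".mpeg", ".mpg", ".pif",
    ".reg", ".scf", ".scr", ".sct", ".shb", ".shs", ".vbe", ".vbs", ".vsf", ".wmv",
    ".wsc", ".wsf", ".wsh", ".xnk",
}
MAX_NAME_LENGTH = 40  # assumed limit; the page only says "keep the filename short"

def attachment_problems(filename):
    """Return the reasons an attachment name is likely to be blocked; [] if it looks fine."""
    problems = []
    _stem, *exts = filename.lower().split(".")
    exts = ["." + e for e in exts]
    # Human_Anatomy.doc.vbs carries two extensions; the last one decides how it opens
    if len(exts) > 1:
        problems.append(f"multiple extensions: {''.join(exts)}")
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        problems.append(f"blocked extension {exts[-1]}")
    if " " in filename:
        problems.append("contains spaces (use hyphens or underscores)")
    if re.search(r"[^\w.\- ]", filename):
        problems.append("contains special characters")
    if len(filename) > MAX_NAME_LENGTH:
        problems.append(f"longer than {MAX_NAME_LENGTH} characters")
    return problems

def suggested_name(filename):
    """Rewrite a name the way the list above recommends: underscores for spaces, no special characters."""
    name = re.sub(r"\s+", "_", filename.strip())
    name = re.sub(r"[^\w.\-]", "", name)
    stem, dot, ext = name.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = ext, ""
    return stem[:MAX_NAME_LENGTH - len(dot + ext)] + dot + ext  # shorten the stem, never the extension

if __name__ == "__main__":
    for sample in ("Human_Anatomy.doc.vbs", "Lecture notes (week 3).docx", "budget-2024.xlsx"):
        print(sample, "->", attachment_problems(sample) or "ok", "| suggested:", suggested_name(sample))
```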

The maximum size limit of an email (including the file attachment) is 30MB. Emails that exceed this limit are not delivered, and an undeliverable message is sent to your inbox.

Please note that some attachments are removed because of wording considered inappropriate. Please contact IT for further assistance if you are receiving undeliverable messages or believe your attachment has been dropped.

How to Avoid Social Engineering

Now that you know what to be alert for and what emails and attachments may look like, take these extra steps to avoid them at work and home.

  • Verify contacts - are they who they claim to be – contact them in person, via email, and on the phone
  • Trust your instincts - if something seems odd, ask your IT manager for help
  • Protect passwords - Don’t use the same passwords for all logins, and keep other data secure
  • Keep business and personal separate - for personal and business communication, use separate emails. Don’t use your university account to sign up for online offers.
  • Use our SPAM filter - block known unsafe senders and organisations
  • Delete spam messages – do not open them
  • Read the fine print - before using your email address online, read the website privacy policy to know how they may use the personal information you provide.
  • Reduce Opt-In emails - When you sign up for an online account or service, be aware of the options to receive emails about other products and services.
  • Take care when filling in online forms - use separate email accounts where possible when signing up or filling in online forms.


Test your Knowledge

Take the Cisco Phishing quiz to test your knowledge.
