The Dangers of Social Engineering

With computer operating systems and antivirus software becoming more secure and being updated more quickly, criminals are turning to other methods to obtain personal information or to compromise computers.

It’s called social engineering.

The criminal will try to obtain information by appearing to represent a legitimate company or organisation. They can either cold call their victim, taking the chance that the victim has a connection with the company or organisation they are pretending to be from, or they can use information obtained in other ways.
That’s why it’s a good idea to shred any documents you discard, even if they don’t contain sensitive security information. Knowing what bank you are with will add to their legitimacy when they call you.
Email is a very cheap way to send large numbers of messages. Lists are available that contain harvested addresses. Only a small percentage need to reply for the exercise to be profitable.
Recently we have had an increase in the number of our customers reporting that they have had phone calls from people saying that BT/Microsoft/Apple have asked them to call regarding security problems detected on their computers. There is normally a spike in this activity if the general media has mentioned a new virus or security problem.
They will ask the customer to install remote login software so they can connect and fix the problem. They then launch various applications, such as Terminal, to try to check what other software is installed, or they will try to download and install software. They will then ask for passwords to do this, and a few tricks will be employed to try to baffle the user into agreeing that this is all legit. Otherwise, they will say that the security problem has been detected and that they will only fix it for a fee.
Below are the two reasons why you should not hand over your credit card details:

  • there is no problem to fix
  • you don’t know who you are giving the details to

The harvesting of information doesn’t have to be done over the phone or via email.

You could be stopped in the street and asked to donate to charity or asked to take part in a survey. You will then hand over your contact and/or bank details. Later on, a professional-sounding person will call you, claiming to be a representative of your bank, and state your account numbers etc., which will make them sound very legitimate.

Social engineering can extend to companies.

It can be very easy to call a company to ask general questions and thus obtain user names. Later on, someone will call back and mention the employee names that were harvested earlier, which will lend the call a level of authenticity.
Even simple eavesdropping can be used to gain access to company systems, or lead to more detailed information gathering. Even by wearing your ID badge and talking about your company in public, you are tying the details you give to the company you work for.
To reduce the risk, take care over what information you divulge and to whom, even if the information is not confidential. For instance, think about the online services that hold your date of birth and employment or home address history. These sites can hold information that could provide valuable verification information. It’s not uncommon for a company to ask for a date of birth to verify your identity.

Recommended Preventative Steps

  • Verify to whom you are speaking, and call them back using the details you have.
  • Don’t wear your company ID badge outside of the office.

In short, be very suspicious of unsolicited phone calls and emails, no matter how genuine they sound.