HackerSocial Engineering means to manipulate people into giving you their confidential information – typically a password or PIN number. The average loss per person caught by phishing and similar attacks is reported to be $4,187 and the average loss per company caught out is $42,544.


 In any security regime, people are usually the weakest link.  How many people do you know that have their passwords written down in an office drawer?

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.  It is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is an obvious one).

Common Methods for Social Engineering Attacks

1.      Email from someone you know. 

Criminals either hack an email account or spoof it (i.e. send emails that appear to be from someone you know). That email may be

·         an invitation to click a link for a funny cat video or a TV clip or anything but in fact it will download malware onto your computer

·         an attached file such as a movie or photo or document that contains malware and a prompt that you must open it

·         a request for a donation to some worthwhile cause but is a link to a fake website designed to get your financial information

·         a desperate plea for help and an involved story as to why he/she cannot go to the authorities and is out of money and had their credit cards stolen etc. Anything to get you to send them money.

2.     Phishing Emails and Texts.

There are hundreds of millions of these emails sent out each day with the scammers hoping to get responses from trusting people that are willing to give their confidential information.  The messages typically appear to come from a source that you would trust e.g. your bank or a government agency or a utility company.

Examples include:-

·         The Solution to a Problem. The message offers the answer to a medical problem or you need to verify your email account or read Facebook notifications or anything to get you to click that link.

·         The message may be a special offer accessible only for today or until the item is sold out or all given away or a free upgrade for your email account or a free APP and so on.

·         You have won something – a prize draw you didn’t enter or a national lottery or a Premium Bond or a prize giveaway by Facebook etc.

The list of these phishing scams is endless.

3.     Bait. 

The criminals know what attracts people and they setup fake websites, fake downloads of popular movies, music or software or bargain offers on desirable products. They the advertise using social media, emails and website adverts.

The victim thinks they are getting a bargain or something for nothing but are liable to just get malware infecting their computer.    If something looks too good to be true – it almost certainly is.

4.     A Response to a Query

The message is in the format of a reply to a question or query raised by you.

These messages are typically pretending to be from a large well-known company such as Microsoft or Apple or a utility company or the National Lottery etc.

The scammers reasoning is that people are more likely to read and reply to a message if they believe they initiated the contact and that the scammer is offering help to deal with a problem. This is probably true.

If you have never asked the question and don’t use the relevant product or service then you’ll probably just delete the message and assume it was sent in error.

But if you do use the product or service or would like to then you may be taken in

How to Protect Against Social Engineering

The basic answer is to use common sense. If something looks too good to be true then it’s likely to be a scam. If you appear to have won something but didn’t enter the lottery or whatever it was then cannot have won.   Don’t reply to people you don’t know and don’t click on an unknown link even if you think you know the person who appears to have sent it to you. Here are suggestions to help you avoid social engineering attacks.

·         Basic security – all devices and servers should have anti-virus but also anti-malware installed.

·         Use email filters to remove the most obvious malicious emails

·         Keep all devices fully up to date with latest security patches etc.

·         Any requests by email, message or phone call for confidential and/or financial information should be treated as suspect

·         Ensure everyone is trained to be aware of the threats and what to do in the case of doubt

·         Don’t download free music, software, movies etc. Only download when you have checked the validity of the item.  

Stay sharp.

The hacker is watching you