Gone are the days when the term phishing was associated with a leisurely Sunday afternoon activity and trees were the only victims of hacking. As we continue to make dramatic advancements in the digital and tech space, the threat of cybercriminals has grown significantly, and the methods used aren’t just limited to viruses and ransomware.

What is social engineering and how it is used in cyber-attacks?

When cybercriminals use social engineering tactics, they aim to psychologically manipulate their victims for their own gain. This often includes handing over sensitive information or transferring large amounts of money to an unknown account. These attacks can occur at any time, through text, email, phone calls and social media chat facilities.

What does a social engineering attack look like?

Social engineering attacks often appear to come from a trusted source such as a friend, relative or colleague. Or you may find they approach you as your banking, utility or broadband provider. The purpose of this impersonation is to gain your trust. 

Phishing

Most phishing attacks aim to obtain personal information from the victim. These are often opportunistic and use fear tactics based on what’s happening in the world at the time, such as the COVID-19 pandemic.  No two types of phishing attacks look the same so it’s important to remain constantly aware of this threat when working online.

Baiting

Very similar to phishing attacks, baiting uses the promise of free goods or services to encourage victims to hand over information. This tactic also takes advantage of our natural curiosity, asking us to click a link to uncover a mystery prize or access a piece of information.

Tailgating

Not all cyber-related attacks happen online. Tailgating attacks occur when a criminal attempts to access your office premises by tailgating an employee, playing on our instinct to be polite and hold the door open for the person behind us. Some criminals have even gone as far as to wear fake baby bumps to garner sympathy – because who would shut the door on a pregnant person?

Pretexting

Unlike phishing attacks which are usually conducted in mass, pretexting attacks try to build a believable scenario to establish trust before they try to obtain information. For example, you could receive an email from your CEO who states they’re about to enter an important meeting and need your password urgently to access a system. Or you may receive a call from your payroll team saying your payment didn’t go through this month and they need to check your account details. These types of attacks are designed to put pressure on the individual, so they act fast without careful consideration. 

How to recognise a social engineering attack

Cybercriminals are changing their methods all the time, so there’s no exact formula that makes up a social engineering attack – but there are red flags to look out for.

These include:

• Requesting information or money access
• Evoking a sense of urgency in the email
• Short and concise
• Asking you to donate to a charitable cause
• Asking you to verify information
• Responding to a question you did not ask
• Using fear tactics – threats or intimidation
• Offering you something too good to be true

How to protect yourself against a social engineering cyber attack 

When it comes to protecting yourself and your business against cybercrime, you need to remain vigilant and think before you click.

Training

Ensure that your staff are up to date with the latest cyber training, implementing measures to ensure it remains at the forefront of their minds. If you have a near miss, let people know about it.

Anti-virus software

While it doesn’t make you immune to a cyber-attack, it helps to create an extra barrier of defence with well-reputed anti-virus software. Look at setting your spam filters to high – although keep an eye on your junk mailbox to ensure nothing legitimate slips through the net!

Check the sender

Encourage your staff to always check the source if an email seems suspicious. As well as checking the email address itself, recipients can hover over links (don’t click them!) to see where they lead.

Simulate social engineering events  

It’s hard to know how you’re going to react to a social engineering attack until it happens. That’s why it’s a great idea to send test emails to your staff to see what they would do. Use this as a learning tool to educate them on what they should do if a real risk presents itself.

Monitor your digital footprint

Some of us tend to overshare on social media, giving hackers ammo to hack into our devices. But have you considered what you’re sharing outside of these platforms? For example, if your CV is online – are your address and phone number on this? Not to mention your old schools, interests… the list goes on. Think twice about what you share online. 

Get Cyber Insurance

Despite nearly 40% of all UK businesses reporting at least one cyber attack in the last 12 months, businesses are still not taking the threat of cyber attacks seriously enough. Now, the Government are urging businesses to take steps to improve their digital resilience. Cyber Insurance is designed to protect your business in the aftermath of an attack, including investigation, data recovery, loss of income, reputation management and more. To discuss how you can better protect your business with dedicated Cyber Insurance, give Watkin Davies Insurance Consultants Ltd a call on 02920 626 226.