Social engineering is the art of manipulating people into performing certain actions or divulging confidential or personal information (often against their better judgement). While it is similar to fraud, social engineering relies heavily on human interaction and typically exploits human psychology through deception.
Phishing – a form of social engineering
Social engineering has many faces and attacks can arise from a variety of sources. The technique fraudsters use most commonly is phishing: unsolicited email, phone or text messages sent to unsuspecting victims to influence them to perform an action or divulge personal or confidential information. Some typical phishing scenarios involve:
- being contacted by someone claiming to represent a reputable and trusted source – for example, a service provider, financial or banking institution, or retailer wishing to confirm your account details
- receiving an email in which you are requested to click on a link or open an attachment to verify or update your personal information
- receiving a notification informing you that you have won money in a competition, lucky draw or lottery, but that you have to provide your banking details for your winnings to be paid out.
Social media and social engineering attacks
Social engineering attacks have grown both more frequent and more sophisticated. The popularity of social networking sites such as Twitter, Facebook and LinkedIn has also opened an entirely new avenue for social engineering scams: fraudsters build convincing fraudulent profiles on these sites, or imitate a legitimate user's profile, and pose to their intended victims as a friend, a past or present colleague, or a distant or long-lost relative.
How to protect yourself from phishing and other social engineering tactics
We are not entirely helpless against this threat. The following measures can prove invaluable in mitigating the risk of social engineering and help keep you safe:
- Do not, under any circumstances, open emails, links and/or attachments from suspicious sources. Remember that sender addresses can be spoofed: a message that appears to come from a trusted source may not come from it at all.
- A good rule of thumb with all forms of unsolicited communication is to always exercise extreme caution. Be sceptical and take a moment to reflect on why you were contacted.
- Think carefully before opening an attachment, clicking on a link or responding to any SMS, voice message or email received from an unknown source.
- Follow your instincts and better judgement. Do not be flattered or bullied into complying with requests and do not fall for impressive titles, credentials and testimonials as these could be fabricated.
- Only extend or accept invites on social media sites from people (or entities) you know and trust based on your personal knowledge and experience.
- In instances in which you are unsure or where any suspicions arise, independently research the claims being made and confirm their legitimacy directly with the source, using a contact channel you already know to be genuine (for example, the number printed on your bank card) rather than a phone number or link supplied in the message itself.
- Never divulge your personal information (such as identity numbers, bank account details, usernames or passwords) in response to an unsolicited request. Legitimate institutions do not ask for passwords or PINs by email, SMS or phone.
- Resist the urge to ‘overshare’ private or personal information on social media platforms or online. Be warned that fraudsters collect information ahead of time and their attacks may seem genuine once armed with this material.
- A communication notifying you that you have won a competition, lucky draw or lottery that you did not enter is almost certainly a scam.
- Educate yourself. Keep abreast of the latest scams doing the rounds and warn your family and friends.
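The advice above says that sender addresses can be spoofed and that links should be treated with suspicion, but does not show what those tells look like inside a message. The following script is an added example (not part of the original article) that inspects a constructed phishing email and reports the most common spoofing indicators: a Return-Path or Reply-To on a different domain from the visible From address, a failed SPF or DKIM result in the Authentication-Results header that the receiving mail server added, a display name that carries a different address from the real one, and a link whose visible text names one site while its href points to another. The sample message, its domains and the simple "last two labels" notion of a registered domain are all assumptions made for the example; real tooling would use a public-suffix list.

```python
"""Report common spoofing tells in a suspicious email (added example, not from the article)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating a bank notice. All names, domains and hosts are made up.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-updates-center.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-updates-center.example.net; dkim=none
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: <verify@account-review.example.net>
To: <customer@example.org>
Subject: Urgent: confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Please verify your details within 24 hours.</p>
<p><a href="http://example-bank.com.verify-login.example.net/confirm">https://www.example-bank.com/security</a></p>
</body></html>
"""


def registered_domain(host):
    """Naive registered domain: the last two labels (assumption; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def addr_domain(header_value):
    """Domain part of the first address in a header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return a list of human-readable spoofing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name that itself contains an address on another domain ("ceo@real.example <x@evil.example>").
    name, _ = parseaddr(str(msg["From"] or ""))
    from_dom = addr_domain(msg["From"])
    if "@" in name and registered_domain(addr_domain(name)) != registered_domain(from_dom):
        findings.append(f"From display name shows {name} but the real address is on {from_dom}")

    # 2. Envelope sender or reply address on a different domain from the visible From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[hdr])
        if dom and registered_domain(dom) != registered_domain(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 3. Sender authentication results recorded by the receiving mail server.
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")):
        if m.group(2) not in ("pass", "none"):
            findings.append(f"{m.group(1)} result is {m.group(2)} (sender authentication failed)")

    # 4. Links whose visible text names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown = re.search(r"https?://([^/\s]+)", text)
            if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
                findings.append(f"link text shows {shown.group(1)} but href points to {href_host}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print("-", finding)
```

Run against the sample, the script reports four indicators: the Return-Path and Reply-To both sit on example.net while the From claims example-bank.com, SPF failed for the envelope sender, and the link text shows www.example-bank.com while the href actually leads to a host under verify-login.example.net (the real bank name has merely been placed in a subdomain). None of these checks proves a message is fraudulent on its own, and a clean result does not prove it is genuine, which is why the advice above to confirm through a channel you already trust still applies.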