Social Engineering - If something seems too good to be true, it probably is!
Social engineering is the elicitation of confidential or personal information from individuals or organisations through deceptive or manipulative practices.
One such method used by malicious actors is phishing: an attacker uses an electronic communication (for example an email or SMS) to deceive a user into bypassing security measures. Spear phishing is phishing that is specifically targeted at a particular individual or organisation.
Hostile actors use a variety of tactics and techniques which are evolving all the time. However, individuals and organisations can help to reduce their vulnerability to a social engineering attack by being alert to the social engineering threat when using mobile devices and reminding themselves of the importance of following good security advice at all times.
Carrying out some simple but effective security measures will help mitigate this threat:
- Never reply to messages, click on links or open attachments immediately, even if there is a sense of urgency in an SMS or email, unless you are certain of its authenticity. If in doubt, check with the sender via other means of communication before disclosing any personal or organisational information. A message might appear to come from someone you trust, but attackers are clever at mimicking contacts you know.
- Attackers may know your daily habits or places you go, both physically and electronically, so be aware that this knowledge might be used in a message to convince you it is genuine. For example, posting on social media about a regular visit to a favourite coffee bar could give a hostile an opportunity to use that information for the purposes of social engineering.
- Be careful not to make yourself or your organisation an easy target for hostiles in the first place by putting information in the public domain that would be helpful to a hostile, such as information relating to sensitive projects.
- If in doubt, seek advice from your Security Team first, before replying to messages, clicking on links or downloading attachments.
Finally, remember: trust your instincts. If something seems too good to be true, it probably is.
NPSA has produced a range of guidance, videos and tools to enable both individuals and organisations to mitigate this threat:
- This campaign is designed to provide practical steps that employees can take to minimise online security risks while still making full use of the many digital services available.
- Don't Take the Bait: this guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques.
- Think Before You Link: practical advice on how to identify malicious profiles, how to respond, and how to minimise the risk of being targeted in the first instance.
- NCSC's 'Phishing Attacks: Defending Your Organisation': advice on how organisations can defend themselves against malicious emails that use social engineering techniques.
If you have any queries, please do not hesitate to contact NPSA at [email protected]