Social engineering is the act of manipulating and tricking unsuspecting victims into sharing confidential and/or sensitive data. Social engineering attacks typically rely on psychological manipulation, using emails and other communication channels to provoke fear, urgency, or similar emotions in the victim. These attacks can take place both online and away from the victim's computer, for example by phone or in person. Give yourself an immediate cybersecurity boost with these tips.
What kind of social engineering attacks are there?
- Phishing. Phishing is a cybercrime in which attackers disguise fraudulent emails and websites as legitimate ones so that you click a link or open an attachment and are tricked into entering sensitive information (e.g. personally identifiable data, usernames and passwords, or banking information).
- Other phishing variants. Malicious actors also use more targeted phishing methods: spear-phishing (a phishing attack that impersonates specific individuals or organisations), whaling (a phishing attack that impersonates senior executives or other high-profile targets within a company), vishing (a cybercrime carried out over voice calls to gain access to sensitive information), and smishing (a cybercrime carried out via SMS messages to gain access to sensitive information).
- Baiting is the act of attempting to trick victims into supplying sensitive information in exchange for a gift or an otherwise enticing offer.
- Quid pro quo attacks manipulate unsuspecting victims into sharing sensitive data in exchange for a benefit or service (unlike baiting, which typically offers a gift).
- Pretexting manipulates victims using carefully constructed and credible scenarios designed to build a false sense of trust.
- Tailgating attacks involve following (or ‘piggybacking’) employees into areas to which the attacker has no legitimate access privileges.
How can I avoid a social engineering attack?
- Remember that nobody at the University of Derby should ask you for your usernames, passwords, or sensitive personal information.
- Be vigilant against phishing emails and the different kinds of phishing-based attacks.
- Only enter sensitive information into websites or applications you are sure are legitimate; check the address before you type.
- Consider if an offer you've received is too good to be true.
- Challenge requests to access sensitive information by asking requesters to verify their identity.
- Challenge attempts to tailgate onto University premises by asking people to verify their identity.