Social engineering is a non-technical method of intrusion used by cyber criminals that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
Typically, the aim is to trick people into opening malware-laden email attachments or divulging sensitive information that can be used to steal information and credentials to commit fraud.
The harvesting of account and login information is known as phishing and can happen through fake emails, phone calls, texts or social media posts.
Phishing attacks frequently involve piecing together information from various sources, such as social media and intercepted correspondence, to appear convincing and trustworthy.
The most common themes for contacting potential victims are an update to BT account details, an iTunes invoice and a tax refund.
Other themes include Tesco vouchers, Apple ID, accident injury claims, invoices, suspended bank and credit card accounts, and Sky services upgrades.
According to the government-backed GetSafeOnline campaign, cyber criminals have become increasingly sophisticated in their attacks, with more than 95,500 phishing scams reported in the 12 months up to October 2015.
Research by GetSafeOnline reveals that 26% of victims of online crime have been scammed by these types of social engineering emails or phone calls.
According to the research, 29% of reported phishing emails contained a potentially malicious link that could infect a victim’s computer with malware, 17% requested a reply and 15% requested personal information.
The research notes that although the number of emails with malicious links is decreasing, requests for money transfers are on the rise.
In response to these findings, GetSafeOnline has launched an advertising campaign to warn of the dangers of social engineering, in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police, anti-fraud organisation Cifas and Financial Fraud Action UK (FFAUK).
Tony Neate, chief executive of GetSafeOnline, said social engineering is becoming ever more targeted and personal.
“What is worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic,” he said. “If we get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demand that we act urgently, it’s almost like the perfect storm.”
The newly-launched advertising campaign aims to encourage people to think twice before they act and not to let panic override common sense.
The campaign highlights the importance of having strong passwords or pass codes to secure devices, and ensuring that all software and apps are up to date.
Research shows that email is the most popular channel for phishing, accounting for 77% of all reported incidents, followed by phone calls, making up 12% of incidents.
Commander Chris Greany of the City of London Police said social engineering is increasingly being used by criminals to prey on people’s personal and financial information.
Unsolicited phone calls
“We urge everyone who receives unsolicited phone calls, texts, emails or letters to ignore them and never enter into a conversation with someone that you don’t know online or over the phone. If you are contacted in this way, it is likely that you are being targeted by a fraudster who is simply looking for ways to exploit your personal and financial details,” he said.
Greany said any suspected fraud should be reported to Action Fraud, the UK’s national fraud reporting centre, by calling 0300 1232040 or by visiting www.actionfraud.police.uk.
Raj Samani, chief technology officer at Intel Security Europe, said that although the statistics are concerning, they are not surprising. Cyber criminals are becoming increasingly savvy, he said, and it is important for everyone to understand the reality of the threat.
“Recent research from Intel Security exposed price points for stolen data bought and sold in cyber criminal marketplaces,” said Samani. “It found that the average estimated price for stolen credit and debit cards is $20 to $35 in the UK.
“Brits must be wary of unexpected emails, even if they are cited as being from a brand they are familiar with. Think twice before acting. Call up your bank directly if you are concerned about anything before taking action. We have to make sure we stay one step ahead of the cyber criminals and caution is the best way forward here.”