What is Social Engineering?
Social engineering is defined as the “psychological manipulation of people into performing actions or divulging confidential information”. It is a form of manipulation used to deceitfully gain access to another person’s valuables, whether tangible or intangible.
In the context of cybersecurity, social engineering can be defined as an attack vector that relies on human interaction and often involves manipulating an individual into breaking cybersecurity procedures to gain unauthorized access to systems, networks, or private personal data.
According to the Singapore Computer Emergency Response Team (SingCERT), the following are the most common social engineering techniques:
1. Phishing / Spear Phishing. This is usually carried out by cybercriminals who send emails with malicious links or attachments that bear the distinctive trademarks of an organization to make them appear legitimate. The aim is to gain the trust of unsuspecting victims so that they fall into the attacker’s trap.
2. Pretexting. Here, the cybercriminals focus on creating a detailed fabricated scenario to steal the victim’s information. They usually come up with a story to trick the unsuspecting target into believing they need information to verify the victim’s identity. They do this by impersonating a government agency, bank personnel, or even an IT help desk, so that the request for the victim’s personal information appears legitimate.
3. Baiting and Quid Pro Quo. Here, the cybercriminals exploit the victim’s curiosity, for example with access to confidential information about major events, the promise of a reward or benefit, or freebies and gift certificates, to entice the unsuspecting victim into giving up their valuable information.
According to SingCERT, 1 in 4 companies fell for business email compromise scams, which involve initiating or intercepting communication involving an employee who can release funds or conduct wire transfers. In the past year, Singapore has been targeted the most across Southeast Asia.
How can businesses and individuals protect themselves from social engineering attacks?
To address this situation, the Monetary Authority of Singapore issued a set of guidelines that aims to protect users of electronic payments from fraud, errors and security threats, as part of Singapore’s cashless push. However, as these incidents continue to happen, how can individuals and businesses prevent them? Here are four (4) ways businesses and individuals can protect themselves from social engineering attacks:
1. Awareness Campaigns. Companies must see to it that all employees, especially those who are responsible for payment transfers, are aware of the risk, importance, and presence of such scams employed by cybercriminals.
2. Establish an internal process for transferring payments. Companies must have a system when it comes to transferring payments. A step-by-step process must be followed to further verify the recipient and to avoid loss.
3. Training for accountants. Those who handle transfers should have ample training and knowledge in verifying payment credentials. They must also have a system to follow in case of suspicion about persons who claim to be a CEO or the legitimate recipient.
4. Prepare a worst-case scenario protocol. In the event of a successful social engineering scam, the security team must have the necessary steps ready to avoid further losses.
Businesses and individuals must be vigilant in spotting potential scams among those who request payments. One must be diligent in making sure that the payment credentials are legitimate, or else bear the loss of being one of those unsuspecting victims. Social engineering scams are rampant nowadays, and there are documented cases that companies must learn from. It is in their hands to learn from these past mistakes to avoid becoming part of a statistic.