Outsmarting Social Engineering
In cyber security, social engineering refers to a group of techniques used by threat actors to breach systems by targeting people with access to those systems, instead of targeting the system itself. The Canadian Centre for Cyber Security defines social engineering as the practice of obtaining confidential information by manipulation of legitimate users. It is an important threat vector that cannot be ignored.
Social engineering is used to manipulate people into disclosing sensitive information or acting in a way that can compromise their security. What makes it unique is how it leverages human behaviour, emotion, and vulnerability to prey on victims. It exploits human fallibility and baits users into exposing private data, giving access or making changes to their restricted systems and accounts, and/or spreading malware on their computers.
Social engineering definition and examples
Social engineering attacks can happen online (email, social media), by phone (call, SMS), and in person. Common examples include calls from people offering services, texts asking you to click a link to accept money from a person or an organization, and emails from organizations prompting you to update your credit card information after a failed payment. Do any of these sound familiar?
For the Government of Canada (GC), successful social engineering attacks could mean access to massive amounts of personal information and physical damage to the critical infrastructure that the population relies on, including water, energy, healthcare, food supply chains, transportation systems and financial networks. According to a report published by the Canadian Centre for Cyber Security, from January 1 to November 16, 2021, the Cyber Centre had knowledge of 235 ransomware incidents against Canadian victims.
More than half of these victims were critical infrastructure providers. The human factor is not limited to ransomware: Verizon's 2022 Data Breach Investigations Report found that 82% of breaches involved the human element, whether social engineering, error or misuse. When it comes to cyber attacks, people are both the weakest link and the strongest safeguard. Public servants must be aware of these vulnerabilities and ready to take action.
Be the shield, not the open door
Tips to avoid falling for social engineering attacks:
Exercise caution with messages: GC employees are frequent targets. Be careful with any message from an unknown sender. Some messages appear to come from the personal email address of someone you know, such as a colleague, an executive, a friend or a relative. Suspicious URLs, unexpected requests for personal information, and spelling and grammar errors in the message or in the sender's email address can all be signs of a social engineering attack. Always take the time to verify the sender's identity and any request for personal or protected information through a channel you already trust, rather than by replying to the message itself.
Be wary of unexpected calls: Social engineers often use phone calls to get the information they need. If you receive an unexpected call from someone claiming to represent an organization or company, ask for their full name and contact information, then tell them you are busy and will call back later. If you think the call might be genuine, look up the organization's number on its official website, or use another contact method listed there, and call that number rather than one the caller gave you.
Keep your personal information private: Do not share your personal information on social media (with public settings) or other online platforms. Social engineers can use this information to impersonate you, gain access to your accounts and find ways to trick you into providing the data they need to plan a cyber attack against you or people you know.
Be aware of your emotions: With social engineering, attackers will use emotional manipulation techniques throughout their interaction with you. Their tactics seek to induce a sense of urgency, curiosity, fear, guilt, anger, surprise, greed, excitement, or sadness. If you receive a call or message asking you to click on a link or provide sensitive information, remain calm, analyze the situation, check for signs of suspicious activity and always verify the source. This will help you avoid acting out of emotion and taking risky actions.
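Several of the signs in the tips above can be checked mechanically before a reader ever acts on a message: a display name that claims a different mailbox than the real sender, a sender or link domain that imitates a trusted one, link text that shows one address while pointing at another, urgency language, and requests for sensitive data. The following is an added example, not code from the original article or from any Government of Canada tool. The trusted-domain list, the phrase lists and the two sample messages are constructed assumptions chosen to exercise each check.

```python
"""Heuristic checks for the message-level signs listed above. Added example, not from
the original article or any GC tool; trusted domains and sample mail are constructed."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("canada.ca", "gc.ca")  # hypothetical allow-list of the organisation's domains
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")
SENSITIVE_TERMS = ("password", "credit card", "social insurance number", "banking details")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_IN_TEXT_RE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})")

class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats such as canda.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain that host imitates, or None if host is trusted or unrelated. Deliberately
    aggressive (buried name, dashed name, or one edit away all count), so expect false positives."""
    host = host.lower()
    if not host or any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None
    for d in TRUSTED_DOMAINS:
        if d in host or d.replace(".", "-") in host or edit_distance(host, d) <= 1:
            return d
    return None

def parse_from(header):
    """Split a From header into (address shown in the display name or '', real address)."""
    m = re.search(r"<([^>]+)>\s*$", header)
    real = m.group(1).strip() if m else header.strip()
    shown = EMAIL_RE.search(header[:m.start()] if m else "")
    return (shown.group(0) if shown else "", real)

def check_message(raw):
    """Return [(sign, detail), ...] for every warning sign found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    shown, real = parse_from(msg.get("From", ""))
    real_host = real.rsplit("@", 1)[-1].lower() if "@" in real else ""
    if shown and shown.rsplit("@", 1)[-1].lower() != real_host:
        findings.append(("spoofed-display-name", f"shows {shown}, sent from {real}"))
    if lookalike_of(real_host):
        findings.append(("lookalike-sender", f"{real_host} imitates {lookalike_of(real_host)}"))
    # Text of every text/* part, tags included, so the link parser can read them.
    body = "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    links = _Links()
    links.feed(body)
    for text, href in links.links:
        target = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT_RE.match(text.lower())
        if m and m.group(1) != target:  # the URL the reader sees is not where the link goes
            findings.append(("link-text-mismatch", f"text shows {m.group(1)}, goes to {target}"))
        if lookalike_of(target):
            findings.append(("lookalike-link", f"{target} imitates {lookalike_of(target)}"))
    lower = body.lower()
    for sign, phrases in (("urgency", URGENCY_PHRASES), ("sensitive-request", SENSITIVE_TERMS)):
        hits = [p for p in phrases if p in lower]
        if hits:
            findings.append((sign, ", ".join(hits)))
    return findings

# Constructed sample messages, not real mail.
PHISH = """\
From: "Pay Centre paycentre@gc.ca" <billing@gc-ca-payments.com>
Content-Type: text/html

<p>Your last payment failed. Update your credit card immediately or your
account will be suspended within 24 hours.</p>
<p><a href="http://gc.ca.secure-verify.net/login">https://www.canada.ca/en/services</a></p>
"""
LEGIT = """\
From: Pat Singh <pat.singh@canada.ca>

Notes from today are on the shared drive. See you Thursday.
"""
```

Calling `check_message(PHISH)` reports all six signs in order (spoofed display name, lookalike sender, link text mismatch, lookalike link, urgency, sensitive request), while `check_message(LEGIT)` returns an empty list. The domain check is intentionally loose: an unrelated legitimate domain that happens to contain one of the trusted names will be flagged, which is the right trade-off for a triage aid but not for automatic blocking. None of this replaces verifying the sender through a channel you already trust, and a production mail gateway would also consult the message's SPF, DKIM and DMARC results, which this example does not look at.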
Morgan's Mistake
Like Morgan, everyone can be a target of social engineering. So, stay vigilant and remember these signs to protect yourself and your organization from attacks. You can start by learning from Morgan and their peers in the Discover Cyber Security (DDN235) course.