Cyber threats come in all shapes and sizes. Some are complex, requiring the installation of additional software, or the hiding of malicious code masquerading as something legitimate, like an aptly named Trojan Horse. Others can be the product of a supply chain breach and the delivery of hostile, modified hardware. And some simply rely on the goodwill of their victims, like social engineering techniques that require just the click of a button for havoc to break loose on one’s device. The latest ‘Cyber Insider’ article will focus on the idea of ‘one click’ threats by discussing what they are, how they work and how we can best protect ourselves from the dangers they present.
What is Social Engineering?
As human beings we’re naturally inquisitive and willing to help. As a result, we’re very easy to predict and, in many scenarios, this can be a good thing. Who hasn’t asked a friend, family member or colleague for help in times of need? However, in the world of cyber, this predictability leaves us vulnerable to threats, in particular social engineering.
Social engineering is a manipulation technique that banks on these most common of human characteristics. It is the backbone for a number of the cyber threats we regularly face including phishing, social networking, and telephone scams. And whether it be an email, text or tweet, this technique often prompts the user to carry out a specific action, such as the click of a link or the downloading of an attachment, unleashing malicious software in the process. You can learn more by watching the recently released Cyber Confident Social Engineering video.
Emails are a part of everyday life. Time is precious, and in the fast-moving world of Defence, where emails come and go in regular fashion, we’re spending less time checking and more time doing. As a result, we’re becoming increasingly vulnerable to the threat of phishing.
Much like the name suggests, phishing involves hunting. Unlike the popular pastime, however, this type of hunting relies less on fish and more on the collection of our personal data and information. Most commonly in the form of emails, social engineers construct carefully worded correspondence masquerading as trustworthy sources, luring us into clicking a link, opening a PDF file or a similar attachment. And as the title of this article suggests, one click is all it takes. Once clicked, these expertly designed traps are able to release malware onto our devices.
Not limited to emails, phishing also occurs via social media posts and short message service (SMS) messages. The plan, however, is always the same: social engineers trick us into making the fatal mistake of clicking something dangerous.
You can learn more about phishing by watching the Cyber Confident Phishing video.
Much like emailing, social networking has become a daily ritual for many. Whether we’re chatting with friends, watching videos, or updating our followers on what we had for lunch, it has become an important part of everyday life. A fact social engineers know only too well.
Social networking provides numerous ‘ins’ for social engineers. Some users have been targeted with messages pretending to be from friends or relatives with tales of woe asking for financial donations via an external website. Others have had their public information, such as their likes and interests, used against them, allowing for the creation of targeted, malware-laden messages.
Clicking on these infected messages, tweets, or links can have a devastating impact on our devices and leaves our personal information at risk.
We’ve all received spam phone calls from sales teams, insurance companies or the infamous ‘This is HMRC…’ You might be sitting there thinking these are all obvious traps, and generally speaking, you’d be right. However, this doesn’t mean that some of us haven’t fallen for this social engineering technique.
In contrast to the previous two threats, the social engineering method of telephoning involves victims being contacted directly over the phone. The aim of these interactions is to persuade us to carry out tasks, whether it be visiting a website, downloading a document, or carrying out updates, in order for dangerous malware to be deposited onto our devices.
Following these instructions and clicking on these potentially harmful links can send shock waves running through our digital systems.
So how do we stay safe and avoid becoming a victim of social engineering? The obvious answer here would be not to click on questionable links, download unrecognised attachments, or respond to strange messages. However, these social engineering techniques are designed to be convincing and manipulative, and their creators are banking on your inquisitiveness and goodwill to lure you into a ‘one click’ cyber trap. So even if we follow all of that advice, how are we to tell truth from lie? With that in mind, think over these quick tips before you click on anything:
- Know your spam: Despite becoming increasingly convincing, spam emails commonly share characteristics. Proofread for obvious spelling mistakes and check the sender’s information, including their email address and signature. If you’re still not sure, you can always send the email to SPOC-Spam as an attachment and then delete it from your inbox.
- Be vigilant of links and attachments: Social engineers, as we have discussed, can harvest huge amounts of personal and sensitive information from the click of a button. Make sure you hover your cursor over any links or attachments to reveal where they really lead before you click.
- Review the request: Legitimate organisations wouldn’t request sensitive information via email or telephone. Always ask yourself: is the sender really who I think it is?
- Review privacy settings on social media: Don’t provide social engineers with the ammunition they need by exposing personal information such as phone numbers, PINs, and ID numbers on your social media profiles. Review your privacy settings and make sure your friends are the only ones who can see what you’re sharing and who can message you. Familiarise yourself with Cyber Confident’s ‘Prevent Checklist’ to help ensure your social media pages are secure.
- Don’t speak to strangers: If you don’t recognise the originator of a request, whether it be an email, phone call or social media message, do not respond. You should never reply directly to suspicious communications. Instead, make sure you report the sender to the organisation they’re masquerading behind immediately.
Are you doing everything you can to remain protected online? To help you answer yes to this question, read the Cyber Confident Protect Checklist 2022, and learn more about the steps you can take to ensure cyber security. We would also recommend watching the videos on Social Media and Online Gaming, produced by the Cyber Confident team in October.
Remember, one click is all it takes. If you’re suspicious, don’t click.