Get Safe Online


Don’t let conmen trick you

Conmen use ‘social engineering’ online

Human beings are often the weakest link in the security chain. Criminals and con artists know this and exploit it. Learn how to spot the tricks they use.

Risks

  • Disclosure of private information.
  • Financial loss.
  • Fraud.
  • Installation of spyware or other software that provides a hacker with a back door into your computer.
  • Being persuaded to shut down security software.

What is social engineering?

Social engineering means using con tricks to persuade people to do what criminals and hackers want them to do or to gain access to a secure network. It is often used in conjunction with computerised attacks.

For example, a fraudster may telephone a victim pretending to be from their bank in order to learn their password.

Fraudsters use the internet to find out about their victims and sometimes even go through their rubbish to add to their information. They can build up an impressively detailed picture from the patient accumulation of small bits of data. This can make them seem even more plausible when they make their move.

How to spot social engineering

Social engineering takes many forms, some subtle and manipulative, some much more blatant. For example:

  • A stranger tries to ingratiate himself, asks for information such as PIN numbers, passwords and credit card numbers, or asks you to do something on your computer, such as installing a program or opening a file.
  • Your rubbish is taken away before the normal bin day or otherwise disturbed.
  • You get an unexpected call, email or visit from a repairman, a technical support person or a fellow employee (especially if the company is big enough that you don’t know everyone who works there).

It’s all about psychology

Social engineers play with human psychology. Their attacks are likely to involve one or more of the following elements:

  • Appeal to greed, fear or scarcity.
  • Authority figures. We are more likely to do something for ‘the boss’.
  • Friendliness. We are much more likely to trust someone we like.
  • People generally want to be helpful and are afraid of confrontation.
  • We don’t like to appear foolish or uninformed but get confused by technical details and tend to be unwilling or unable to check facts.
  • Reciprocity. We often feel obliged to return a favour.
  • Consistency. We generally want to appear consistent and trustworthy, so we tend to behave in ways that are consistent with our earlier behaviour, even if it was foolish.
  • We assume people are telling the truth, so conmen will mix a little lie with a big truth.
  • Social proof: we tend to follow the crowd, rather than appear isolated or foolish.
  • A hook: a naked celebrity or a link to current events.

How to protect yourself

  • Trust your more paranoid instincts. If you think someone is trying to con you, stand back from the situation and take stock. Buy yourself some time if you can; for example, take a number and promise to call back.
  • Shred personal documents before throwing them out.
  • Be conscious of what counts as personal information: bank details, credit card numbers and passwords are obvious, but a fraudster can also make use of trivial information such as where you work or details about friends and family.
  • Take steps to protect your privacy online (see Protect your privacy).
  • Be careful what you publish about yourself online.
  • Check credentials carefully. For example, if someone claims to be working for a lottery company, look up the number in the Yellow Pages and call them and check.
  • Be firm. Conmen can be very persistent and persuasive, playing on human emotions like guilt, greed and the desire to be liked. Stick to your guns.
  • Discuss the problem and set ground rules for family members and, in a business environment, for colleagues.
Copyright (c) 2010 Get Safe Online. All rights reserved.