Cymraeg

What is Social Engineering?

When talking about online safety and security, ‘social engineering’ means the act of manipulating or tricking people into certain actions including divulging personal or financial information … a kind of confidence trick. Social engineering exploits human nature and often plays on victims’ willingness to be helpful, or please others. It is a factor in many types of fraud.

Examples of social engineering

  • Responding to a fraudulent email claiming to be from your bank or credit card provider, a government department, a membership organisation or a website you buy from, telling you that you need to follow a link to supply some details – typically a password, PIN or other confidential information. This is known as phishing.
  • Supplying details to a fraudster who has phoned you claiming to be from your bank or credit card provider, or from the police and telling you there is a problem. They ask you to confirm confidential information in order to solve the problem. This is known as vishing. A variation of this is the OTP (one time password) scam, where a caller pretending to be from a bank or other trusted organisation requests a one time password which you have been sent, which they then use to make a fraudulent transaction. Some fraudsters may even despatch a ‘courier’ to collect payment cards or other records from you, known as courier fraud.
  • Receiving a phone call from somebody claiming to be a legitimate support agent for your computer or software, and telling you that you have a technical issue. They sound genuine, so you give them your login details which can result in fraud or identity theft. Alternatively you permit them to take over your machine remotely, resulting in them infecting it with a virus or spyware. People claiming to be from ‘IT support’ in your business will normally request your password in order to infiltrate company systems and data.
  • Picking up and inserting in your computer a USB stick, memory card, CD-ROM/DVD-ROM or other storage medium that has been deliberately left for you to find, or is given to you. The device contains malware – for example virus or spyware. This is known as baiting.
  • In your home or at work, inadvertently granting a criminal physical access to your computers, server or mobile device.

How to avoid social engineering attacks

  • Never reveal personal or financial data including usernames, passwords, PINs, or ID numbers.
  • Be very careful that people or organisations to whom you are supplying payment card information are genuine, and then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or phone call.
  • If you receive a phone call requesting confidential information, verify it is authentic by asking for a full and correct spelling of the person’s name and a call back number.
  • If you are asked by such a caller to cut off the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card – and not one given to you by the caller, nor the number you were called from.
  • Do not open email attachments from unknown sources.
  • Do not readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the text of the link from the email.
  • Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into your computer if you are not certain of the source, or just because you are curious about their contents.

Watch our video about fraudulent emails

You wouldn’t get certain types of emails from your bank, card provider or the police. So STOP & THINK before you become the victim of a scam.

Watch our video about fraudulent phone calls

You wouldn’t get certain types of phone calls from your bank, card provider or the police. So STOP & THINK before you become the victim of a scam.

Watch our video about fake computer support calls

If a computer company calls to tell you that there’s a problem with your machine, it could be a scam. So STOP & THINK before you become a victim.

If you’ve experienced cybercrime, you can contact the charity Victim Support for free and confidential support and information.

 

See Also...

In partnership with

Jargon Buster

A Glossary of terms used in this article:

Identity theft

The crime of impersonating someone – by using their private information – for financial gain.

PIN

Personal Identification Number.

Social engineering

Use of deceit offline to gain access to secure systems or personal information, for example impersonating a technical support agent.

USB

Universal Serial Bus: a means of physically connecting computers and peripherals such as external storage, keyboards and MP3 players.