Friendly conversation or something more? The techniques of social engineering

Social engineering is an umbrella term describing a variety of psychological tactics used by criminals to trick people into giving away important information. They can be used to steal money, commit crimes such as blackmail or much worse.

We asked the experts at UK NACE to give some advice on how to identify some of these tactics and avoid falling victim to them.

Who is at risk

Attackers can be difficult to spot; they often seem very genuine, and they try to catch people off guard. They’re constantly evolving their tactics and finding new ways to obtain information, so anyone can be vulnerable to a social engineering attack.

Their tactics are often digital and in-person. Phishing and friend requests on social media are common digital tactics, while shoulder surfing, the cold approach, tailgating and overt access are all types of in-person tactics (read on to hear more about these approaches). Luckily, there are some common signs to look out for which can help to identify them.

Digital tactics

Digital tactics come in many forms including email, text message, phone calls and social media. In a technique known as phishing, a scammer sends a request to the victim using a fake identity that looks legitimate.

A typical request is to click on a link or give away personal information.

On social media, a scammer might set up a fake profile pretending to be from a recruitment agency or friend, offering opportunities in exchange for information about your employer.

A tell-tail sign of a digital tactic is pressure. A scammer may insist that something is urgent or threaten repercussions if an action isn’t taken.

It’s important to always ask yourself the following questions before clicking on a link or replying to a message:

• Are you being pressured into something?
• Does the profile or sender look authentic?
• Are you expecting a message or call like this?
• Is the logo blurry or pixilated?
• Is the message claiming to be from an official sender?
• Are there any spelling mistakes?

If the answer is yes to any of these, it could be a digital attack.

In-person approaches

There are a few in-person techniques that scammers use to either coerce you into giving away information or giving someone access to a restricted area.

They’re designed to catch you off-guard, and you may not realise that the activity is suspicious until after it’s happened. That’s why it’s important to know what the techniques are, so you can recognise the signs.

Shoulder surfing is a well-known technique, typically used in public, where someone reads what’s on your screen from a short distance away. If you’re looking at personal or sensitive information online in public, you should consider buying a privacy screen.

Shoulder surfing can happen in the office too, so wherever you are, always lock your screen before walking away from it.

In a method known as the cold approach, an attacker will engage in a genuine, friendly conversation to get the victim’s trust before asking questions about someone’s job, place of work, department, or organisation. If you are in this situation and suspect someone is using the cold approach on you, change the conversation or politely walk away.

Sensitive information shared outside of any organisation could be damaging to security or brand reputation. It could also make you vulnerable to blackmail.

To gain access to a restricted area, a common technique is overt access, where an attacker will impersonate a technician or engineer to get passed security.

They might also tailgate someone, swiping a fake access card very closely behind the person in front, or pretend to be in a hurry.

Tailgating and overt access techniques are often used to inspect a target location as part of a wider plan or install a ‘quick plant’ device containing a hidden camera.

What can we learn?

There are a few things you can do to protect yourself from a social engineering attack.

Familiarise yourself with the tell-tale signs of a digital attack and if suspicious, don’t click on any links.

When engaging in conversation in person and online, think about the situation you’re in and if anything seems unusual. Don’t share anything that may compromise you or your organisation.

Consider purchasing a privacy screen for your devices and never leave your screen unlocked.

At work, if you feel safe to do so, challenge anyone not wearing a pass and report any incidents to your security team.