Social Engineering - Part II

Chris Cassell, Technical Team


Being Helpful

You’re a nice person. I have faith in that. So do the people that I’m telling you about.

Have you ever answered the phone to someone who doesn’t quite know who they want to talk to? They know the role, they offer a smattering of names, and you helpfully correct them?

“Your IT Manager? It’s Steve, no John? We met at a trade show and I’m just trying to catch up with him over something we discussed about some discounted kit.”

You, being a nice person, provide the name, the mobile phone number and the e-mail address, because you’re being helpful. That person then takes the information and crafts a cunning spear-phishing e-mail. They send it around your company and it appears to come from your IT manager: it carries their name, it comes from their e-mail address, and it asks recipients to do something terribly reasonable, considering the source it comes from.

It lets the criminals in where a normal, vague message with no suitable identifying characteristics wouldn’t fool anyone.

Countering Social Engineering

It’s a terrible thing to have to say, but in the modern world, to truly protect yourself you have to start to trust less and question more. While social engineering is a very insidious threat, there are some basic steps you can take to defend yourself and others.

  • Avoid sharing too much sensitive information on public websites. Don’t post anything you’d ever use as a security question. Don’t post your full date of birth anywhere. Avoid linking yourself to other people or events that can build a complete picture of your life in one place.
  • Never trust phone calls you receive. If your bank, the police, your phone company etc. calls, tell them nothing of any sensitivity. They never need to ask for your passwords for anything. To be extra safe, take their name, hang up and call them back on a number you locate yourself for the organisation; never use a number they provide. If you do that from a landline, make sure you hear a dial tone before dialling, in case they keep the line open and you end up on the same call without realising it.
  • Never give out your own or someone else’s personal details without knowing exactly who is asking and why. It is never unacceptable to say “Let me have your details and I’ll pass you on to the person in question.” If they don’t know the name of the person they want, don’t offer it. If they were supposed to be talking to them, they’d know.
  • Implement two factor authentication for everything you can in your life. There are many free solutions to achieve this in most cases and it means that someone has to steal a physical item as well as just information before they can infiltrate your accounts.
  • Realise that you have a part to play in your own security and that of others. Be mindful, never let anyone rush you in any conversation about anything sensitive. If you feel you are being asked anything too personal, politely and firmly refuse. Criminals like easy targets. When you defend yourself they will look for easier targets.
  • Use common sense, but don’t be afraid to bounce your worries off someone else. If a caller pushes and you are concerned, put them on hold and run through the conversation with a colleague; you may find that even expressing it gives you your answer. Most people without legitimate cause will hang up if they think you are growing suspicious and put them on hold. It’s a good sign you were right.
  • Never select passwords that have anything to do with your personal life at all. Make them random, or better still use a password manager that automatically generates new passwords. With a decent integrated system you don’t even need to know the password yourself, so you can never accidentally give it up.