Why you should get savvy about social engineering

Everyone knows about a scam that they or someone they know, has fallen for. Although we understand by using the internet and digital services, we run the risk of being targeted by cyber criminals, many organisations don’t know where to start.  

Attacks which use social engineering can cause harm and it is important to understand what they are and how to spot them.  

In this article, you can find out how you can protect yourself and your business from social engineering, especially phishing.  

What is social engineering?

These scams are usually based on what we call “social engineering” attacks, which is a broad term for techniques to trick someone into doing something they wouldn’t normally do, so an attacker can gain information or access computer systems to commit crime.  

The most common form of social engineering is phishing.

Email is the ‘front door’ for most organisations. Attackers know that most people receive so much email about so many different topics, even the most cyber-aware employees can let their guard slip from time to time.   

How to spot phishing emails and deal with them

Phishing refers to fraudulent or fake emails, designed to trigger an emotional response to impair someone’s decision-making.

Under pressure, they are more likely to reveal information such as a password or even be tricked into doing something they wouldn’t normally.  

Phishing attacks usually happen via email but can also be through text messages, WhatsApp, or even phone calls.

Regardless of how or where they happen, having the knowledge and confidence to spot phishing attacks is important to protect you and your business. 

Under pressure  

An attacker using phishing or other social engineering techniques is seeking to make someone feel emotional or under pressure and may claim to be a reputable source.

Your employees should always be cautious if there is a sense of urgency, or if they are being asked to do something they wouldn’t normally do such as login in a different way or transfer money.  

Criminals may use online resources such as LinkedIn to learn about employees and your organisation and tailor their phishing emails to appear legitimate.

It is common for phishing emails to appear as if they are internal emails or ‘spoofed’ to appear to come from a known source, such as a business contact.

On first glance, the email addresses will match, but there may be a character out of place, or the details of the sender may reveal an alternative, anonymous address. 

Common themes that are used in scams can include: 

• Asking the victim to use their business credentials to login via a webpage to access something, such as a file that has been shared. 
• Asking the victim to download and install an important update, such as a security patch. 
• Collecting a prize or some other unexpected financial gain. 
• Scare tactics such as an overdue invoice and the threat of turning off a service. 
• Requests to donate to a charitable organisation, often following a humanitarian crisis such as an earthquake. 
• Open email attachments, which can be hiding viruses or malware.

The best way to protect against phishing is to make sure your employees know to expect it and know where to report it.

Remember, there is no such thing as over-reporting. Far better to hear about nine false positives but catch the one malicious email.  

Real-world examples are also powerful. If someone reports a phishing attempt then this can be shared with everyone to both highlight the threat and celebrate someone’s vigilance in reporting it.  

What you should look out for  

While a phishing attack could come at any time, attackers also use current events and seek to capitalise on external contexts.

For example, there is always an increase in attacks around public holidays, elections, natural disasters, health scares, or any other major national or international event. 

Although it can feel worrying for employees, you can reduce their uncertainty by letting them know they can report anything they are unsure about and if in doubt, ask.  

Some specific things you can highlight to people in your organisation are: 

• Unsolicited emails, phone calls, or text messages that ask for information.  
• Communications, by email or text, that do not include your name, a return address, and include poor grammar, inconsistent spellings, and layout.  
• Suspicious attachments—an email that asks you to download an attachment is a common way that a cyber criminal may gain access to your system. 

If in doubt: 

• Never provide personal information or information about your organisation unless you are certain of who you are talking to.  
• Never provide personal information in email or click on links sent in an email.  
• If you are ever unsure, contact the company directly to verify it. 

What to do if you or one of your employees has been a victim of a phishing attack

If you suspect that you’ve responded to a phishing scam with personal or financial information, take these steps to minimise any damage:  

1. Report it to your IT team and they or you can change the information which has been revealed. For example, change any passwords or PINs on the account or service that you think might have been compromised. 

2. If the details are for an external service, then contact the relevant the service provider directly. 

3. Routinely review your bank and credit card statements for unexplained charges or enquiries that you didn’t initiate. 

4. Contact the authorities. In the UK this is Action Fraud but most countries will have a similar reporting service.  

Receiving counterfeit emails that appear to be from Sage 

If you receive an email that appears to come from Sage but makes you suspicious, then please report it to us. To safely report the email you suspect is counterfeit, without opening any attachments or replying to the email, please do the following: 

• Create a new email > attach the email you suspect is counterfeit > send the email to [email protected]. 
• Alternatively, forward the email to [email protected]. 

Note: Sending the counterfeit email as an attachment is the best way to preserve information which will make it easier for us to trace its origins. 

Key takeaways  

• Employees should know there’s no such thing as over-reporting when it comes to phishing. 
• Anything that makes someone feel nervous, anxious, under pressure, or emotional means they should proceed with caution. 
• Set strong passwords for personal email and work email.
• Enable 2-Factor-Authentication or 2FA on all accounts. 

Final thoughts 

As more services move online, it is becoming increasingly important to empower yourself and your employees with cyber security knowledge, and what you and they can do to protect your business.  

In our Trust and Security Hub, you can explore essential advice on how to be secure at home and at work, before incidents occur.