COVID-19 Cyber & Fraud: Social Engineering

COVID-19 Cyber & Fraud: Social Engineering

This advice has been collated by East Midlands Special Operations Unit (EMSOU) to raise awareness among businesses and the public.

If you require any further information, assistance or guidance please contact the EMSOU Protect Team EMSOU Protect Team or your local Force protect team.

Today’s topic is ‘social engineering’.

We often hear about the attacker who uses technical expertise to infiltrate computer systems and compromise sensitive data, prompting organisations to invest in new technologies that will bolster network defences.

However, there is another type of attacker who uses different tactics; they are called “social engineers” because they exploit the one weakness that is found in every organisation: human psychology. Using phone calls and other media, these attackers fool people into handing over sensitive information.

An example of social engineering

Secure Network Technologies were hired by a credit union to assess their vulnerabilities and conducted an experiment. Twenty flash drives, containing a Trojan virus, were left in the car park and other areas nearby. Once plugged in they collected passwords. Fifteen of the drives were found and plugged in by employees and the data started immediately flowing.

Increasingly sophisticated social engineering attacks can fool employees into divulging sensitive information or granting access to the wrong people. Here are a few of the most common social engineering techniques to be on the lookout for.

Phishing

Phishing uses a fake email from a third party to trick them into clicking on a link or providing sensitive information.

Vishing

Vishing uses the phone instead of email. Scammers ask for personal information such as date of birth, address, financial information, etc.

Can you always trust who is on the end of the line? When in a conversation with someone you don’t know, before answering a question make sure they need to know the information that they’re asking about.

Pretexting

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and manipulate victims.

Don’t get caught up in the story being told. A sense of pressure should be a red flag. Ensure that staff know what procedures they must follow e.g. urgent request to transfer funds.

Baiting

Received an email or text with the promise of a voucher for a free coffee or discount at a local store – what could possibly go wrong?

Unsolicited emails containing links should always be treated with suspicion and make sure your anti-virus is up to date.

Tailgating

Tailgating is used to gain access to a secure building by blending in and making you think that the hacker truly belongs there. Workmen wearing hi-vis often pass unnoticed in the work environment, why would they be there if they didn’t need to be?

Educate staff to be on their guard. Look for ID and passes and encourage staff to ask strangers in the workplace who they are there to see.

What do we know about you?

Serious social engineers, will do deep background searches and reconnaissance on their targets before moving. This includes both verbal communication and social media like Facebook or Twitter.

Be aware of the information you are giving out and your digital footprint. Review your privacy settings.

Hot topics

Text messages are being sent to recipients, purporting to be from HMRC, advising they can get a tax refund of up to £400. The text features a link to a fake government website where the recipient can determine whether they are eligible for a refund.

Local reports have identified a phishing text message purporting to be from DVLA with a link to claim vehicle tax refund.

Individuals are sent to a fraudulent looking .gov website asking for personal details including NI number, driver license number, mother’s maiden name, debit card and bank details.

Another scam involves phishing attempts claiming to be from the UK Business Advice Bureau, offering government grants up to £25,000, aimed at small businesses. The email contains a telephone number, email address, and business address.

Emails like this can be forwarded to the NCSC for action – report@phishing.gov.uk Reports have been received of victims getting automated calls in which they were told that masks needed to be worn when leaving their residence and to press 1 to purchase one.

Reporting

Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk.

Share this news story:

Other News

08-10-2024
Fears of Capital Gains Tax rise pushing UK farmers toward exit, warns leading expert

Agriculture expert warns that 10% of farmers could retire this month amid fears of tax rises and subsidy cuts

Read More
07-10-2024
Dementia care scheme in Scunthorpe opens doors to public

Myos House (Ongo’s dementia care scheme) in Scunthorpe is opening its doors on Thursday 10 October between 12-5pm to the pu...

Read More

Join our ever-growing membership base

Become a member
Our Patrons