Social engineering is the act of manipulating and taking advantage of the weakest link in any organisation’s IT security defences: people. It is also sometimes known as “people hacking” and involves maliciously exploiting the trusting nature of human beings to trick people into performing actions or divulging confidential information such as passwords and PINs. The person or group behind the act will commonly use social pressure, deception or threats to influence a person into doing something against their own interests. Social engineering is not hacking. Hacking involves the use of computer technologies to gain unauthorised access to systems and networks. Students sometimes use the term ‘hacking’ when, in fact, they have shared their password. Here are some examples of social engineering:
- “Support personnel” who claim they need to install a patch or a new version of software on a user’s computer, talk the user into downloading the software, and then obtain remote control of the system.
- “Vendors” who claim they need to update the organisation’s accounting package or phone system, ask for the administrator password, and then obtain full access.
Here are some ways to protect yourself and your organisation against social engineering:
- Set strong passwords and PINs for all devices and accounts
- Use two-factor authentication to secure all online accounts
- Never give out passwords, PINs or other confidential information to anyone
- Treat unsolicited emails with scepticism
- Review account activity on social media and other apps regularly