Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. This can take a number of forms, the most common of which are known as phishing and spearphishing.
- Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to obtain personal information, such as passwords and credit card numbers. These emails are sent en masse with the expectation that a few recipients will divulge their details.
- Spearphishing is a form of phishing in which an email is sent to a specific individual or company. The fraudster researches the recipient so the email can be targeted at them directly, increasing the chance of success. The email may appear to come from a colleague or known supplier (email addresses can be spoofed) and may contain specific information known to the recipient, such as contact numbers or colleague details. This adds an air of legitimacy to the email and may influence the recipient to supply the details requested.
The research phase of a social engineering attack can happen over many months without you ever knowing, since a longer research phase increases the plausibility of an attack and therefore its success. A victim of phishing is unlikely to know they have been targeted until they identify some kind of loss or data breach, much as a person is unlikely to know they have a virus or malware on their device until it reveals itself or is found by anti-virus software.
We suggest you review the digital footprint of your employees, or your own as a business owner: understanding what other people can see about you, your employees, and how your company operates helps you understand how you might be targeted.
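The spearphishing traits described above (a spoofed sender that looks like a colleague, a lookalike domain, a reply address that goes somewhere else) are the ones a mail gateway or triage script can check mechanically. The following is an added example written for this page, not code from the original text or from any product: it parses a raw message and reports those three warning signs. The internal domain, the colleague directory and the two sample messages are constructed assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation values (assumptions for this example).
INTERNAL_DOMAIN = "example.com"
# Constructed directory: lower-cased display name -> the address it should use.
DIRECTORY = {"alice smith": "alice.smith@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = INTERNAL_DOMAIN) -> bool:
    """True if `domain` imitates `trusted` without being it.

    Covers single-character swaps (examp1e.com), the rn/m trick (exarnple.com)
    and trusted-name-embedded domains (example-com.net, example.com.evil.tld).
    """
    if domain == trusted:
        return False
    if edit_distance(domain, trusted) <= 2:
        return True
    base = trusted.rsplit(".", 1)[0]
    return base in domain


def assess(raw_message: str) -> list[str]:
    """Return a list of spearphishing warning signs found in the headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Sender domain imitates our own domain.
    if domain != INTERNAL_DOMAIN and is_lookalike(domain):
        findings.append("lookalike sender domain")

    # 2. Display name matches a known colleague but the address does not.
    expected = DIRECTORY.get(name)
    if expected and addr != expected:
        findings.append("display name impersonates a known colleague")

    # 3. Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower().rpartition("@")[2] != domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_SPEAR = (
    "From: Alice Smith <alice.smith@exarnple.com>\n"
    "Reply-To: billing@mailbox.test\n"
    "Subject: Urgent invoice\n\n"
    "Please settle the attached invoice today.\n"
)
SAMPLE_LEGIT = (
    "From: Alice Smith <alice.smith@example.com>\n"
    "Subject: Lunch\n\n"
    "Are you free at 12?\n"
)

if __name__ == "__main__":
    for label, sample in (("spear", SAMPLE_SPEAR), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample) or ["no warning signs"])
```

The checks are deliberately simple header heuristics; in practice they complement, rather than replace, SPF/DKIM/DMARC verification at the gateway, and the "lookalike" threshold should be tuned against your own legitimate sender list to keep false positives manageable.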
