Unpacking social engineering and its pitfalls
By Johnny Truter
Bank Windhoek’s Manager of Forensic Services
Social engineering is the act of attempting to manipulate an individual into performing certain actions or divulging sensitive information. It is a common technique among cyber attackers and identity thieves: they pretend to be a trusted source, such as a bank employee, to get people to divulge information that should be safeguarded.
“It is successfully used because it can be easier to trick someone to divulge confidential personal information than to get through protective technological controls and firewalls. Attackers have been known to ‘name drop’ important figures in an attempt to intimidate the individual and to create a sense of urgency for an immediate response to the request,” said Johnny Truter, Manager of Forensic Services at Bank Windhoek.
Common examples of social engineering include:
- Email phishing: you receive a fraudulent email that claims to be from your bank. The email includes a link to a phony web site that asks for your online banking ID and password.
- Telephone phishing: you receive a phone call from a caller who claims to be from your bank and suggests that there is a problem with your computer or user account. The caller may even ask for your username and password, promising to rectify the problem and save you from any further discomfort.
Phishing is the act of fraudulently trying to obtain sensitive information such as user accounts, passwords and credit card information by pretending to be a trusted entity in an electronic communication such as an email.
Characteristics of phishing include:
- The message is designed to invoke a sense of urgency in the recipient.
- The content often has misspellings and grammatical errors.
- The message often claims to be from a bank, technical support, social media or another legitimate business.
- The site linked from the message asks for an ID and password.
- The message asks you to update certain personal information.
- The “from” address is unusual.
- The URL listed in the message does not match the official URL of the organisation.
- Hovering the cursor over an email address or URL in the text of the mail shows the true address or URL; fraudsters are known to mask these so the message looks authentic.
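Several of the indicators listed above (an unusual “from” address, link text that does not match the real URL behind it, urgency language) can be checked mechanically rather than by hovering over each link. The script below is an added example written for this article, not Bank Windhoek’s own tooling; the sample email, the official domain `bank.example` and the lookalike domain `bank-verify.example` are all constructed placeholders.

```python
"""Flag common phishing indicators in an HTML email: sender domain mismatch,
link text that points somewhere other than it claims, and urgency language.
Added example with constructed sample data; the domains are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed official domain of the bank (placeholder, not a real domain).
OFFICIAL_DOMAIN = "bank.example"

# Constructed sample message; not a real email. The visible link text shows the
# official site while the href behind it leads to a lookalike domain.
SAMPLE_EMAIL = """\
From: "Your Bank Security Team" <alerts@bank-verify.example>
To: customer@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body>
<p>Dear customer, your account has been locked. Update your details now.</p>
<p>Click <a href="http://login.bank-verify.example/id">https://www.bank.example/</a></p>
<p>Or visit <a href="https://www.bank.example/">our site</a>.</p>
</body></html>
"""

# Text that looks like a URL or bare domain, e.g. "https://www.bank.example/".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|suspended|locked)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare domain, or None if there is none."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def find_link_mismatches(html):
    """Return findings for links whose visible text is a URL on a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            findings.append(f"link text {text!r} actually points to {host_of(href)!r}")
    return findings


def sender_domain_issue(from_header, official_domain):
    """Return a finding if the address is not on the official domain or a subdomain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain != official_domain and not domain.endswith("." + official_domain):
        return f"sender {addr!r} (shown as {name!r}) is not on {official_domain!r}"
    return None


def analyse(raw_message, official_domain):
    """Run all checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # the sample is a single-part text/html message
    findings = []
    issue = sender_domain_issue(msg.get("From", ""), official_domain)
    if issue:
        findings.append(issue)
    findings.extend(find_link_mismatches(body))
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency language present in subject or body")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL, OFFICIAL_DOMAIN):
        print("WARNING:", finding)
```

The link check only fires when the visible text itself looks like a URL, which is the masking trick described above; a link labelled “our site” is not judged, since its text makes no claim about where it goes. The sender check treats subdomains of the official domain as legitimate but rejects lookalikes such as `bank-verify.example`.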
DO:
- Question unsolicited messages.
- Use common sense when opening emails and answering phone calls.
- Report suspicious phone calls or emails to Bank Windhoek’s Forensic department.
- Verify the identity of anyone before providing any information to them.
- If in doubt about an email or phone call, contact the organisation using the phone number provided on its official web site or in the telephone directory, not the number in the suspicious email.
- Shred sensitive information instead of putting it in the trash.
DO NOT:
- Divulge any information over the phone until you have validated the caller’s identity.
- Respond to an unsolicited email.
- Give your password to anyone.
- Provide sensitive information without the proper approval.
- Open attachments or click on links from untrusted or unknown senders.
- Open emails from an unknown sender.
- Click on suspicious links in work or personal emails.
“Bank Windhoek will never call or email you and ask for information such as your password or login details. If you suspect that someone is attempting to gain access to your personal information, email us at [email protected] or call 061 299 1200 for immediate assistance,” Truter advised.