How being helpful can lead to harm

14 Jun 18

Don’t rely on IT defences to shield your data – watch out for social engineering, which exploits the human desire to assist, says John Thornton.


How do you find a sophisticated stealth warship in several thousand square miles of ocean?

At a recent conference, a cyber expert from one of the UK’s oldest universities explained how he was set this task as part of a three-day exercise with the Norwegian navy. The navy, he said, got really upset when he found the ship within five minutes, and assumed he must have cheated.

He explained he simply telephoned the ship, pretending to be an impatient admiral, and asked: “Where are you?” The operator on the ship helpfully gave him the exact coordinates.

He also explained how a war game exercise between his university and one in Estonia revealed that large numbers of email addresses and live passwords were readily available on the internet because of breaches at other organisations, which had left both universities open to serious social engineering attacks.

We set a lot of store by investments in technology to ensure our cyber defences, but our Achilles’ heel is often the human desire to be helpful and respond quickly to an urgent request.

Social engineering is the use of deceitful techniques to manipulate someone into divulging information, or into performing actions that result in the release of cash or data.

It is the art of gathering freely available data and using it to entice people to give away fragments of information that can be put together to chip through defences.

A hacker might impersonate someone you trust or build a relationship that will entice you to visit an infected site or open an infected attachment. Like any scam, the aim is to move you quickly through a process, limiting your options at each stage.

How can the public sector guard against these types of attacks?

Most readers will be familiar with “CEO fraud”, which involves the impersonation of a senior figure, usually from a spoofed email address, with requests for transfers of funds, often saying a contractor or regulator needs to be paid urgently.
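The spoofed-sender pattern behind CEO fraud leaves traces in the message headers that an inbound mail gateway can check before a request like this ever reaches a finance team. The following is an added example written for this article, not code from the author or from any public body mentioned here; the organisation domain, the list of executive titles and the three sample messages are all constructed for illustration, and it assumes the receiving mail server stamps its own Authentication-Results header (with DMARC verdict) on every inbound message.

```python
"""Added example (not from the article): flag header-level signs of a spoofed
"CEO" email. Domain names, the executive list and the sample messages are
constructed for illustration only."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (hypothetical value).
OUR_DOMAIN = "example.gov.uk"
# Assumption: display names attackers like to borrow (hypothetical values).
EXECUTIVE_NAMES = {"chief executive", "director of finance"}

# Constructed sample 1: forged From header on our own domain, replies diverted.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-example-gov.uk>
Authentication-Results: mx.example.gov.uk; spf=pass smtp.mailfrom=mail-example-gov.uk; dkim=none; dmarc=fail header.from=example.gov.uk
From: "Chief Executive" <ceo@example.gov.uk>
Reply-To: ceo.office@freemail.example.com
To: finance@example.gov.uk
Subject: Urgent payment to contractor

Please settle the attached invoice today. I am in meetings and cannot take calls.
"""

# Constructed sample 2: lookalike domain owned by the attacker, so DMARC passes.
LOOKALIKE_MSG = """\
Return-Path: <ceo@example-gov.uk>
Authentication-Results: mx.example.gov.uk; spf=pass smtp.mailfrom=example-gov.uk; dkim=pass header.d=example-gov.uk; dmarc=pass header.from=example-gov.uk
From: "Chief Executive" <ceo@example-gov.uk>
To: finance@example.gov.uk
Subject: Urgent payment to contractor

Please pay the attached invoice today, the regulator is chasing us.
"""

# Constructed sample 3: a genuine internal message.
GENUINE_MSG = """\
Return-Path: <ceo@example.gov.uk>
Authentication-Results: mx.example.gov.uk; spf=pass smtp.mailfrom=example.gov.uk; dkim=pass header.d=example.gov.uk; dmarc=pass header.from=example.gov.uk
From: "Chief Executive" <ceo@example.gov.uk>
To: finance@example.gov.uk
Subject: Budget meeting

See you at 10.
"""


def address_domain(msg, header):
    """Domain part of the address in `header`, or '' if the header is absent."""
    value = msg.get(header)
    if value is None:
        return ""
    return parseaddr(str(value))[1].rpartition("@")[2].lower()


def dmarc_result(msg):
    """DMARC verdict from Authentication-Results. Assumes our inbound MX adds
    this header itself and strips any copy supplied by the sender."""
    for ar in msg.get_all("Authentication-Results", []):
        for clause in str(ar).split(";"):
            clause = clause.strip()
            if clause.startswith("dmarc="):
                return clause.split()[0].split("=", 1)[1].lower()
    return "none"


def spoofing_indicators(raw_message):
    """Return the list of spoofing indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = address_domain(msg, "From")
    display = parseaddr(str(msg.get("From", "")))[0].strip().lower()
    reply_dom = address_domain(msg, "Reply-To")
    bounce_dom = address_domain(msg, "Return-Path")
    findings = []
    # 1. Claims to come from us, but our own DMARC check did not pass.
    if from_dom == OUR_DOMAIN and dmarc_result(msg) != "pass":
        findings.append("our-domain-without-dmarc-pass")
    # 2. Borrows an executive's title from an outside (lookalike or webmail) domain.
    if display in EXECUTIVE_NAMES and from_dom != OUR_DOMAIN:
        findings.append("executive-name-from-external-domain")
    # 3. Replies are silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # 4. Bounces go elsewhere than the visible sender (weak signal on its own:
    #    legitimate bulk mailers do this too, so combine with the checks above).
    if bounce_dom and bounce_dom != from_dom:
        findings.append("return-path-domain-mismatch")
    return findings


if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG),
                         ("genuine", GENUINE_MSG)]:
        print(name, spoofing_indicators(sample))
```

The second sample is the important one: when the fraudster registers a lookalike domain, SPF, DKIM and DMARC all pass, because the attacker controls that domain, so a gateway that stops at "dmarc=pass" waves the message through. The display-name check catches it, but the durable control for a payment request remains what the training described above teaches: a call back to the executive on a number already held, never one taken from the email.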

Mandate fraud is similar; here, a victim is tricked into changing bank account details to divert legitimate payments for a genuine organisation to bank accounts controlled by fraudsters.

This was popular when public bodies were first required to put spending data online; it made it easy for criminal gangs to identify substantial regular payments and then write to public bodies, using what looked like genuine letterheads, saying that bank account details had changed.

Training and awareness have helped to minimise these types of frauds.

HMRC is probably the most spoofed body in the UK. This is not surprising as it collects about £575bn annually, through 2.3 billion transactions from its 50 million users and numerous agents, making it an attractive target.

It has taken a very proactive approach, taking down over 450 million fake websites (claiming to be HMRC) and establishing mechanisms to stop phishing emails and texts before they arrive on our phones and computers. This type of pre-emptive action is now being more widely adopted across public services.

Anecdotal evidence suggests the biggest hurdle confronting would-be fraudsters is that they just don’t understand enough about how the public sector works, compared to the corporate sector.

Relying on this does not constitute a good long-term defence strategy.
