Our co-founder, Tony Sales, is one of the leading experts in social engineering. We asked him some of your questions. Here’s what he said:
Q1. Tony, how do you describe social engineering?
Answer – Social engineering, when used by criminals or bad actors, is an act of manipulation to gain access to systems, data and, of course, funds. Attacks can take many shapes and sizes, be directed against individuals or businesses and affect all industries.
There are multiple types; for instance, a phishing email is a digital social engineering attack, created by a human but played out digitally. Criminals do not work in silos.
If I get into your office by pretending to be the cleaner, that’s a physical social engineering attack.
You also have the phone attack, where a victim gives away a password or an OTP [One Time Passcode], some sort of vital information. Again, these can take many shapes.
We call these P.O.C.C.
Q2. POCC? What’s that?
Answer – Points of Criminal Contact. There has to be some sort of contact for someone to be socially engineered. Before the attack, somehow, information has been lost or stolen, maybe in a data breach from a different company. It could be a phone number or an email address, maybe a date of birth. And now a criminal is trying to use that information to manipulate and trick a company or individual to gain either more information or cash.
Q3. What can businesses do to help combat social engineering?
Answer – Train their staff. The industry is mainly led by tech – I love tech, but only when used properly and as part of a layered approach. Staff (and us all, really) need to be aware of the things criminals may do to target us. The human unfortunately is still the weakest link; in order to redress the balance, we need to train, train, train…