Is your business at risk from a Social Engineering attack?

The NI Cyber Security Centre has put together useful information for businesses to prevent social engineering attacks. 

Social engineering is used by cyber criminals to manipulate or exploit an individual into sharing data, money or information. Rather than relying on technical hacking methods, social engineering uses human psychology to launch an attack.

Advice to identify and prevent attacks

The main types of social engineering methods are phishing, smishing and vishing:

  • Phishing – an individual is sent an email asking them to click on a link to a fake website or open an attachment infected with malware (dangerous software). If an individual takes the requested action, the results can be devastating. Spear phishing is when an email is sent to a named individual and often appears to be from someone known to the business.
  • Smishing (SMS phishing) - an individual gets a text message asking them to call a phone number or click on a website link. The text might look genuine and many recent smishing attempts have imitated official government communications - e.g. information about a COVID-19 business support grant.
  • Vishing (voice or VoIP phishing) - an individual gets a phone call or a voicemail message where they are asked to transfer funds or share financial or business-related information. Often, the caller will state they are from an official government organisation like HMRC, an IT company, or a bank. The tone of the phone call or message will be urgent and possibly threatening.

How to protect your business from social engineering attacks

  • Embed policies and procedures around positive cyber security measures – e.g. minimise the number of employees who have admin rights on email accounts and ensure everyone uses strong, secure passwords.
  • Ensure all employees follow the same procedures for financial processes and transactions, so that anything unusual will be easy to spot.
  • Encourage employees not to share details of their workplace on their personal social media accounts – often cyber criminals will look for clues to launch targeted attacks.
  • Educate employees on how to spot phishing attempts - e.g. is someone asking for ‘urgent’ or ‘immediate’ action? Are there spelling errors or is there an unusual greeting or sign off?

How to report attempted social engineering attacks

  • If you receive a suspicious email, forward it to report@phishing.gov.uk
  • Suspicious text messages should be forwarded to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action if it is found to be malicious.

Useful Resources

  • The Small Business Guide, produced by the National Cyber Security Centre (NCSC), is essential reading for advice on strengthening your business’ defences against social engineering attacks
  • The NCSC’s Top Tips for Staff is a free e-learning training package for employees

About the NI Cyber Security Centre

The NI Cyber Security Centre works to make Northern Ireland cyber safe, secure and resilient for its citizens and businesses. We work with public, private, and third sector organisations and citizens to improve their ability to defend against cyber attacks, increase their knowledge of cyber threats, and become more cyber resilient.

Web: https://www.nicybersecuritycentre.gov.uk

Email: info@nicybersecuritycentre.gov.uk

Twitter: @NICyberSC