In cyber security, social engineering refers to a group of techniques used by threat actors to breach systems by targeting the people who have access to those systems, instead of attacking the systems directly. The Canadian Centre for Cyber Security defines social engineering as the practice of obtaining confidential information by manipulation of legitimate users. It is an important threat vector that cannot be ignored. Social engineering is used to manipulate people into disclosing sensitive information or acting in a way that compromises their security. What makes it unique is that it leverages human behaviour, emotion and vulnerability rather than a technical flaw: it exploits human fallibility to bait users into exposing private data, granting access to or making changes in restricted systems and accounts, or running malware on their own computers.
Social engineering: definition and examples
Social engineering attacks can happen online (email, social media), by phone (call, SMS), and in person. Common examples include calls from people offering services, texts asking you to click a link to accept money from a person or an organization, and emails from organizations prompting you to update your credit card information after a failed payment. Do any of these sound familiar?
For the Government of Canada (GC), a successful social engineering attack could mean access to massive amounts of personal information and physical damage to the critical infrastructure that people in Canada rely on, including water, energy, healthcare, food supply chains, transportation systems and financial networks. According to a report published by the Canadian Centre for Cyber Security, from January 1 to November 16, 2021, the Cyber Centre was aware of 235 ransomware incidents against Canadian victims. More than half of these victims were critical infrastructure providers. In fact, the 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved the human element, whether through social engineering, error or misuse. When it comes to cyber attacks, people are therefore both the weakest link and the strongest safeguard. Public servants must be aware of these vulnerabilities and ready to act on them.
Be the shield, not the open door
Tips to avoid falling for social engineering attacks:
- Exercise caution with messages: GC employees are frequent targets. Be cautious if you get a message from an unknown sender. Sometimes these messages appear to come from the personal email address of someone you know, such as a colleague, an executive, a friend or a relative. Suspicious URLs, unexpected requests for personal information, and spelling or grammar errors in the message or in the sender's address can all be signs of a social engineering attack. Always take the time to verify the identity of the sender and the legitimacy of any request for personal or protected information, using a channel you already trust rather than by replying to the message itself.
- Be wary of unexpected calls: Social engineers often use phone calls to get the information they need. If you receive an unexpected call from someone claiming to represent an organization or company, ask for their full name and contact information. Let them know that you are busy and will call back later. If you think the call might be genuine, look up the organization's number on its official website and call that number, never the one the caller gave you, or use another contact method listed on its webpage.
- Keep your personal information private: Do not share personal information on public social media profiles or other open online platforms. Social engineers use such details to impersonate you, gain access to your accounts and craft convincing pretexts to trick you, or people you know, into providing the data they need to plan a cyber attack.
- Be aware of your emotions: With social engineering, attackers will use emotional manipulation techniques throughout their interaction with you. Their tactics seek to induce a sense of urgency, curiosity, fear, guilt, anger, surprise, greed, excitement, or sadness. If you receive a call or message asking you to click on a link or provide sensitive information, remain calm, analyze the situation, check for signs of suspicious activity and always verify the source. This will help you avoid acting out of emotion and taking risky actions.
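The tells listed above (a colleague's name on a personal address, a lookalike domain, a link whose visible text names one site while it points at another, an unexpected attachment) are the same signs Morgan misses in the scenario that follows, and most of them can be checked mechanically before a message reaches an inbox. The Python script below is an added example written for this page; it is not part of the article or of any GC mail filter. The department domain example.gc.ca, the staff directory, the free-mail list and the two sample messages are constructed for illustration.

```python
"""Screen inbound e-mail for the social engineering tells described above.

Constructed example: the domain, directory and sample messages are hypothetical.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.gc.ca"                              # hypothetical department domain
DIRECTORY = {"alex director": "alex.director@example.gc.ca"}   # hypothetical staff directory
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}
RISKY_EXT = {".zip", ".iso", ".lnk", ".js", ".vbs", ".exe", ".html", ".htm", ".docm", ".xlsm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as exarnple.gc.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw):
    """Return the list of warnings triggered by one RFC 822 message (empty if none)."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    dom = domain_of(addr)
    warnings = []

    # 1. Display name of a known colleague, but not that colleague's directory address.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        warnings.append(f"display name '{name}' matches staff but address is {addr}")

    # 2. Work correspondence arriving from a personal mailbox.
    if dom in FREEMAIL:
        warnings.append(f"sender uses personal mailbox domain {dom}")

    # 3. Lookalike of the internal domain (one or two characters off).
    if dom and dom != INTERNAL_DOMAIN and edit_distance(dom, INTERNAL_DOMAIN) <= 2:
        warnings.append(f"sender domain {dom} looks like {INTERNAL_DOMAIN}")

    # 4. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != dom:
        warnings.append(f"Reply-To goes to {domain_of(reply_to)}, not {dom}")

    # 5. Link text that shows one host while the href points at another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            text = text.strip()
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if shown and real and shown.lower() != real.lower():
                warnings.append(f"link text shows {shown} but points to {real}")

    # 6. Attachment types commonly used to deliver malware loaders.
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if any(fn.endswith(ext) for ext in RISKY_EXT):
            warnings.append(f"risky attachment {fn}")
    return warnings


# Constructed sample: a message modelled on the kind of lure described in this article.
PHISH = """\
From: Alex Director <alex.director@gmail.com>
Reply-To: Alex Director <alexdirector-office@mail.example>
To: morgan@example.gc.ca
Subject: Q3 quarterly report - please open today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Morgan, the branch results are attached. Also see
<a href="http://exarnple.gc.ca/login">https://example.gc.ca/results</a>.</p>
--b1
Content-Type: application/zip; name="Q3_report.zip"
Content-Disposition: attachment; filename="Q3_report.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: the same request sent the legitimate way.
LEGIT = """\
From: Alex Director <alex.director@example.gc.ca>
To: morgan@example.gc.ca
Subject: Q3 quarterly report
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Morgan, the report is on the shared drive under Branch/Results/Q3.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, screen(raw) or ["no warnings"])
```

The checks are deliberately coarse: a lookalike check on edit distance alone will also flag legitimate sister domains, and a free-mail sender is only suspicious in a work context, so in practice each warning is a reason to verify through a trusted channel, not an automatic block. None of them replaces the human step the tips above describe.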
Social engineering is all about deception. There are many ways to make something fraudulent look legitimate, and the same manipulation techniques have proven very effective online at getting people to take actions they should not take, such as clicking a malicious link, opening a malicious attachment, providing personal information, or making a change to a system they administer. People like Morgan.
Meet Morgan. Morgan gets hundreds of emails every day. Most are requests for information; some contain reports, plans or submissions, while others require Morgan to activate something. Morgan received an email with a quarterly report attached. The email looked as if it had been sent from the Director’s personal account. Thinking it was about the branch's results, Morgan opened the attachment.
Once Morgan opened the attachment, the ransomware installed itself in the network, targeted a database full of important records and encrypted them. The cyber threat actor demanded a ransom of more than $1 million to decrypt and restore access to the information. While the database was inaccessible, their department could not provide essential services to people in Canada.
People became worried about their personal information and service delays. They called in and commented on social media. This led to a spike in inquiries to the department, causing employees to have to work overtime. There were news articles describing the attack and the 'embarrassing missteps' that led to it.
Morgan could have kept their department safe by learning about social engineering and recognizing the signs of a phishing attempt, such as receiving work correspondence from a personal email address they had never corresponded with before. Being asked to open an unexpected attachment should have given Morgan pause. They could have confirmed whether the attachment was legitimate by calling their director or asking through any channel other than the email itself.
Don’t take the bait. Don’t repeat Morgan’s mistake.
Like Morgan, everyone can be a target of social engineering. So, stay vigilant and remember these signs to protect yourself and your organization from attacks. You can start by learning from Morgan and their peers in the Discover Cyber Security (DDN235) course.
- Course | Discover Cyber Security (DDN235)
- Course | Cyber Security in the GC and Online Exposure (DDN233)
- Course | Privacy in the Government of Canada (COR504)
- Course | Access to Information and Privacy Fundamentals (COR502)
- Webpage | Report a cyber incident (for both individuals and organizations)
- Webpage | Canadian Centre for Cyber Security
- Webpage | Get Cyber Safe
- Article | Don’t Be a Character in an Espionage Thriller
- Article | Level Up Your Cyber Security Skills: Stay Ahead of Evolving Threats!
- Article | Protecting Privacy in a Remote Work Environment
- Article | Fake News and Clickbait: Identifying Disinformation and Misinformation (csps-efpc.gc.ca)