In cyber security, social engineering refers to a group of techniques used by threat actors to breach systems by targeting people with access to those systems, instead of targeting the system itself. The Canadian Centre for Cyber Security defines social engineering as the practice of obtaining confidential information by manipulation of legitimate users. It is an important threat vector that cannot be ignored. Social engineering is used to manipulate people into disclosing sensitive information or acting in a way that can compromise their security. What makes it unique is how it leverages human behaviour, emotion, and vulnerability to prey on victims. It exploits human fallibility and baits users into exposing private data, giving access or making changes to their restricted systems and accounts, and/or spreading malware on their computers.
Social engineering: definition and examples
Social engineering attacks can happen online (email, social media), by phone (call, SMS), and in person. Common examples include calls from people offering services, texts asking you to click a link to accept money from a person or an organization, and emails from organizations prompting you to update your credit card information after a failed payment. Do any of these sound familiar?
For the Government of Canada (GC), successful social engineering attacks could mean access to massive amounts of personal information and physical damage to the critical infrastructure that people in Canada rely on, including water, energy, healthcare, food supply chains, transportation systems and financial networks. According to a report published by the Canadian Centre for Cyber Security, from January 1 to November 16, 2021, the Cyber Centre had knowledge of 235 ransomware incidents against Canadian victims. More than half of these victims were critical infrastructure providers. In fact, in 2022, 82% of breaches involved human error (Verizon Data Breach report). Social engineering means that, when it comes to cyber attacks, people are both the weakest link and strongest safeguard. Public servants must be aware of these vulnerabilities and ready to take action.
Be the shield, not the open door
Tips to avoid falling for social engineering attacks:
- Exercise caution with messages: GC employees often are targets. Exercise caution if you get a message from an unknown sender. Sometimes, these messages can appear to be sent from the personal email address of someone you know, such as a colleague, an executive, a friend or a relative. Suspicious URLs, unexpected requests for personal information and spelling and grammar errors in the message or email address can all be signs of a social engineering attack. Always take the time to verify the identity of the email sender and any requests for personal or protected information.
- Be wary of unexpected calls: Social engineers often use phone calls to get the information they need. If you receive an unexpected call from someone claiming to be from a certain organization or company, ask for their full name and contact information. Let them know that you’re currently busy and will call back later. If you think it might be a real call, look up and call the number on the organization’s official website or contact them using any alternative methods listed on their webpage.
- Keep your personal information private: Do not share your personal information on social media (with public settings) or other online platforms. Social engineers can use this information to impersonate you, gain access to your accounts and find ways to trick you into providing the data they need to plan a cyber attack against you or people you know.
- Be aware of your emotions: With social engineering, attackers will use emotional manipulation techniques throughout their interaction with you. Their tactics seek to induce a sense of urgency, curiosity, fear, guilt, anger, surprise, greed, excitement, or sadness. If you receive a call or message asking you to click on a link or provide sensitive information, remain calm, analyze the situation, check for signs of suspicious activity and always verify the source. This will help you avoid acting out of emotion and taking risky actions.
Transcript
Descriptive transcript for Morgan’s mistake video:
[The text “Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité” appears onscreen.]
[The text “Canada School of Public Service | École de la fonction publique du Canada” appears onscreen.]
Morgan’s Mistake
Social engineering is all about deception.
[Two pieces of paper with “REAL” and "R3AL” written on them swap places.]
There are many ways to trick people into thinking things are legitimate.
[A man has a thought bubble over his head that says, “Which one is the real document?” APPEARING IN SEQUENCE: Laptop with a red warning sign, laptop with a downloading icon, “DOB: 05/21/2002,” an engineer working on a computer system.]
Using similar kinds of manipulation online has become a very successful way to get people to take actions they shouldn't take, such as clicking a malicious link, opening a malicious attachment, providing personal information, or making a change to a system they administer. Tricking people like Morgan.
[Morgan, with short blonde hair and a white shirt, sits in front of their computer.]
Meet Morgan.
[Many animated email icons fly into the back of Morgan’s computer.]
Morgan gets hundreds of emails every day.
[A laptop screen showing numerous email headings appearing one by one. Most are requests for information; some contain reports, plans or submissions, while others require Morgan to activate something. An email heading appears at the top of the inbox with “New!” next to it; a mouse pointer appears on the bottom right of the screen and moves to click the new email heading. The email opens, and they click on the link to the attachment at the centre of the page.]
Morgan received an email with a quarterly report attached. The email looked as if it had been sent from the Director’s personal account. Thinking it was about the branch's results, Morgan opened the attachment.
[A file download icon appears. The laptop screen then switches to a page with code on it and a lock unlocking in front of it.]
Once Morgan opened the attachment, the ransomware installed itself in the network, targeted a database full of important records and encrypted them.
[A threat actor in a burglar outfit appears on the left side of the screen with a speech bubble with money inside.]
The cyber threat actor demanded a ransom of more than $1 million to decrypt and restore access to the information.
[A lock appears on a laptop screen with code on it. It zooms out to show an engineer in a panic; the system is malfunctioning and a client is making an angry call to the human resources department.]
While the database was inaccessible, their department could not provide essential services to people in Canada.
[At the bottom left of the screen, a man is panicking. A thought bubble shows all of his files being compromised. Another man is calling on his phone. At the bottom right of the screen, a phone screen is showing a person using social media.]
People became worried about their personal information and service delays. They called in and commented on social media. This led to a spike in inquiries to the department, causing employees to have to work a lot of overtime.
[Three newspapers appear on screen with the titles “Government REPUTATION at Risk!”, “CYBER ATTACK” and “Hundreds of Files Lost!”]
There were news articles describing the attack and the 'embarrassing missteps' that led to it.
[Bullet points appear.]
Morgan could have kept their department safe by learning about social engineering and by recognizing the signs of a phishing scam, such as receiving correspondence at work from a personal email address with which they had not communicated before.
[Green checkmarks appear over the bullet points. Morgan is thinking; there is a grey thought bubble over their head.]
Being asked to open an attachment should have given Morgan pause. They could have confirmed whether or not the attachment was legitimate by calling their director or communicating in some other way.
Don’t take the bait. Don’t repeat Morgan’s mistake.
[This video was co-created by: Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité, Canada School of Public Service | École de la fonction publique du Canada.]
[The Government of Canada logo appears.]
Like Morgan, everyone can be a target of social engineering. So, stay vigilant and remember these signs to protect yourself and your organization from attacks. You can start by learning from Morgan and their peers in the Discover Cyber Security (DDN235) course.
Courses
- Course | Discover Cyber Security (DDN235)
- Course | Cyber Security in the GC and Online Exposure (DDN233)
- Course | Privacy in the Government of Canada (COR504)
- Course | Access to Information and Privacy Fundamentals (COR502)
Resources
- Webpage | Report a cyber incident (for both individuals and organizations)
- Webpage | Canadian Centre for Cyber Security
- Webpage | Get Cyber Safe
- Article | Don’t Be a Character in an Espionage Thriller
- Article | Level Up Your Cyber Security Skills: Stay Ahead of Evolving Threats!
- Article | Protecting Privacy in a Remote Work Environment
- Article | Fake News and Clickbait: Identifying Disinformation and Misinformation (csps-efpc.gc.ca)
