Most fraud cases affecting the UK involve the use of the internet to unlawfully obtain victims’ personal information, such as names, dates of birth, bank details and National Insurance numbers. Social engineering is one of the primary mechanisms for eliciting this information. Phishing is one of the most prevalent forms of social engineering, with fraudsters circulating malicious links or files under the guise of a legitimate email.
Social engineering attacks happen in one or more stages. A cybercriminal may first research the intended victim to gather necessary background information and potential weaknesses in security protocols needed to proceed with the cyberattack. The cybercriminal may then attempt to gain the victim’s trust and request actions that break security practices, such as revealing sensitive information or giving access to restricted systems. They may also be aware of regular payments that are due, or of the structure of teams within your organisation, enabling them to impersonate internal employees.
Employees have an important role to play in keeping themselves and their organisations secure by remembering that most cyber fraud attacks depend heavily on human interactions.
To avoid being tricked and to protect yourself and your organisation from cyber criminals, it is important to understand the different techniques cyber criminals will use.
The most common forms of social engineering are:
Phishing is when cybercriminals attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware or direct them to a malicious website. Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email.
Untargeted mass malicious emails can be sent to many people asking for sensitive information, purporting to be from, for example a bank, online shopping site or government department with the aim of obtaining your login credentials or to install malware.
Phishing emails may:
- Contain malicious attachments that they want you to open which contains malware.
- Contain a link to a malicious website, where your account name, password and security details may be requested to log on. These websites may look identical to genuine websites, however, once you have provided your personal details, they are used by the cyber-criminal to commit fraud and identity theft.
- Appear to be from a legitimate source, attempting to create trust and encourage you to reply or take the action requested in the email.
- For example, the email is sent from an email address that is similar to a genuine sender i.e. @nhscfa.g0v.uk instead of @nhscfa.gov.uk (changing to ‘o’ to a ‘zero’).
Spear phishing is a malicious email communication sent to a specific individual, organisation or business. It is a more targeted form of phishing where the email is designed to look like it is from a person the recipient knows and trusts.
Spear phishing usually follows target research where the aim could be the theft of sensitive data. The attacker may use information about the organisation or employees to make the information more realistic.
Spear phishing emails may:
- Appear to be sent from an email address the receiver knows, for example a work colleague, a more senior employee or someone from the organisation’s IT department.
- Contain information about the recipient that has been obtained from the internet such as your education and employment status. This information is known as data leakage and can make the email seem more genuine.
- Impersonate a trusted brand or people in your organisation (like the CEO), convey a sense of urgency in the subject line, motivate you to act (often by using some sort of consequence or time restriction) and direct you to click on links or download attachments.
Whaling is a highly targeted phishing attack, masquerading as a legitimate email that is aimed at senior executives. It is one of the biggest risks facing organisations and is more sophisticated than generic phishing emails and usually:
- Contains personalised information about the targeted organisation or individual.
- Are crafted with a solid understanding of business language and tone.
- Are designed to encourage victims to perform actions, such as initiating a wire transfer of funds.
- Encourages the user to click on a website to deliver malware.
- Requests additional details about the organisation or individual to conduct further attacks.
- Conveys a sense of urgency.
Smishing (SMS phishing) is a form of social engineering that exploits SMS, or text messages. It is the SMS equivalent of phishing where the malicious message appears on your phone as a text pretending to be from a genuine source. Like many scams, cyber criminals prey on real world concerns to try and trick you into interacting. They may also mimic real NHS messages.
- These text messages can contain links to malicious webpages, email addresses or phone numbers.
- Criminals can disguise their phone number to make it look like it is from a reputable source and try and convince you to click on an attached malicious link.
Vishing(Voice phishing) is a form of social engineering over the telephone. The approach may be more direct, asking you for sensitive information, such as banking details.
- These may include calls informing you that your account has been compromised, there is suspicious activity on your account or that a payment has been made to the incorrect bank details.
- These include calls from fraudsters posing as contact tracers, claiming you have come into contact with a person who has tested positive for Covid-19. To get their own test, victims are persuaded to verify their identity and share personal information including their date of birth, address, and email. At the end of the call, they’re ask to pay for their test, giving payment card details, handing the criminals enough information to defraud them.
- These scam messages can be very hard to spot. They are designed to get you to react without thinking.
- Criminals can disguise their phone number to make it look like it is from a reputable source.
Water holing is a social engineering attack that takes advantage of the amount of trust that users give to websites they regularly visit. A water-holing (or sometimes watering hole) attack is where cyber criminals attempt to compromise a specific group of people by infecting one or more websites that they are known to visit.
- The victims are usually from the same company or organisation.
- The goal is usually to gain access to that organisation’s computer network by infecting one or more users’ computers with malware.
- They are difficult to detect and typically target high-profile websites.
- Be alert to the style, tone and grammar of emails you receive, especially if the email does not address you by name (e.g. Dear Sir/ Madam).
- Never enter any personal or security information on a site accessed through a link in an email.
- Never click on links or open attachments from senders you are unsure of.
- Do not assume a sender is genuine because they know information about you or your company or because the email address looks familiar - Software is available that can alter, or “spoof” an email address in the sender line of an email. This means that when you look at the email, it appears to have been sent from a legitimate source.
- Hover the mouse over the recipient’s email address which should show the actual email address the email has come from.
Vishing & Smishing
- Do not assume a caller or a text message is genuine because they know information about you or the organisation you work for.
- If you are suspicious, terminate the call and call back using your usual contact number and not the number provided by the caller.
- Remember that your bank may ask you for some information, but will never ask you for your full password, or PIN, payment authorisation codes, provide you with details to make a payment or request that you grant them access to your systems or PC.
- The NHS will never ask you for your PIN, bank details or passwords.
- See the Malicious Websites section
- If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS) at email@example.com.
- Suspicious text messages should be forwarded to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.
Help us improve cfa.nhs.uk
Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.