Social Engineering
Social engineering is the use of tricks or deception to manipulate people into giving access to data, such as digital or physical health and care records, and to other valuable information.
Criminals will often spend weeks or months getting to know an organisation before they ever come through the door or make a phone call.
Preparation
Their preparation might include finding your organisation’s phone list or organisation chart and researching employees on social networking sites, like LinkedIn or Facebook.
The goal is always to gain the trust of one or more employees, through a variety of means.
In the office
‘Can you hold the door for me? I don’t have my key/access card on me.’
How often have you heard that in your building? Although the person asking may not seem suspicious, this is a very common tactic (known as tailgating) used by fraudsters.
On the phone
A social engineer might call and pretend to be a fellow employee, for example from your ICT department or provider, or a trusted outside authority, such as the police or an auditor.
Online
Social networking sites have opened the door to a whole range of social engineering scams.
One of the latest scams involves the criminal posing as a Facebook ‘friend’. You can never be certain that the individual you are talking to on Facebook is who they claim to be, or even a real person.
Criminals steal passwords, hack accounts and pose as friends for financial gain.
Many people have also been scammed by criminals pretending to be calling from a call centre.
For example, they may say they are calling about an online order you’ve made. If you’re expecting a delivery, it is easy to be taken in.
The criminal may already have a lot of information about you and ask you to confirm additional details about your online account, so that the order is not delayed.
If they have your email address, they may try to get you to click on a malicious link in an email they send you.
Hi. This is Mike from the ICT department. How are you?
Hi Mike. I’m fine.
We are doing some urgent updates today on the system. Can you confirm your full name so I can bring up your details?
It’s Georgina Jenkins here. I didn’t realise we had an update today.
We had a few problems last night and now need to do some urgent work which may affect your access. Can you confirm your username and password so I can make sure these are transferred when we carry out the urgent update?
Oh, of course, it’s…….
Would you disclose your username, password, email addresses or other details about where you work?
Your line manager, ICT department or provider already know a lot about you and will not need to ask these types of questions. In particular, nobody from ICT needs your password to do their job.
Similarly, calls have been made to NHS and care staff where the caller pretends to be from the ICT department or provider.
For example, the caller advises that ICT have detected some problem with the employee’s work account, which they can resolve if the employee allows them to remotely access the laptop or PC.
They may ask you to disclose your username, password, email address or other details about where you work.
Social Media
Revealing any information about your organisation on social media can be valuable to a fraudster.
It’s the office move day today so we’re having to use these stupid passes and door entry codes everywhere.
The amount of codes I have to remember these days is crazy - mine are all the same anyway!
Having to sort out all this funding today - we’ve just been awarded £1m to cut our waiting times. So guess what? I can sign off up to £50 000 now!
I can’t get in the office – can you pass me your door code?
Sure, it’s 12345.
Hola! It’s holiday time again in 24 hours. Can you do me a favour? I forgot to update Paula Trotter's record – you know my password, don’t you?
No I don’t. Can you send it to me?
It’s Katie2011.
Got it. Haha! I do that with my passwords too – name them after my kids' names.
A criminal reading the posts will gain vital intelligence about how the organisation’s processes work.
What information could a criminal get?
Find out where Jill’s new office is by searching her organisation’s website, then matching the coordinator's online pictures to that office
Gain access to Jill’s office using the door entry code
Burgle Jill’s house when she is on holiday
What could a criminal do with this information?
Install malicious software that corrupts data or prevents the organisation using it until they pay a ransom
Gain access to data to sell on to other criminals
Attempt to authorise one or more £50 000 transactions
Attempt to create a new referral to claim a personal budget
Access bank account details listed in the system, to steal a service user’s money
Email can be the most efficient option for exchanging information but, as with all forms of information transfer, there are risks. Hackers and criminals use unsolicited emails that contain attachments or links to try to trick people into providing access to information. This type of threat is known as phishing. A phishing email is typically trying to get you to do one of the following.
Click on a link
Click on a link that will take you to a website that looks genuine and enter sensitive or financial information about yourself, your patients, service users or organisation.
Open an attachment
Open an attachment that contains a file with an EXE extension. Known as an ‘executable’ file, it runs as a program as soon as you open it; if it comes from a hacker, it is likely to contain malicious software (malware) that will install itself on your computer. Other file types, including scripts and documents with macros, can do the same.
Unknowingly install malware
Some malware can enable the hacker to steal data from your computer or your organisation’s network. Other types of malware (ransomware) encrypt all your files and lead to your organisation being asked to pay a ransom to unlock them.
If you receive a request from a supposed colleague asking for login details or sensitive, financial or patient/service user information, you should always double-check the request with the colleague over the phone.
Equally, if you receive an unsolicited email that contains attachments or links that you have not asked for, do not open them.
Remain vigilant and report the suspicious email to your line manager, ICT department or provider.
Never give your login details to anyone.
PHISHING
Phishing is by far the most common and lowest-effort form of social engineering.
Criminals use phishing emails and websites to scam people on a regular basis. They are hoping that you will click on fake links to sites or open attachments so that they can steal data or install malicious software.
Aim of phishing
The aim of phishing emails is to pressure users into making a mistake, for example by imitating a legitimate company’s emails or by creating a time-limited or high-pressure situation.
Do not install software
Phishing email attachments or websites might ask you to enter personal information or a password, or they could start downloading and installing malware.
Do not install any new software unless you are advised to do so by your line manager, ICT department or provider.
Think – is someone trying to extract or extort information from you?
Contact your ICT department or provider
You must contact your manager and ICT department or provider for advice immediately if you:
· Are unsure about an email or think that this may be happening to you
· Have clicked on a phishing link or visited a phishing website
Hovering over the sender’s name in the ‘From’ column reveals the actual email address behind it, which is a simple first check on whether an email is legitimate. The display name can be set to anything, so always look at the address.
Is the email name and domain real? A quick online search can bring up genuine email domain names such as @Excelems.com or @xxx.gov.uk, @NHS.uk. Watch for lookalike domains that add, drop or swap characters or put the genuine name in front of a different domain. Bear in mind that the ‘From’ address itself can be forged, so a familiar address is not proof on its own.
If a source, for example your bank, does not normally send you attachments but then sends an email with an attachment, this may be evidence of phishing. High-risk attachment file types include: exe, scr, zip, com, bat. A zip file can hide any of the others inside it.
Is the subject relevant to something that you are actually working on or is it in any way relevant to you? If not, alarm bells should start ringing.
However, it may also be that the sender has incorrectly addressed the email.
Check the address fields ‘To’ and ‘CC’, to see where the email has been sent.
If the fields contain multiple addressees (sometimes tens or even hundreds), it is likely that the sender is ‘spamming’ potential targets and hoping to catch someone out. Don’t be that person.
Phishing emails written in bulk often contain spelling mistakes, bad grammar or content that doesn’t make sense. A well-written email is not proof of legitimacy, however; targeted phishing is frequently polished.
If an email has provided you with some links and instructed you to click them, have a close look at the link’s URL. Check the domain name itself, not just the prefix: a link that shows one address in the text can point somewhere else entirely.
A website prefixed with HTTPS only means the connection is encrypted, which protects it from (but does not make it immune to) interception. It says nothing about who runs the site, and phishing sites use HTTPS too. If in doubt, do not click the link: type the organisation’s address into your browser yourself, or check the link with a URL-scanning service such as https://www.virustotal.com
A common tactic of spam emails is to alert you that you must provide or update personal information, including bank account details or an account password.
You will never legitimately be asked to provide your email login details, such as your password, by a genuine ICT department or service.
Do not reply.
Select the email, right-click it and mark it as junk.
Inform your line manager, local ICT department or service provider and they will advise on how you can block further emails from being received.
Before clicking any link in an email, check that it is a legitimate website link, also known as a URL.
Hover your mouse over any URLs that the email is trying to persuade you to visit; the real destination shown by your email client may differ from the text of the link.
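The checks above (real sender address rather than display name, lookalike domains, number of recipients, high-risk attachment types, and link text that hides a different destination) can be automated for triage. The following is an added example and not code from the original page or any NHS system: it runs the checks against a constructed sample message built in the script. The trusted-domain list, the ten-recipient threshold and the sample addresses are assumptions for illustration.

```python
# Added example: automated version of the manual email checks described above.
# Assumptions: TRUSTED_DOMAINS is a hypothetical organisation's list, the
# MASS_MAIL_THRESHOLD is an illustrative choice, and the sample message is constructed.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("nhs.uk", "example-trust.nhs.uk")       # assumption
HIGH_RISK_EXTENSIONS = {"exe", "scr", "zip", "com", "bat"}  # file types listed on the page
MASS_MAIL_THRESHOLD = 10                                     # assumption

# HTML anchor: capture the real href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_trusted(domain):
    """Exact match or subdomain of a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Return the trusted domain an untrusted domain imitates, e.g.
    nhs-uk-support.com still contains 'nhsuk' once dots and dashes are stripped."""
    def squash(d):
        return re.sub(r"[^a-z0-9]", "", d.lower())
    if is_trusted(domain):
        return None
    for t in TRUSTED_DOMAINS:
        if squash(t) in squash(domain):
            return t
    return None


def triage(raw):
    """Return a list of warning strings for one raw email message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender: judge the real address, never the display name.
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()
    if not is_trusted(domain):
        findings.append(f"sender domain not trusted: {domain}")
        hit = lookalike_of(domain)
        if hit:
            findings.append(f"sender domain looks like {hit}")

    # 2. Recipients: many To/Cc addresses suggest a bulk mailing.
    recipients = [a for h in ("To", "Cc") for hdr in msg.get_all(h, []) for a in hdr.addresses]
    if len(recipients) > MASS_MAIL_THRESHOLD:
        findings.append(f"mass mailing: {len(recipients)} recipients")

    # 3. Attachments: flag the high-risk file types.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in HIGH_RISK_EXTENSIONS:
            findings.append(f"high-risk attachment: {name}")

    # 4. Links: compare the visible URL with the real href; https is not proof of legitimacy.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, label in ANCHOR_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(label)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host != target:
                findings.append(f"link text shows {shown_host} but goes to {target}")
        if not is_trusted(target):
            findings.append(f"link to untrusted host {target} (https alone proves nothing)")
    return findings


def build_sample(phishing=True):
    """Constructed demo message (not a real email). phishing=False builds a clean one."""
    m = EmailMessage()
    m["Subject"] = "Urgent: confirm your account before tonight's update"
    if phishing:
        m["From"] = '"ICT Service Desk" <helpdesk@nhs-uk-support.com>'
        m["To"] = ", ".join(f"user{i}@example-trust.nhs.uk" for i in range(12))
        m.set_content("Please confirm your details.")
        m.add_alternative('Click <a href="https://account-verify.example.net/login">'
                          'https://example-trust.nhs.uk/login</a> to keep access.',
                          subtype="html")
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="update.exe")
    else:
        m["From"] = "ICT Service Desk <helpdesk@example-trust.nhs.uk>"
        m["To"] = "georgina.jenkins@example-trust.nhs.uk"
        m.set_content("Reminder: https://example-trust.nhs.uk/updates")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("WARNING:", line)
```

Each finding corresponds to one check in the text; a real deployment would also verify the message’s authentication results (SPF, DKIM and DMARC), which this standalone example does not have access to.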
Macros and Malware
Macros
Macros are small programs embedded in documents that an application such as Microsoft Excel runs to automate tasks, for example working out formulas. Office applications disable macros by default, particularly in files downloaded from the internet or received by email, because a macro can be written to download and install malware.
Always be vigilant when enabling macros.
Do you trust the source of the document?
Malware
Malware can reside on your computer and avoid detection, making it easier for someone to be active on your system without you noticing.
To protect your organisation from this type of threat, your ICT department or provider will ensure that you have up-to-date antivirus software installed.
Malware can make computers run slowly or perform in unusual ways.
If you suspect that your computer is not performing as it normally does, contact your line manager, ICT department or provider.
Good Practice
Untrusted websites
Be vigilant when you visit a website that is declared ‘untrusted’.
If a web browser states that you are about to enter an untrusted site, be very careful. It could be a fake phishing website that has been made to look genuine.
A browser may display a red padlock, a crossed-out padlock or a warning message stating that your connection is not private. A certificate warning can also mean the connection is being intercepted, so do not click through it.
Passwords
It is important to use strong passwords on all of your devices to prevent unauthorised access. You should also use different passwords for each account.
Creating strong passwords doesn’t need to be a daunting task if you follow some simple guidelines.
The National Cyber Security Centre (NCSC) has a range of guidance on good password management.
Consider the use of a free password manager, too. Again, the NCSC has detailed guidance on what to look for - a link to NCSC can be found in Resources.
Understanding your Environment
The environment where you access information is also important. For example, Wi-Fi hotspots in public places such as cafes, fast food chains, public transport, patients' homes, hotels and shops are not secure.
Your home internet connection, your workplace Wi-Fi connection and your phone’s personal hotspot should all be password protected.
Security measures
· Change default passwords
· Use encryption - WPA2, or WPA3 where available, secures the vast majority of Wi-Fi networks; do not use open networks or the obsolete WEP standard
· Use password managers
· Disable auto connect to unknown Wi-Fi networks
· Update phones and devices with latest patches
Cloud Storage
Although the cloud storage systems you use at home may be similar to those in your workplace, the arrangements for data security and protection are different. Check your local policies, or seek advice from your organisation's IT service desk or IG/data security contact, before putting work information in a personal cloud account.
Devices
A number of simple measures can help you to stay safe online.
You should ensure your device is kept up-to-date particularly with any security updates.
You should lock your device as soon as you stop using it. All mobile phones, laptops, PCs and tablets whether personal or not, should have a password set. If you see a colleague’s device open and unlocked, lock it for them and gently remind them to do so in future. This also applies to corporate mobile devices – activate the lock function so that a password or code is needed to unlock them.
Tip: Press the Windows key + L on your keyboard to quickly lock your laptop or PC.
1. A USB drive contains its own controller and firmware, so it is technically a small computer in its own right. Many organisations have set their computers to ensure only encrypted organisation USB drives can be connected to them.
Even so, before using a USB drive, you should scan it to ensure that it is safe.
2. If you are permitted to use other USB drives, you should never plug a non-secure USB drive into your work computer.
This could introduce malware on to your computer and then on to the organisation’s network.
3. Similarly, you should never plug a secure USB drive into an untrusted computer, because malicious software could be transferred to the drive and passed on to any other devices where you use it.
If you are unsure, ask your line manager, ICT department or your provider.
Disposal of Confidential Information
We have to be careful when disposing of any information. Much of the data that health and care organisations create and use is classified as OFFICIAL under the Government Security Classifications.
The Government defines ‘official’ as the majority of information that is created or processed by the public sector.
This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media.
Clear Desk Policy
Most organisations now have a clear desk policy or equivalent guidance which includes working from home and you need to be aware of this.
· Do not leave information such as documents that identify someone or financial details in unsecure locations
· Having a clear desk ensures that you are not potentially leaving sensitive information lying around, raising the risk of a breach
· A clear desk policy reduces the risk of data loss by ensuring no confidential or commercial information is left unattended throughout the workplace
Home Working
More of us are working from home on a regular basis. Are you aware of the data security and protection issues?
Your workspace
Your kitchen table could be your office, so be mindful of work conversations in shared family spaces.
Being vigilant
At home we can sometimes drop our defences and forget that a home workspace should be treated with the same care as the office.
Video calls
Your working environment will be visible. Look out for notice boards with personal information such as bank statements, login details for personal accounts and clinic appointment letters. You should consider blurring your background in a video call or using a virtual background.