Social engineering is the process of manipulating human psychology in believing that what they are doing is the right or correct thing to do, unfortunately “there is no technical defence against a social engineering attack because defeating it requires a change in human behaviour” (Alan Paller, research director at the Sans Institute).
These attacks are more commonly known as Phishing, which basically means the attacker sends you an email requesting for bank account, credit card or other financial details through what seems a legitimate email address (e.g. credit@barlcays.co.uk), with this information the attacker can either sell on your details to other criminals or use it to make fraudulent transactions anywhere in the world or clone your identity. Now with the attacks becoming more frequent and more detailed in their deception customers are urged to be on the look out and not engage in accessing links within emails that you are not sure about.
Here are some simple steps in best practice when detecting email scams.
Always verify the information source. Do not automatically reply to any email message that asks for your personal or financial information. If you feel uncertain about whether that company really needs the kind of information it is requesting, pick up the phone book and phone your usual contact, in order to check the information source.
Type the web address in your Internet browser yourself. Instead of clicking on the links in the email message, type the web address (URL) in your browser, or use a previously defined bookmark. Even web addresses that look correct in the email message can be the path to a fraudulent website.
Reinforce your security. Users making transactions through the Internet should install security suites that block this kind of threat on their computers, apply the latest security patches available through their usual vendors and make sure that they are operating in secure mode using digital certificates or communication protocols such as HTTPS.
Always ensure that you are using a secure website: the web address must begin with https:// and a little closed padlock must be displayed on the status bar of the browser.
Double-click the padlock in order to view the digital certificate that confirms the website you are accessing is actually the one you expected.
Regularly check your accounts. Monthly statements are particularly useful to detect irregular transfers and transactions, both operations that you did not make but are reflected in the statement and operations made online but not reflected in the statement.
Thanks to Panda Security for these tips.