Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, or to encourage action that may result in a loss of money or of information security for your business.
Criminals use social engineering tactics as it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to persuade someone into giving you their password than it is for you to try and hack it.
There is a range of information criminals may seek; however, the most common targets are your password, your bank information, or control over your computer.
There are well-known examples of high-profile (and expensive) social engineering attacks, but at a day-to-day level they may look like this:
• An email that appears to be from the owner of the business requesting urgent payment of an attached invoice.
• A phone call from a long-standing supplier requesting a change in bank account details over the phone.
1. Education
Your people are your first and strongest line of defence. Most social engineering attempts rely on people within the business providing information or taking action that they would not ordinarily take. Providing education to employees can be simple and cheap; the following videos provide short and straightforward introductions to social engineering and how to spot an attack.
Encourage employees to check and verify requests if they are unsure or if something seems out of the ordinary.
2. Process
Establish clear processes around key risk areas for your business. These might include:
• Changing supplier details in your accounting software
• Making payments to suppliers
• Sending commercially sensitive information
Ensure that each of these processes is supported by a clear verification step, such as a confirmation phone call or a weekly check of the invoices to be paid.
3. Insurance
The average cost of a cyber security incident in Australia is $250,000. Cyber insurance can cover you for a broad range of associated costs, including recovery of lost data, assistance with legal fees, and costs associated with mediating an extortion attempt.
If you would like further information or assistance please contact our Audit Partner Adrian Downing on 03 5443 0344.