Experts say the government should get involved with tackling the challenge of social engineering scams
Research just published claims to show that more than £21 million has been lost in the UK to social engineering scams in the first five months of the year - with around 23 percent of people in the UK having received a cold call requesting personal or financial information.
To raise awareness of the issue, Get Safe Online (GSO) - the Internet safety and security agency - has produced a new series of informative videos offering advice and tips.
According to GSO - a sponsored agency that seeks to promote education on Internet safety - social engineering is the use of deceit to manipulate or trick victims into certain actions including divulging personal or financial information.
Examples, says the agency, include phishing emails and fraudulent phone calls asking for personal or financial information - known as vishing - or phone calls from fraudsters impersonating computer technical support agents.
Tony Neate, the agency's chief executive - who helped set up GSO in the mid-2000s after a lengthy career in the Police - says it is important that the public are aware of what social engineering actually is, as there are so many types which can lead to the theft of your money or identity.
It can be easy to fall prey to social engineering, he says, as schemes can be elaborate and highly convincing, with approaches usually made by somebody you think you should trust or who appears to be in authority.
"It's not just individuals who are likely victims, it's also businesses. We hope that by raising awareness of how to avoid becoming a victim of social engineering through our online videos and activity with our partners, we can help prevent it from happening to others," he explained.
The Head of the NFIB and Action Fraud, detective superintendent Peter O'Doherty, said that the face of crime has significantly changed in recent years, with much of today's offending being conducted over the phone and through a computer rather than face-to-face.
"People need to be aware there are ruthless, calculating criminals using social engineering scams to obtain personal and financial information that makes them a profit and makes individuals and businesses victims of crime. This multimedia Get Safe Online campaign will shine a light on these practices and help the public know when they are being targeted and the best ways to protect themselves," he explained.
Commenting on GSO's latest Internet user education move, Professor John Walker, a visiting professor with Nottingham Trent University's School of Science and Technology, said that social engineering attacks are popular, simply because cyber-criminals have a lot of attack surface area to exploit.
"They don't have to get that high a success rate before they generate the required revenue from their scams," he said, adding that the government, rather than sponsored agencies like GSO, needs to tackle what has become a growing problem.
The problem with the current government and its security education efforts, he noted, is that we are in a situation of the ill-informed talking to the uninformed, with predictable consequences.
"And we're not just talking about money here. Some of these scams have wiped out people's life savings and have directly affected people's health. It really is a serious problem," he explained.
Peter Wood, CEO of pen-testing specialist First Base Technologies, said that social engineering is now a continuing attack model that originally centered on home users of the Internet, but is now expanding into business attacks.
The good news, he says, is that his team at First Base is now starting to see a lot better awareness of the problem among clients, as their understanding of the threat has risen in recent times.
"It was the same with ISO 27001 - people gave us blank looks when we mentioned it. Now they understand and specifically ask for social engineering testing as part of their pen testing processes, which is good news," he said.
Tim Keanini, CTO with Lancope, picked up on Walker's suggestion that government needs to act on the issue.
"I think it is worth pointing out that if we include the fraud that occurs online with email phishing, txt, instant messaging, online dating, and factor in that a certain percentage of these victims are still unreported, these numbers could easily approach 40 percent of the population," he said, adding that businesses need to establish - as a part of new customer enrolment - social and technical means of authenticating the communication.
"If not, it is just too easy for these attackers to impersonate that business and make these customers victims," he explained.
Mark Sparshott, EMEA director at Proofpoint, said that the old 'vishing' (voice phishing) attacks have given way to large-scale email-based social engineering attacks - most of which start with spear-phishing, long-lining and phishing emails - and which are so sophisticated they fool security software and humans alike into thinking the emails are genuine and that the malicious Web sites they link to are harmless.
"The most successful email lures are social networking, preying on the human desire for social interaction and belonging, financial account warnings and order confirmations (preying on the desire for financial stability) and breaking news stories (preying on human curiosity and compassion). However, fake LinkedIn Invitations are by far the most dangerous - achieving a click rate 4x that of any other type of email lure," he said, adding that Proofpoint's advice is to 'think before you click.'