Information Technology Services

What is social engineering?

Social engineering is the art of manipulating people so they unknowingly give up confidential information: the exploitation of human psychology to obtain information that would otherwise stay private. Most such attacks prey on fear, greed, curiosity, and even your natural desire to help others.

The types of information these criminals are seeking can vary, but they are usually trying to trick you into handing over your passwords or bank information. They may also wish to gain access to your computer to install malware without your knowledge. For instance, you may get a call from someone pretending to be Microsoft, claiming they have noticed a virus on your device. They establish your trust by posing as a company that you already trust (Microsoft). They may then walk you through the steps of installing an "antivirus", which in actuality is malware. Once the malware is installed, the criminal can gain access to your device, data, and accounts.

Why should I care? 

These "social engineers" are very good at what they do. They are experts at making you feel at ease and often give no indication that they are not who they claim to be. They prey on human emotion and a sense of urgency, stating, for instance, that your account will be shut down if you do not verify it within 24 hours. You may not even be aware of the manipulation until you notice suspicious activity on your device or within your accounts.

How can I prevent a social engineering attack? 

While you can't prevent a social engineering attack, you can learn how to identify such attacks and thus not fall victim to them. This takes discipline and a touch of skepticism. One way to ensure you do not fall victim is to verify directly with the company the correspondence claims to come from. Do not reply to the correspondence! Contact the company through a means of communication you would normally use, e.g. by phone using a number you already have, or by logging into their official website after typing the address into your browser's address bar yourself.

For example, you receive a phone call from someone claiming to be the Canada Revenue Agency and requesting your Social Insurance Number to verify your account, your tax return, or personal data. To see if the request is legitimate, end the call and obtain the phone number for the CRA directly from the CRA website. From there, you can call and verify whether the earlier correspondence was legitimate or a scam. (Note: the CRA will never ask you for your SIN, because the SIN is how they identify you and they already have it on file.)

What do I do if I've fallen victim to a social engineering attack? 

  • Don't click links in emails until you can verify their origin
  • Change your passwords
  • Back up your files regularly in a secure location
  • Run an antivirus program to identify and isolate malware on your system
  • Take your device to the IT Support Centre to ensure any malware is properly removed