
Social engineering: How to avoid becoming a victim

 
What is social engineering?
 
Social engineering is the set of malicious actions a cybercriminal takes to manipulate users into disclosing sensitive information, granting access to data networks, or installing malware.
 
Social engineering is a significant and relevant cyber threat, and it is uniquely dangerous because it requires no advanced technology: anyone with a means of communication and malicious intent can initiate it.
 
How is a social engineering attack committed?
 
Types of social engineering attacks that lead to disclosing sensitive information, enabling access to data networks, or installing malware include:
 
Baiting
False promises are made to lure the user.
 
Phishing
Leverages email, phone, SMS, social media or other forms of communication to trick users.
 
Spear phishing
Hackers target a specific individual or organization, such as an ICT decision-maker.
 
Pretexting
Creating a scenario or pretext likely to convince victims to take a misguided action.
 
Piggybacking/Tailgating
An authorized person allows an unauthorized person access to a restricted area.
 
Scareware
Victims are bombarded with false alarms and fictitious threats to prompt them into action.
 
Business email compromise
The malicious actor obtains access to a business email account and lures employees into misguided action.
 
What are the signs of a social engineering attempt?
 
  • A sense of urgency or need for immediate assistance
  • The need to verify information
  • The contact is over-friendly or eager
  • The contact becomes nervous when questioned
  • The scenario seems too good to be true
  • The contact insists there will be negative consequences if he/she is ignored
 
How to avoid social engineering
 
1. Always double-check the source
 
Wherever you feel a sense of suspicion, validate the source by double-checking its credibility.
 
With an email, examine the email header and cross-check it against other valid emails from the same sender. Over the phone, call the organization back using the phone number on its official website and ask them to validate the scenario.
 
2. Do not act quickly
 
Slow the situation down and take time to evaluate the scenario. Malicious actors know that urgency impairs clear thinking; taking time to think will help you judge whether the situation is legitimate or malicious.
 
3. Use an email spam filter
 
Specific to email phishing, a good spam filter will detect suspicious files, links or contacts. You can download a personal email spam filter online from an official vendor, or consult your organization to install an email spam filter for all employees.
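The header cross-check described under point 1 and the suspicious-file and link detection described under point 3 can be automated. The script below is an added example, not code from the Rw-CSIRT article or from NCSA: it parses an email, compares the From domain against Return-Path and Reply-To, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags executable attachments and links whose visible text points somewhere other than their real target, and notes pressure language in the subject (one of the signs listed above). Both sample messages, all domain names (`bank-example.test` and so on), the attachment name and the risk-word list are constructed for the example.

```python
"""Added example (not part of the Rw-CSIRT article): triage an email for the
social-engineering red flags the article describes. All sample data is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing-style message: the display name claims a bank, but the
# Return-Path, Reply-To and link target all point to other domains.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-example-cheap.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mail-example-cheap.test; dkim=none; dmarc=fail header.from=bank-example.test
From: "Bank of Example Support" <support@bank-example.test>
Reply-To: verify-account@bank-example-secure.test
To: customer@example.test
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be closed. Click <a href="http://bank-example-secure.test/login">https://bank-example.test/login</a> now.</p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ...
--b1--
"""

# Constructed legitimate message: every domain agrees and authentication passes.
CLEAN_MESSAGE = """\
Return-Path: <support@bank-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bank-example.test; dkim=pass header.d=bank-example.test; dmarc=pass header.from=bank-example.test
From: "Bank of Example Support" <support@bank-example.test>
To: customer@example.test
Subject: Your monthly statement is available
Content-Type: text/plain

Log in through the address printed on your card to view it.
"""

# Assumed heuristics for the example; a real filter would use a fuller list.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be closed")


def domain_of(addr):
    """Return the lower-cased domain of an address header value, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Read the spf/dkim/dmarc verdicts recorded by the receiving mail server."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = match.group(1).lower() if match else "missing"
    return verdicts


def check_headers(msg):
    """Point 1 of the article: does the claimed sender agree with the rest of the header?"""
    findings = []
    from_domain = domain_of(msg.get("From"))
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(name))
        if other and other != from_domain:
            findings.append(f"{name} domain {other} differs from From domain {from_domain}")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method} did not pass ({verdict})")
    subject = (msg.get("Subject") or "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            findings.append(f"subject uses urgency language ({word!r})")
            break
    return findings


def check_content(msg):
    """Point 3 of the article: executable attachments and links that lie about their target."""
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"attachment {filename} has an executable extension")
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
                real_host = urlparse(href).hostname or ""
                shown_host = urlparse(text.strip()).hostname if "://" in text else None
                if shown_host and shown_host != real_host:
                    findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


def triage(raw_message):
    """Return (verdict, findings); any finding means: report before responding."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_headers(msg) + check_content(msg)
    verdict = "SUSPICIOUS: report before responding" if findings else "no red flags found"
    return verdict, findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict, findings = triage(raw)
        print(f"{label}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

The header checks only work when the receiving server actually records SPF, DKIM and DMARC results; a missing Authentication-Results header is itself reported as "missing" rather than silently treated as a pass, which matches the article's advice to treat anything you cannot validate as suspicious.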
 
4. Secure your devices
 
Securing your devices limits the damage a successful attack can do. Secure your devices through:
 
  • Installing anti-virus and anti-malware software
  • Running regular anti-virus scans
  • Applying device and software patches immediately
  • Applying strong authentication
 
5. Report any suspicious activity immediately
 
Whenever you encounter any suspicious activity through email, phone call, SMS or another form of communication, report this activity to the relevant authority before responding to the unknown contact. 
 
If you are an employee, report this activity to your ICT/cybersecurity team. For individuals, you can immediately report any suspicious online activity to NCSA through our toll-free number 9009.
 

11 August 2022

© 2024 National Cyber Security Authority