Kinyarwanda version

What is social engineering?

Social engineering is the malicious actions of a cybercriminal to manipulate users into disclosing sensitive information, enabling access to data networks, or installing malware.

Social engineering is a significant and relevant cyber-threat, and it is uniquely dangerous as it can be initiated without advanced technology, but by any person who has a means of communication and malicious intent.

How is a social engineering attack committed?

Types of social engineering attacks that lead to disclosing sensitive information, enabling access to data networks, or installing malware include:

Baiting

False promises are made to lure the user.

Phishing

Leverages email, phone, SMS, social media or other forms of communication to trick users.

Spear phishing

Hackers target a specific individual or organization such as an ICT decision-maker.

Pretexting

Creating scenarios or pretext that are likely to convince victims into misguided action.

Piggybacking/Tailgating

An authorized person allows an unauthorized person access to a restricted area.

Scareware

Involves victims being bombarded with false alarms and fictitious threats to be prompted into action.

Business email compromise

The malicious actor obtains access to a business email account and lures employees into misguided action.

What are the signs of a social engineering attempt?

• A sense of urgency or need for immediate assistance

• The need to verify information

• The contact is over-friendly or eager

• The contact becomes nervous when questioned

• The scenario seems too good to be true

• The contact insists there will be negative consequences if he/she is ignored

How to avoid social engineering

1. Always double-check the source

Wherever you feel a sense of suspicion, validate the source by double-checking its credibility.

With an email, look at the email header and cross-check against other valid emails, over the phone, call the organization back through the phone number on their official website and ask them to validate the scenario.

2. Do not act quickly

Slow the situation down and take time to evaluate the scenario. Malicious actors know that urgency will negatively impact the ability to think clearly, taking time to think will help you to understand whether the situation could be legitimate or malicious.

3. Use an email spam filter

Specific to email phishing, a good spam filter will detect suspicious files, links or contacts. You can download a personal email spam filter online from an official vendor, or consult your organization to install an email spam filter for all employees.

4. Secure your devices

Securing your devices limits the damage a successful attack can do. Secure your devices through:

• Installing ant-virus and anti-malware software

• Running regular anti-virus scans

• Applying device and software patches immediately

• Applying strong authentication

5. Report any suspicious activity immediately

Whenever you encounter any suspicious activity through email, phone call, SMS or another form of communication, report this activity to the relevant authority before responding to the unknown contact. 

If you are an employee, report this activity to your ICT/cybersecurity team. For individuals, you can immediately report any suspicious online activity to NCSA through our toll-free number 9009.