Hello.
My name's Mrs. Jones, and I'm really pleased that you've decided to learn with me today.
We're going to continue looking at cybersecurity and social engineering.
So let's get started.
Welcome to today's lesson from the unit "Introduction to cybersecurity." Today's lesson is called "Social engineering." And by the end of this lesson, you'll be able to describe how social engineering is used to steal data and the steps that can be taken to stop it.
There are four keywords in today's lesson.
Social engineering, the process of tricking people to reveal data that should be kept private.
Name generator attacks are a method of collecting personal data by asking questions under the guise of generating a fun name.
Phishing is messages or communication made to look like it is from an expected sender but linking to a website that steals data.
And blagging.
Blagging is creating a story to trick someone into giving away their information or money.
There are three areas of today's lesson.
Describe social engineering, Methods of social engineering, and Explain how social engineering can be prevented.
So let's get started with Describe social engineering.
There are technical and non-technical ways that someone can try to get your personal data.
People can give someone access to their accounts or devices by mistake, and this is known as human error.
An example of this is leaving your computer switched on when you're away from it, and this gives other people easy access to your device.
Cybercriminals use social engineering methods to deceive people into revealing personal data.
They use tricks to get key personal data from you or to access your device.
Cybercriminals use this stolen data for their personal gain or to cause harm.
This is an example here.
Andeep is asking, "I cannot get into my email at the moment.
Can I use your computer quickly?" And that is an example of how social engineering methods can be used to access your device.
Unlike most other cybercrimes, social engineering is a human trying to trick or manipulate other humans.
Another example here, Lucas, "It's about people, with and without technology, manipulating people's emotions and trust to get information that they want."
So let's have a quick check.
True or false? Social engineering tactics always use technology to get your personal data.
Pause the video before you think about your answer.
Let's check your answer.
The answer is false.
Social engineering uses a range of tactics, both with and without technology, to trick you into revealing personal data.
Well done if you got that right.
Let's have another check.
What term describes the set of methods cybercriminals use to deceive people into handing over information for fraudulent purposes? Is it A, cybercrime? B, human error? C, social media? Or D, social engineering? Pause the video before I reveal the answer.
Let's check your answer.
The answer is D, social engineering.
Well done if you got that right.
A person may try to manipulate you without using technology.
They may exploit your emotions or trust.
For example, someone may pretend to be your friend, use a scare tactic, or make you feel sorry for them to get you to give them personal data or access to a device.
Lucas here is saying, "Excuse me, I'm sorry to bother you.
I have lost my wallet and my phone.
I'm completely stranded and I don't know what to do.
I'm trying to get home to my sick grandmother, but I don't have any money or a way to contact anyone.
Could I possibly use your phone so I can call someone for help?" That is an example of how easy it would be to ask to borrow your phone, and you have given access to a device to somebody else.
The same tactics may be used with technology, but in this case, the person trying to manipulate you is hidden from you.
This example shows, "This is your bank and we have noticed some suspicious activity on your account.
Click here to verify your identity and stop your account from being frozen."
This activity uses the worksheet, and you'll need that to be able to answer this fill-in-the-blanks.
Pause the video, use the worksheet, and then we'll go through the answers.
Let's check your answers.
Social engineering is the act of manipulating people into doing something they shouldn't by exploiting their emotions or trust.
This can be done with or without technology.
Well done if you got that correct.
Let's go on to the second part of today's lesson, Methods of social engineering.
Social engineering methods are used to trick you.
These are some to be aware of.
Name generator attacks, blagging, phishing, and shouldering.
Shouldering, also known as shoulder surfing, is an attack designed to steal a victim's password or other sensitive data.
It involves the attacker watching the victim while they provide sensitive information, for example, by looking over their shoulder.
It is often used to get someone's PIN at a cash machine or password as they enter it on a computer.
Name generator attacks often appear in apps or social media posts.
They tempt the victim to answer personal questions in order to produce a fun name or fun characteristic about you.
From these seemingly fun questions, attackers get key pieces of information about you.
This helps them to answer the security questions that protect your accounts elsewhere.
In a phishing attack, the victim receives an email designed to look as if it has come from a reputable source.
The email usually provides a link to a fake website, then asks you to enter valuable personal data.
This one on the right here has a subject of Payment issue.
"Dear user, there appears to be an issue with your account and your most recent payment has been cancelled.
Please log in here to re-enter your payment details.
Sincerely, Account Manager." The name "phishing" is similar to "fishing" because a line is cast into a place where many potential fish, victims, are.
The line has bait to attract victims. And if a victim bites, as in clicking the link, they have been caught.
Let's look at how to spot a phishing email.
It's an unexpected email with a request for information.
It creates a sense of urgency.
It might have suspicious hyperlinks.
The hyperlinked web address will often contain spelling errors and/or lots of random numbers and letters.
You can see an example on the right there.
When you hover over that here, that is the link that appears.
The hyperlink goes to a domain name that you do not recognise or is not connected to the email sender.
Generic emails that do not address you by name or use any personal information that you would expect the sender to know is also another way to spot a phishing email.
And on this one, you can see "Dear user" and from the "Account Manager." Very generic.
Blagging attacks are when a person invents a scenario to convince the victim to give them data or money.
This example shows, "Dear customer, there's been suspicious activity on your bank account.
To confirm your account activity, please reply with your full name, account number, and date of birth.
Failure to respond will result in a temporary suspension of your account.
Sincerely, Account Manager." Blagging often involves the attacker keeping a conversation going with the victim until they are convinced to give them what the attacker wants.
Let's have a check.
Which social engineering attack requires someone to fill in personal data as part of an online quiz to generate a fun name? Is it A, blagging? B, name generator attack? Or C, phishing? Pause the video and then I'll show the answer.
Let's check your answer.
It was B, name generator attack.
Well done if you got that correct.
Let's have another check.
Which social engineering attack requires a user to click a link in an email and enter personal details? Is it A, blagging? B, name generator attack? Or C, phishing? Pause the video again before I reveal the answer.
Let's check your answer.
It was C, phishing.
Well done if you got that correct.
You'll need your worksheet again now.
And this activity gives you an email.
You've received this email.
Which type of social engineering is this? And how can you tell this is not a legitimate email? Pause the video, use your worksheet, and then we'll go through the answers.
Let's have a look at the answers.
This was an example of phishing.
How can we tell this is not a legitimate email? Well, no name was used.
There was an urgency to complete.
And the link to click to enter payment details was there too.
Well done if you got those correct.
You'll need your worksheet again for this one.
This email is an example of blagging.
It does not contain a hyperlink to click on.
Underline the parts of the email that make it suspicious and complete the table to give your reasons why it is suspicious.
Pause the video, use your worksheet, and then we'll go through the answers.
Let's have a look at the answers.
Number one here, we have a generic greeting.
It says, "Dear Customer." Number two, it creates a sense of urgency to react and protect your bank account because it's saying there has been some suspicious activity on your bank account.
Number three, a request to reply to the email to give personal data.
So it's asking for the full name, account number, and date of birth.
These things help get a conversation going, asking for those details.
Well done if you got that correct.
Let's have a look at the last section.
Explain how social engineering can be prevented.
When people know about social engineering methods, they can protect themselves.
Education and training can help people stay safe.
How can you help others stay safe and prevent them from becoming victims of social engineering? Aisha's asking, "How do I stay safe from shouldering?" And Alex says, "Check no one is looking when you enter a password or a PIN number." Knowing what shouldering is can make you aware of who is around you when you enter personal data.
You should always make sure no one is watching you.
How would you advise others to identify a phishing email? Sam's asking, "What makes this email suspicious?" "Dear Sir or Madam, we've noticed an irregular payment on your account and have blocked any future payments.
Please click here to unblock your account.
Yours sincerely, the security team." Jacob responds by saying, " 'Unblock your account,' by saying this, gives a sense of urgency and there's a link for you to enter personal data.
The URL does not look right either." Think about how you can tell others about name generator attacks and how to stay safe.
Andeep says, "I like the funny quizzes on social media, but how do I know if they are safe to play?" And Laura responds by saying, "Always check what questions it asks to make sure you are not giving away personal data." How can you help others identify when someone is using blagging to get you to reveal personal data? Alex is saying, "This email says I have won a tablet computer.
All I have to do is email back with my details and they'll send it to me.
Should I reply?" And the email on the right says, "Congratulations, you have won a new tablet computer.
To claim your prize, reply to this email with your name and address.
Yours sincerely, UKCompetitions." And Jun is responding here, "If you entered a competition, they'd have your details.
They haven't used your name and the company is not specific.
Do not reply."
Some general advice for avoiding social engineering attacks that use technology includes:
Aisha says, "Think before you click." And Sam said, "Don't give out personal data." Andeep says, "Be sceptical about urgent requests." And Lucas says, "If it doesn't look right, stop." Let's have a quick check.
A friend advises you to check you are not being watched when entering a password.
Which social engineering method are they talking about? Is it A, blagging? B, phishing? C, shouldering? Or D, name generator attack? Pause the video and have a think about your answer.
Let's check your answer.
The answer is C, shouldering.
Well done if you got that correct.
Another check.
A friend advises you to not click links in emails asking for personal data.
Which social engineering method are they talking about? Is it A, blagging? B, phishing? C, shouldering? Or D, name generator attack? Pause the video and think about your answer.
Let's check your answer.
It was B, phishing.
Well done if you got that correct.
You'll need your worksheet again now.
What advice would you give to someone to help them avoid being a victim of these social engineering attacks? There is a table to fill out with, on the left, blagging, phishing, name generator attack, and shouldering.
And use the space on the right to write your answers in.
Pause the video and use your worksheet and then we'll go through the answers.
Let's check your answers.
Blagging.
Do not give personal data to anyone in person or via email if you do not know who the person is or who the email is from.
Phishing.
Do not click a link in an email when it asks you to log in or give personal data.
Name generator attack.
Do not fill out any online quiz that asks you to enter personal data.
And shouldering.
Do not enter your PIN or passwords with someone near you or watching you.
Well done if you got that correct.
Let's look at the next one.
You'll need your worksheet again.
What general advice would you give someone to help them stay safe from social engineering attacks online? Is there anything else you would include? Pause the video and then we'll go through the answers.
You'll need your worksheet, remember, for this task again.
Let's have a look at the answers.
My general advice would be to think before clicking, do not give out personal data easily, be sceptical of urgent requests, and if it does not look right, stop! I'd also describe the different methods and how to prevent them.
I may also show them examples of emails so they can see how to identify a phishing or blagging email.
Well done if you got that correct.
In summary, social engineering is a range of methods used by criminals to gain personal data from people, sometimes using technology and sometimes not.
Some common methods are shouldering, blagging, phishing, and name generator attacks.
To stay safe, everyone should know about the different methods and how to identify them.
You should always think before giving away or entering any personal data.