ASD continues to see cybersecurity incidents using social engineering techniques. This is when cybercriminals pretend to be someone you know or trust, tricking you into revealing sensitive information or doing something that breaches online security. They may ask you to change account details, reset passwords, update emails, or they could ask you to send money to a new bank account.
While anyone can fall victim to social engineering, cybercriminals have targeted high profile individuals, senior managers and their staff, IT service desks and corporate staff such as human resources or finance.
To help protect organisations, staff should:
- Be cautious of clicking on attachments or website links including those in calendar invites or messaging applications, especially if the communication is unexpected or from an unknown sender.
- Never let urgency override security.
- Treat any request to change system configurations, run code or alter security settings as highly suspicious. The legitimacy of these requests should be verified independently.
- Be cautious of requests for sensitive information from people that you do not interact with regularly. Even if the requestor is known, consider whether they have a legitimate need-to-know for that information.
- Avoid disclosing passwords to others.
- Be mindful of what you share online and consider limiting the personal details you
post. Malicious actors can use this information to impersonate you or make their approach seem more believable.
See Social engineering | Cyber.gov.au for more detail.
Kate WoodbridgeManaging Director and Founder