Explaining how social engineering is designed to consciously manipulate people to obtain information without their realising that a security breach is occurring, the booklet put together by the cyber and information security division of the MHA guides officers on how to avoid Phishing/Vishing social engineering scams, malicious websites and attempts by hackers to break into government systems by conveying a sense of urgency in sharing information.
As part of the Phishing social engineering scam, the ministry said, the hacker typically sends an email or text message to the target, seeking information that might help with a more significant crime. For instance, a hacker may send emails that appear to come from a trusted source like a bank, asking the recipient to click on a link to log in to their accounts. The link may take one to a fake website, and when they log in, they are essentially handing over their login credentials to the hacker. “So do not reveal personal, sensitive or financial information in emails or messages and do not respond to such emails,” the MHA has advised.
Such social engineering can also be done using Vishing, which uses the same Modus operandi as Phishing but involves voice. A hacker may call an officer, posing as a government officer. The hacker may prevail upon the victim to provide login credentials or other information that can be used to target the organisation. “So don’t reveal any sensitive information over phone calls,” the best practices booklet says.
Attention was also drawn to ‘quid pro quo’, another type of social engineering attack that involves exchange of information which the victim is made to believe is a fair deal but is actually meant to only benefit the hacker. For instance, a hacker may pose as an IT support technician and take control of the victim’s computer and load it with malware, steal personal information from the computer or commit identity theft.The MHA has also asked government officers to be cautious of the URL of websites, since malicious websites may look like a legitimate site but use a variation in spelling or a different domain.
Pointing to the risk of hackers sending messages conveying a false sense of urgency or using high-pressure sales tactics to force government officers to share sensitive information, the MHA has specifically directed them not to let “urgency influence your careful review”.
Further, the booklet said emails from foreign lottery or sweepstakes or requests to transfer funds from a foreigner for a share of the money were “guaranteed scams”, and asked officers not to respond and delete such emails. The ministry has also asked officers to change passwords that they may have been revealed to anyone, besides changing them for each of the other accounts that used the compromised password.