Social engineering¶
Social engineering is the broader category that phishing belongs to: any attempt to manipulate a person into doing something they should not, whether or not email is involved. Phone calls (vishing, or voice phishing), in-person approaches, and fake support requests all fall here.
Non-profit organisations are exposed to social engineering in ways that reflect their culture. A culture of helpfulness and trust, appropriate for an organisation whose mission depends on public goodwill, is also a culture that is easier to manipulate. Someone who is accustomed to being helpful to the public may find it difficult to challenge a confident-sounding caller who claims to be from IT support.
Vishing: the phone call version¶
A caller claims to be from the helpdesk, from Microsoft, from the bank, from the pension fund, or from a government agency. They have a reason why something urgent needs to happen right now. They need access to a system, a password reset, a payment confirmation, or for the recipient to install something.
The defence is the same as for phishing: verify through a different channel before acting. IT will never call you to ask for your password. Microsoft will not call you unsolicited to fix your computer. If you are unsure, hang up and call back on a number you find independently.
This is another argument for having an in-house reporting channel: a vishing call that is reported promptly can be described to colleagues before the caller reaches the next person on the list.
Training should include practice with realistic scenarios in roleplay. People who have thought through how they would respond to a social engineering attempt are better prepared than people who have only been told about it in the abstract.
Pretexting in person¶
This is less common, but worth noting for an organisation with physical premises that the public visits. Someone claiming to be a contractor, an inspector, a volunteer, or a delivery person can sometimes gain physical access to areas where they should not be. The response is basic access control: visitors are accompanied, credentials are checked, and unusual access requests are escalated rather than granted on the spot.
Over-sharing on social media¶
Organisations that use social media actively (as most non-profits do) create a publicly available intelligence resource for attackers. Staff names, roles, projects, partner organisations, systems in use, and office locations are all useful for crafting convincing social engineering attempts. This is not a reason to stop using social media, but it is a reason to be thoughtful about what operational detail is shared publicly.
The reporting culture, again¶
Social engineering attempts that fail are only useful if they are reported, so that others can be warned. An organisation where people feel comfortable saying "I got a suspicious call today, here is what happened" is more resilient than one where people are too embarrassed to mention it.