Social engineering
Social engineering is phishing’s broader category: any attempt to manipulate a person into doing something they should not, without necessarily using email. Phone calls, in-person interactions, fake support requests, and voice phishing all fall here. The techniques are older than the internet and considerably more varied than a spoofed sender address.
Non-profit organisations are exposed to social engineering in ways that reflect their culture. A culture of helpfulness and trust, appropriate for an organisation whose mission depends on public goodwill, is also a culture that is easier to manipulate. Someone accustomed to being helpful to the public may find it genuinely difficult to challenge a confident-sounding caller who claims to be from IT support. The difficulty is not a personal failing. It is the cost of a culture that is otherwise an asset.
Vishing
A caller claims to be from the helpdesk, from Microsoft, from the bank, or from a government agency. They have a reason why something urgent needs to happen immediately. They need access to a system, a password reset, a payment confirmation, or for the recipient to install something that will let them fix the problem remotely.
The defence is the same as for phishing: verify through a different channel before acting. IT will never call to ask for a password. Microsoft does not call unsolicited to fix computers. If there is any uncertainty, hang up and call back on a number found independently, not one the caller provides.
Training for vishing works best through roleplay rather than description. People who have thought through how they would respond to a social engineering call are considerably better prepared than people who have only been told what one looks like. A short roleplay exercise in which one participant plays the caller and another responds is uncomfortable in the way that useful training is uncomfortable, and the discomfort is the learning.
Pretexting in person
In-person pretexting is less common than vishing, but worth addressing for an organisation with physical premises that the public visits. Someone claiming to be a contractor, an inspector, a volunteer, or a delivery person can sometimes gain physical access to areas where they should not be. The appropriate response is consistent access control: visitors are accompanied, credentials are checked against what was expected, and unusual access requests are escalated rather than accommodated out of politeness.
The Home’s front-of-house culture, warm and accommodating by design, is worth discussing explicitly in awareness sessions. The question is not whether to be welcoming but how to maintain appropriate scepticism about identity claims without making the experience unpleasant for the ninety-nine percent of visitors who are exactly who they say they are.
Over-sharing on social media
Organisations that use social media actively, as most non-profits do, create a publicly available intelligence resource for anyone paying attention. Staff names, roles, projects, partner organisations, systems in use, and office locations are all useful for crafting convincing social engineering attempts. The Covenant sponsor newsletter, the Adopt-a-Legend update that names the member of the programmes team who manages the east wing, the LinkedIn post announcing the new Head of Finance: all of this is legitimate communication that also answers questions an attacker would want answered before making contact.
This is not a reason to stop communicating publicly. It is a reason to be thoughtful about what operational detail goes into public channels, and to make sure that staff with public profiles know they may receive targeted approaches because of them.
Reporting culture
Social engineering attempts that do not succeed are only useful if they are reported so that others can be warned. A culture where people feel comfortable saying they received a suspicious call, and here is what was said, is a more resilient organisation than one where people are too embarrassed to mention it or assume someone else will have dealt with it.
The same reporting channel used for phishing, the internal security mailbox, should be the destination for social engineering reports. A brief note about a suspicious call or visit, even if nothing came of it, creates a record and allows patterns to emerge across departments.