
- Hello, and welcome to lesson two of cybersecurity.

Now, this unit is all to do with social engineering.

All you'll need for this lesson is your computer and a web browser.

Other than that, if you can clear away any distractions that you might have, turn your mobile phone off, and hopefully you can find a nice, quiet place to work.

And when you're ready, let's begin.

So to get going with this lesson, we've got an activity for you to do straight away.

Now, I really wanna find out what rock star you are most like.

So to do this, you need to open the web browser.

So, a new tab in your web browser.

And if you type in the following URL to find out, and then answer some questions, and it'll tell you what rock star you are.

So please ask your parents or carer for permission before doing this, but have a go at that if you do have permission, and then unpause the video when you know which rock star you are.

So how did you get on with that? Which rock star are you most like? Or have you just found out that you've been a victim of a social engineering attack? Well, actually you don't need to worry, because this is my programme, and no data is being stored by me, and it's not being sent away anywhere either.

So everything that you submitted didn't go anywhere.

So not to worry.

However, if that was a real programme created by an actual hacker, then this is the information that you just gave them.

You just gave them your name, date of birth, favourite band or artists, mother's maiden name, favourite colour, name of first pet, and email address.

Now, I'd just like to take a moment to think about that, and what could a hacker do with that information? And we talked about profiling in lesson one.

So yes, you could argue that could form a bit of a profile about you, which would be interesting, but I suppose more importantly, have you ever forgotten your password for an account? And then you clicked on forgotten my password, and they asked you some security questions.

I wonder whether or not they'd be able to answer your security questions with the data that you just gave them.

And if they could, then they've got access to your account, and they've got access to more of your data.

So we need to be really careful about this kind of thing.

So that brings us nicely into what the lesson is about today.

So this lesson we're going to recognise how human errors pose a security risk to data.

That's, I suppose, essentially how we pose security risks to our data, and to implement strategies to minimise the risk of data being compromised, so essentially through our error, or human error.

So, this lesson is to do with social engineering.

So, let's explore what social engineering is.

So, there are lots of technical ways to try and keep data safe and secure.

But what I mean by that is technical things we can do with software.

However, human error arguably creates the largest risk to data being compromised.

So social engineering is a set of methods used by cybercriminals to deceive individuals into handing over information that can be used for fraudulent purposes.

So what's very important about this, and what's different about social engineering in comparison to other cybercrimes (which might include those software things that can be done to compromise data, get access to data or infiltrate networks), is that social engineering is humans trying to trick or manipulate other humans.

So it's a direct pathway between the cybercriminals doing a human activity to try and manipulate you as another human user to give away data that will be crucial to them.

So we're gonna explore some of those methods now.

And one of them is called shouldering.

You can probably guess what shouldering is through the name of it and the image on the screen there, but shouldering, which you might've also heard called shoulder surfing, is an attack designed to steal a victim's password or other sensitive data.

Now, essentially it involves the attacker watching the victim whilst they provide sensitive information, for example, over their shoulder.

So you might have even been a kind of a victim of this too, or kind of a joke thing that your friends might have done.

Maybe they looked over your shoulder while you were trying to type in your password at school.

That would be a similar kind of concept to shouldering, but you might've also heard of it where people look over people's shoulders whilst they type in their PIN for their credit card when they're at a cash machine.

So it doesn't necessarily have to physically be over the shoulder either.

It might be somebody placing a discreet webcam that can see what you're typing in.

So again, it'd be a human looking at the results of the webcam to work out what you've done and work out what password you put in.

So let's move on to the next one.

So the next one is a name generator attack.

Now, you'll be familiar with this, because this was the attack that you might have fallen victim to right at the beginning of this lesson.

So these are tasks in which a victim is asked in an app or a social media post to combine a few pieces of information or to complete a short quiz to produce a name.

So attackers do this, as we discussed, to find out key pieces of information that'll help them answer the security questions that protect people's accounts.

So you often find those on social media platforms as well.

So, be super careful when you're looking at those quizzes, and think, why would somebody be asking me to do this? I mean, what's in it for them?

And often, if it's free, it might be your data.

It might be to sell on to somebody.

It might be for illegal purposes too.

Now the next form is called phishing.

Now notice how I've spelled that: it's with a PH and not an F. However, there's a deliberate reason why it's spelled similarly and sounds the same, because a phishing attack is an attack in which a victim receives an email disguised to look as if it has come from a reputable source, in order to trick them into giving up valuable data.

So for example, you might get an email from someone that you've got an account with.

It might be your bank.

It might be the social media company or your email provider, somebody like that.

It might look like it's come from them, but actually it's not.

They're trying to trick you into clicking a link that will take you to a page that might trick you into giving more information away.

So, the email usually provides a link to another email where information can be inputted.

Now, I want you to make notes of what you can see on the screen there, because in the example that I've got, it says "Dear user".

So notice something a bit suspicious about that.

There appears to be an issue with your accounts and your more recent payments has been cancelled.

Please log in here.

So there's a hyperlink in the email, to re-enter your payment details.

And then also I've highlighted what the link would be.

'Cause a nice little tip is, if you move your mouse over a hyperlink, often you can see what the link's going to be.

Or even you can right click and copy the link and have a look at it and explore it.

Now you might notice that it doesn't look like a normal hyperlink, something that takes you somewhere that you would expect it to take you to.

So just be wary of that.

And we'll look at some tips in just a minute.

Now, like I said to you before, phishing is called phishing because it's meant to sound like fishing.

Because of the similarities: it's called phishing because a line is thrown out in a place where there are many potential victims. So the email is sent out to lots of people.

But again, the similarity to fishing is that a line is thrown out into a pond where there are lots of fish, so it's a similar kind of concept.

The line has bait on the end of it in order to attract the victims. So it has something believable about it.

So a fish bites the bait that you've put on the end of it, because it looks like real fish food to them; they eat it, and then they're reeled in.

So what happens is the email is sent out, and it's meant to be believable, 'cause it may well be from your actual bank.

Or it might be from a company that you hold an account with, and it might cause you to think, oh, I need to take action.

So that is the bait being thrown out.

And the victim biting is them clicking the link and then submitting the details.

So they are hooked in.

So let's look at some tips or some key indicators of how we might be able to determine whether an email is a phishing email or not.

So first of all, it might be an unexpected email with a request for information.

So, we're not expecting an email from a bank for example, but I've received one asking for my information, and it might trigger, oh, that's a bit strange, but it might also trigger worry as well.

The other point is the message could contain, but not always, spelling errors.

So again, both these things we've mentioned so far are the kind of things that might trigger that something's not quite right about this email.

And overall, even though we can talk about the next things, if something doesn't quite feel right, often it's not quite right.

So we might just want to go to the company directly or the bank or whoever it might be, email them, or log into your account separately from clicking the link.

And that might be a way in which we can stop ourselves from becoming victims of a phishing attack.

So, another reason, another indicator, sorry, is suspicious hyperlinks in the email.

Like I showed you on the previous slide, a hyperlink that doesn't look quite right.

Also, the web address might contain spelling errors.

So if it's your bank, the bank might not be spelled correctly.

Or it might just be a random domain name with random letters and numbers that don't quite look normal.

And then finally, maybe generic emails that don't address you by name or contain any of your personal information that perhaps you'd expect the sender to know.

So now we've looked at key indicators, what your task is now is to give people advice on how to stop themselves becoming victims of a phishing attack.

So I'd like to pause this video in a moment.

I'd like to open up your worksheet and head over to task one where you're going to give advice on how to avoid becoming a victim of a phishing attack.

So, pause out to do that, and I'll be here when you get back.

So the next form of social engineering that we're gonna look at is known as blagging.

Now, blagging is really similar to phishing, but it is significantly different.

So blagging also known as pretexting is an attack in which the perpetrator invents a scenario in order to convince the victim to give them data or money.

So, this attack often requires the attacker to maintain a conversation with the victim until they're persuaded to give up whatever the attacker has asked for.

Now, I suppose some kind of similarity here is we're seeing it in the form of an email.

Now, blagging doesn't necessarily have to be email.

It might be over the telephone or another medium, but it can certainly be an email.

So that's where the similarity of phishing comes in.

But the difference is maintaining a conversation.

Whereas phishing is a random email that's thrown out hoping that the victim clicks a link.

Blagging is trying to encourage you to respond to the email.

And then a conversation can take place where they're going to try and trick you to part with some data or money.

So let's have a look at this email.

I'd like you to pause the video a second.

I'd like you to read through this email, and maybe think about what feels suspicious about this email.

So read through it.

And every time you think something suspicious, just make a note of it in your mind and then unpause when you think you've got all the things that are slightly unusual about this email.

So let's see if you've got the same as what I got.

So I'm gonna underline them.

So these are all the things that I found a bit strange about the email.

Did you get the same things? So let's go through what they are.

Now blagging.

So the first one: I noticed that there was suspicious code in the email, for example, "Dear", and then with the braces around the name and with the question mark. That seemed to me that maybe some coding's gone wrong, something suspicious, but either way it's not addressing me by name, which feels slightly odd.

Also, there were a few examples of spelling mistakes in there.

For example, "deer friend", spelled D-E-E-R not D-E-A-R, there.

And also what I thought was strange about it was there's some unusual use of English.

For example, "an excitable business opportunity": there aren't any spelling mistakes, but it's not normal English that we would expect.

And it says, please be as kind to email me back, I look forward to you respond.

Doesn't quite feel right.

So all those things together, you can see a conversation's meant to be taking place there, because they're offering me an excitable business opportunity.

They want me to feel encouraged and respond to them and find out a little bit more about what that business opportunity is.

However, there are loads of indicators in there that should make me feel a bit wary about what the purpose of the email is in the first place.
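The red flags the teacher lists for phishing emails (unexpected request for details, spelling errors, suspicious or misspelt hyperlinks, generic greetings) and the ones found in the blagging email (a "deer friend" typo, an unfilled {name?} placeholder), turned into a small checker. This is an added example, not part of the original lesson or its worksheet. It assumes a made-up bank whose only real domain is examplebank.example, a tiny hand-written misspelling list, and three constructed sample emails modelled on the ones described above; the "unusual use of English" indicator is left to the human reader, because no simple rule catches it.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains our hypothetical bank really uses.
TRUSTED_DOMAINS = {"examplebank.example"}

# Constructed mini-dictionary of misspellings worth flagging (the lesson's
# "deer" for "dear" is one); a real checker would use a spellchecker.
MISSPELLINGS = {"deer": "dear", "accont": "account", "recieve": "receive"}

GENERIC_GREETINGS = ("dear user", "dear customer", "dear friend", "deer friend")

# Wording of an "unexpected request for information", as in the lesson's example.
REQUEST_RE = re.compile(
    r"(re-?enter|confirm|verify|update)\b.{0,40}\b(payment|password|card|details)")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
PLACEHOLDER_RE = re.compile(r"\{[^{}]*\}")

# Constructed sample emails (not real messages).
PHISHING_BODY = ('<p>Dear user,</p><p>There appears to be an issue with your account '
                 'and your most recent payment has been cancelled. Please '
                 '<a href="http://examp1ebank.example/login">log in here</a> '
                 'to re-enter your payment details.</p>')
BLAGGING_BODY = ('<p>Deer friend {name?},</p><p>I have an excitable business '
                 'opportunity for you. Please be as kind to email me back, '
                 'I look forward to you respond.</p>')
GENUINE_BODY = ('<p>Dear Alex,</p><p>Your monthly statement is ready. You can view '
                'it by logging in as usual at '
                '<a href="https://examplebank.example/">examplebank.example</a>.</p>')


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(url):
    """Host part of a URL, lower-cased; '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when a domain imitates a trusted one: it contains the trusted name
    (examplebank.example.evil.example) or is within two edits of it (examp1ebank)."""
    if not domain or domain in trusted:
        return False
    return any(t in domain or edit_distance(domain, t) <= 2 for t in trusted)


def check_email(sender, html_body, expected=False):
    """Return a list of (indicator, detail) pairs for the lesson's red flags."""
    flags = []
    text = re.sub(r"<[^>]+>", " ", html_body)      # drop the HTML tags
    low = " ".join(text.split()).lower()

    # 1. Unexpected email asking you to hand over account or payment details.
    if not expected and REQUEST_RE.search(low):
        flags.append(("request-for-details", REQUEST_RE.search(low).group(0)))

    # 2. Spelling errors in the message body.
    for bad, good in MISSPELLINGS.items():
        if re.search(rf"\b{bad}\b", low):
            flags.append(("spelling", f"'{bad}' should be '{good}'"))

    # 3. Suspicious hyperlinks: the visible text names one site but the link goes
    #    elsewhere, or the destination is a misspelt or unknown domain.
    for href, visible in LINK_RE.findall(html_body):
        dest = domain_of(href)
        shown = domain_of("http://" + visible.strip()) if "." in visible else ""
        if shown and shown != dest:
            flags.append(("link-text-mismatch", f"shows {shown}, goes to {dest}"))
        if is_lookalike(dest):
            flags.append(("lookalike-link", dest))
        elif dest not in TRUSTED_DOMAINS:
            flags.append(("unknown-link", dest))

    # The sender's address can use a lookalike domain too.
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        flags.append(("lookalike-sender", sender_domain))

    # 4. Generic greeting, or a template placeholder that was never filled in.
    if low.startswith(GENERIC_GREETINGS):
        flags.append(("generic-greeting", low.split(",")[0]))
    if PLACEHOLDER_RE.search(text):
        flags.append(("placeholder", PLACEHOLDER_RE.search(text).group(0)))
    return flags


if __name__ == "__main__":
    for name, sender, body in [("phishing", "security@examp1ebank.example", PHISHING_BODY),
                               ("blagging", "mr.x@mail.example", BLAGGING_BODY),
                               ("genuine", "statements@examplebank.example", GENUINE_BODY)]:
        print(name, check_email(sender, body))
```

Run it and the phishing sample trips four indicators (the request for payment details, the one-character-off sender and link domain, the "Dear user" greeting), the blagging sample trips three (the "deer" misspelling, the generic greeting, the unfilled placeholder), and the genuine statement email trips none. The teacher's advice still applies on top of any tool like this: when something feels off, go to the bank's site yourself rather than through the link.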

So your next task is to do with protecting your customers.

So, you've got to put yourselves in the shoes of a cybersecurity team for a national bank.

So your job is to try and protect your customers from becoming victims of a social engineering attack.

So what you need to do is you need to head over to your worksheet again and complete task two, part one and two on your worksheet.

So, there's more than one task to do with task two.

There's a part one and a part two.

So again, if you'd like to pause the video, have a go at those activities, and when you've done that, then you can restart the video.

So that's all for this lesson.

And I really hope that you've enjoyed learning about all those social engineering techniques that cybercriminals use to steal your data.

But hopefully also you feel equipped to be able to recognise them when you might be a potential victim of a social engineering attack.

So, I really hope that you want to share your work with us.

I would really love to see the advice that you were giving on your worksheets.

And if you'd like to do that, please ask your parents or carer to share your work on Instagram, Facebook, or Twitter using @oaknational and #learnwithoak.

So, next lesson we'll look at hacking.

And I look forward to seeing you then.

So, bye.