Lesson 2: Social engineering

Slide 2: Objectives
In this lesson, you will:
● Recognise how human errors pose security risks to data
● Implement strategies to minimise the risk of data being compromised through human error
Slide 3: Starter activity
Which rock star are you?
Open a web browser and type in the following URL to find out: ncce.io/rockstar
Slide 4: Starter activity
You’ve been a victim of social engineering
How might a hacker use the data that you have willingly given to them?
Data you submitted:
● Name
● Email address
● Date of birth
● Mother’s maiden name
● Name of first pet
● Favourite colour
● Favourite band or artist
Slide 5: Social engineering (Activity 1)
There are lots of technical ways to try to keep data safe and secure. Human error arguably creates the largest risk of the data being compromised.
Social engineering is a set of methods used by cybercriminals to deceive individuals into handing over information that they can use for fraudulent purposes.
Slide 6: Social engineering (Activity 1)
What’s different about social engineering, in comparison to other cybercrimes, is that it is humans trying to trick or manipulate other humans.
Slide 7: Shouldering (Activity 1)
Shouldering (also known as shoulder surfing) is an attack designed to steal a victim's password or other sensitive data. It involves the attacker watching the victim while they provide sensitive information, for example, over their shoulder. This type of attack might be familiar; it is often used to find out someone's PIN at a cash machine.
Slide 8: Name generator attacks (Activity 1)
These are attacks in which the victim is asked, in an app or a social media post, to combine a few pieces of information or complete a short quiz to produce a name. Attackers do this to find out key pieces of information that can help them to answer the security questions that protect people's accounts.
Slide 9: Phishing (Activity 1)
A phishing attack is an attack in which the victim receives an email disguised to look as if it has come from a reputable source, in order to trick them into giving up valuable data. The email usually provides a link to another website where the information can be entered.
Example link shown on the slide: http://l0g1npage.com/B3G7?id=4n
Sending similar messages by SMS is known as smishing.
Slide 10: Phishing (Activity 1)
It is called phishing, as in ‘fishing’, because:
● A line is thrown out into a place where there are many potential ‘fish’ (victims)
● The line has bait on the end in order to attract the victims
● If a victim bites (clicks the link), they are hooked in
Slide 11: Phishing: key indicators of a phishing email (Activity 1)
● Unexpected email with a request for information
● Message content contains spelling errors
● Suspicious hyperlinks in the email
  ○ Text that is hyperlinked to a web address that contains spelling errors and/or lots of random numbers and letters
  ○ Text that is hyperlinked to a domain name that you don't recognise and/or isn't connected to the email sender
● Generic emails that don't address you by name or contain any personal information that you would expect the sender to know
Complete Activity 1 on your worksheet.
Slide 12: Blagging (Activity 2)
Blagging (also known as pretexting) is an attack in which the perpetrator invents a scenario in order to convince the victim to give them data or money. This attack often requires the attacker to maintain a conversation with the victim until they are persuaded to give up whatever the attacker asked for.
Slide 13: Blagging (Activity 2)
The following email doesn’t contain a hyperlink to click on, but it does include suspicious information.
Think/write/pair/share: try to find a minimum of three things that make this email suspicious. Complete this on your worksheet.
Slide 14: Blagging (Activity 2)
● Suspicious code in the email (‘Dear <name?>’)
● Spelling mistakes (‘deer friend’)
● Unusual use of English (‘a excitable business opportunity’)
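The indicators from the phishing slide (slide 11) and the clues in the blagging email (slide 14), turned into a small checker that reports which of them a sample email triggers. This is an added example, not part of the lesson materials or worksheet; the sender addresses and email bodies are constructed, and the placeholder pattern, generic-greeting word list and "digits in the domain" rule are assumed heuristics rather than anything the lesson specifies.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics (not from the lesson): unrendered mail-merge field, generic greeting, domain in link text.
PLACEHOLDER = re.compile(r"<\s*\w*name\??\s*>|\{\{\s*\w+\s*\}\}", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|friend|member|sir|madam|valued)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
class _MailParser(HTMLParser):
    """Collects the visible text and every (href, anchor text) pair in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def phishing_indicators(sender, body_html):
    """Return the lesson's indicators that this email triggers; an empty list means none fired."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    parser = _MailParser()
    parser.feed(body_html)
    found = []
    if PLACEHOLDER.search(body_html):
        found.append("unrendered template placeholder in greeting")
    if GENERIC_GREETING.search(" ".join(parser.text)):
        found.append("generic greeting that does not use your name")
    for href, anchor in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if re.search(r"\d", host):  # digits mixed into the domain, as in l0g1npage.com
            found.append(f"link domain looks random: {host}")
        if not host.endswith(sender_domain):  # domain not connected to the sender
            found.append(f"link domain {host} is not connected to sender {sender_domain}")
        shown = DOMAIN_IN_TEXT.search(anchor)
        if shown and shown.group(0).lower() != host:  # visible text names a different site
            found.append(f"link text shows {shown.group(0)} but points to {host}")
    return found

# Constructed samples; the phishing link is the one shown on slide 9.
PHISHING_EMAIL = ("alerts@bank.example", '<p>Dear Customer,</p><p>Please <a href='
    '"http://l0g1npage.com/B3G7?id=4n">log in at bank.example</a> to verify your account.</p>')
BLAGGING_EMAIL = ("mr.smith@mail.example", "<p>Dear <name?>, I have a excitable business opportunity for you.</p>")
```

The spelling and grammar clues from slide 14 are not checked here; those still need a reader (or a dictionary-based check) rather than a pattern.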
Slide 16: Phishing or blagging? (Activity 2)
Watch this video.
Questions:
● What is the difference between phishing and blagging?
● Was what happens in this video phishing or blagging?
● What about the email made it suspicious?
Slide 17: Protecting your customers (Activity 3)
Put yourself in the shoes of the cybersecurity team of a national bank. Your job is to try to prevent your customers becoming victims of social engineering.
Complete tasks 4.1 and 4.2 on your worksheet.
Slide 18: Plenary questions
Use the worksheet to complete the multiple-choice questions.
Slide 19: Summary
In this lesson, you...
● Recognised that human errors pose security risks to data
● Looked at strategies to minimise the risk of data being compromised through human error
Next lesson, you will…
● Look at common methods used by hackers and what laws are in place to act as deterrents
Editor's Notes
Last updated 21-05-21
Resources are updated regularly — the latest version is available at: ncce.io/tcc.
This resource is licensed under the Open Government Licence, version 3. For more information on this licence, see ncce.io/ogl.
Highlight to the learners that when setting up accounts you are often asked security questions, so that if they forget their password they can be asked questions that will allow them to reset their password and gain access to the account. This data might also help cybercriminals guess your passwords or even perform identity theft.
Image source: https://pixabay.com/illustrations/hack-hacker-elite-hacking-exploits-813290/
Bank logo image source: https://pixabay.com/vectors/administration-banking-college-152960/