Digital Security and Privacy

Understanding Non-Technical Attack Risks


CC BY-SA Scott Evans

This guide mostly covers traditional hacking and surveillance risks as they are commonly imagined, but the most frequent case of illicit access to data is actually phishing and social engineering, which lead the victim to willingly hand their password to the attacker.

Social Engineering

Social engineering (social hacking) is a wide range of real-world strategies based on social interaction and impersonation that aim to obtain access to accounts, services such as payment systems, physical access to locations, or other privileges. This can include pretending to be a new colleague, a distant authority, or a relative of a co-worker.

  • If a colleague or superior contacts you using an external e-mail address, there is a very strong risk of impersonation.
  • Corporate e-mail addresses can also be easily spoofed or taken over.
    • If a colleague or superior asks for an unusual service through an e-mail, check with them through a phone call before performing it.
    • Do not use a phone number they gave you in their e-mail, but only numbers you already know about or found on the internal directory.
  • Someone you do not personally know posing as an authority requiring urgent service should not be trusted unless you can actually verify their identity and status. Fear is a tool that can be used against you.
  • A phone call from someone you do not personally know in a very stressful situation (emergency, crying baby, etc.) should not make you abandon basic verifications and other security practices. Empathy can be used against you.
  • Someone you do not personally know asking questions about the organisation, its facilities, or its systems should also be a red flag.

Security Questions

Social hacking is one reason why security questions are not safe, and you should avoid replying to them. People can find information about your first pet's name, your mother's maiden name, your favourite food or city, etc. over conversations, social media, and viral posts/questionnaires asking for such information.

If security questions are required by a service you are using, you should lie rather than give information someone else could research, and remember your lies. You can consider this a secondary password field rather than an actual question.

Be wary of any social media posts where you are asked to share personal data, such as "Pay tribute to your first pet" or "What would your fantasy name be based on your date of birth?" and do not participate. These are exploited to answer security questions and get access to your accounts.