Perpetrators of “social engineering”, including hostile states and criminal gangs, use manipulation to trick people into making security mistakes and giving away sensitive information.
They often target intended victims by gathering background information on them, including potential weaknesses in their security practices, and seek to build a relationship, sometimes posing as a potential new employer.
Their aim is to gain the trust of those with access to confidential information and then persuade them to hand it over or expose their computer networks.
“Security communications to staff have increased substantially this year whilst the department has worked remotely,” says the Treasury’s recently published annual report for 2020/21.
“Regular communications have been sent to staff, with a focus on how to be conscious of your surroundings and reinforcing information security policy whilst working outside the office. In addition, we have… delivered a bespoke briefing to senior line management on how to spot potential social engineering behaviours in their employees.”
A Treasury spokesman said: “We take steps to ensure staff are aware of potential online scams and deceptions to protect both the department and staff.”
MI5 recently warned that thousands of UK nationals have been approached on professional networking sites and other platforms by people using fake profiles linked to hostile states.
The Centre for the Protection of National Infrastructure launched a Think Before You Link campaign about measures people should take to protect against falling victim to traps.
“Criminals and hostile actors may act anonymously or dishonestly online in an attempt to connect with people who have access to valuable and sensitive information,” stressed the CPNI.
The campaign aims to raise awareness of the threats so staff can recognise malicious profiles, realise the risks, report any concerns and then remove the “social engineering” attempt from their network.