Are your residents vulnerable to social engineering?

Published: 28th July 2022 | In: Insights

For a while now, cybercriminals have viewed the housing sector as an easier target than the private sector. Perceived to have smaller security budgets, it’s an industry that stores the personal information of hundreds of thousands of families and individuals.

Unfortunately, this makes it the ideal place in which to launch deliberate social engineering attacks that are designed to trick innocent people into giving away their information. That’s not to say housing associations aren’t prepared – many have been getting ready for a while and some now have an excellent security posture.

What is a social engineering attack?

Microsoft describes social engineering as when ‘someone uses manipulation, influence or deception to get another person to release information or to perform some sort of action that benefits’ a criminal. Manipulation is the key word here.

The kind of information they’re often probing for is user IDs and passwords so that they can access the organisation’s networks. If they can get hold of email addresses or telephone numbers they could use these to attempt to obtain the more valuable data and eventually deploy ransomware – arguably the biggest danger to many organisations today. However, many criminals commonly use social engineering simply to extort money, sometimes in the form of cryptocurrency, from individuals rather than threaten an organisation.

Entry routes

Email remains the most common digital tool for social engineering, simply because most people have work and personal email addresses and, via these, criminals can ‘phish’ for more information – most will attempt the easiest route first. The idea is simply to entice someone into clicking a link that, unknown to them, triggers software to download to their device. The hook could be an ‘urgent’ request for them to update their password, or to read an important message pretending to be from their boss, a relative, a customer or even a supplier.

Many fake emails impersonate social media sites, online shopping websites or delivery companies, which the vast majority of people use. Technology news site TechRadar reports that, of all brand phishing campaigns in 2021, almost 18% pretended to be from Amazon, 16.5% from DHL and 3.5% from professional networking site LinkedIn.

Social media has become another popular entry route, as have apps, including those sold or available for free on app stores. The method is the same – permit some malicious software to be downloaded to allow a criminal to access your device. Once in, they can work out how to navigate up the value chain to the housing provider’s central nervous system and ultimately freeze systems or encrypt data before demanding a hefty ransom fee.

But let’s not ignore the fact that social engineering is often very physical too. Many successful social engineers are masters of human behaviour and can get their hands on information by becoming friendly with a receptionist, secretary, security guard or other member of staff. They might be clever telephone fraudsters, perhaps using the company’s background music when they call an employee, or maybe they’ve spoofed a recognised phone number that the receiver trusts implicitly.

Why is social engineering damaging?

Once a cybercriminal has access to your residents’ devices they might disable them or encrypt their data, and only release them for a fee. They might decide to take control of their email account and use it to contact someone else for money, or send malware to an organisation – their landlord, perhaps.

Alongside the ever-present threat of social engineering lies the growing trend of cyber-attacks via third-party providers. Housing associations and public sector bodies have witnessed more of these types of threats in recent years. As a way to bypass the target organisation’s security, which is often tougher to breach, threat actors are increasingly targeting suppliers, who often have weaker defences in place.

In one case in the UK, someone breached Plentific, a digital platform that matches maintenance companies with housing associations. They copied the email addresses of an undisclosed number of residents and sent them phishing emails that impersonated maintenance firms. Residents received requests for payments in order for work to commence on their homes. In an effort to save the day, the housing providers then had to contact their tenants to advise them what to do.

How can housing associations defend their tenants?

People will always be the weakest link when it comes to any kind of cyber threat and criminals understand this better than anyone. However, with good basic security awareness and education, they can actually be an organisation’s first and strongest line of defence. If employees, and even tenants, do the right thing then they can alert the housing association to the risk so that appropriate action can be taken fast. Therefore, both your employees and your tenants have a major role to play in managing and mitigating risks for everyone else.

Although no organisation or person can ever be 100% protected all of the time, there are several ways that housing providers can help prevent their residents and their employees from becoming victims of social engineering traps. The best defence is a combination of security awareness training and a tailored cyber security strategy – which itself is delivered by human ingenuity and technology, not just a collection of automated anti-virus software.

According to GetApp, a software purchasing advisory company owned by Gartner, only 27% of companies provide their employees with social engineering awareness training.

But through regularly educating employees and informing tenants what tricks to look out for, and by explaining how they can report any suspicious activity, blame-free, associations can form an effective line of defence without having to invest in specialist software.

And by partnering with a certified cyber security team of experienced professionals they can significantly reduce the chances of success for any criminal that does break through, by quickly identifying incidents and responding to them with the appropriate skills and brainpower.

What else can tenants do to minimise their exposure?

Today, everyone who goes online is vulnerable to any number of potential cyber threats such as phishing. But there shouldn’t be any reason to worry. The good news is that we can all do something about it with little effort or knowledge and without spending more money. Setting up multi-factor authentication (MFA) is a great place to start. MFA adds an extra layer of security every time you log into an email account or a bank account. It’s quick and simple to use and could save enormous inconvenience and cost at a later date. The reality is that many successful cyber-attacks would have been stopped in their tracks had the organisations or people involved put MFA in place beforehand.

Take a step towards stronger cyber security today

We’ve teamed up with some of the UK’s leading housing associations to protect them from harm around the clock. To learn how we’re currently supporting Notting Hill Genesis, one of the largest in the south-east of England, take a look at our Customer Success Story.

Visit our dedicated Housing Association page to read more about how Quorum Cyber can help your organisation.