WHAT IS SOCIAL ENGINEERING
Social engineering is widely misunderstood, which has led many people to think of it as nothing more than a scam that tries to steal something trivial. Some refer to it as a scheme used by criminals or con artists. Yet social engineering is also used by ordinary people every day: an employee trying to get a salary raise, for example, will try to impress his/her boss. Social engineering is a tool and, like any tool, it can be used for evil. This blog post explores some of the tactics that have been used by con men and how you can avoid them or become less vulnerable to them.
According to Wikipedia:
Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information.
According to the European Union Agency for Cybersecurity:
Social engineering refers to all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.
If you blend the two definitions together, you can see that social engineering is a tactic for getting people to act in the way that con men, hackers or fraudsters want them to, with the goal of getting victims to unknowingly hand over personal information.
Social engineering requires a lot of planning. The first step is to decide who to target and then to gather information about the victim. Subsequently, the attacker attempts to gain the victim's trust by pretending to be someone from the organisation or somebody the victim knows.
PHISHING
I have explained phishing in another blog post; click here for more information on it. If someone you know has fallen victim to a phishing scam, his/her data may be used to fish out information from more people. Among the most valuable data fraudsters look for are the contact details of people in the company. The hacker poses as the victim and gets as many people as possible to act in the way the attacker wants. People fall for this because the email comes from the legitimate email address of an employee.
If one of your lecturers sent you an email asking you to click on a link, would you do it? Of course you would. You trust the link and the sender, because the attacker has used your lecturer's email address and the email simply asks for the link to be clicked. You may not realise that the link can lead to malware being downloaded straight onto your personal computer.
BAITING
As the name suggests, attackers tempt victims into handing over what the attacker wants. For example, on peer-to-peer networks such as BearShare and LimeWire (where illegal film downloads happen), a tempting download is offered; once the victim clicks the link provided, malicious software may be downloaded instead.
Baiting is not confined to cyberspace. For example, an attacker leaves a USB drive in an area where potential victims will find it. Out of curiosity the victim plugs the USB drive into his/her device and unknowingly installs malware on the system.
PRETEXTING
Pretexting happens when an attacker invents a fake story to persuade the victim to give up his/her data. Here are some pretexting scenarios which you may have heard of.
- Ask you to donate to a charitable organisation
Attackers try to exploit people’s trust and kindness to get people to send them money. They can even go as far as creating a website that looks exactly like the charitable organisation they are posing for.
- A problem that requires your personal information to be verified
The attacker imitates the bank you use and sends you an email saying that your account shows suspicious activity and asking you to log in to your online banking urgently.
- You have won the lottery!
This sounds too good to be true, which is the number one red flag that everybody must watch for. These types of attacks are called 'greed phishes': they act upon the greed of the victims, because nobody wants to refuse a huge sum of money.
- Impersonating someone you know from your company
A 'co-worker' asks you to pay for a specific item and requests your bank account details, or sends a simple email asking for something related to the company.
QUID PRO QUO
Quid pro quo is a Latin phrase meaning 'something for something', an exchange. It works just like baiting, but instead of offering a product it offers a service in exchange for something from the victim. The exchange can be some type of compensation or a gift; for example, an attacker could request the victim's login credentials in exchange for the promised gift.
VISHING
Vishing (voice phishing) can be used by scammers to get a victim's information by posing as the tech support of the victim's company. They call, claiming that something is wrong or that the login credentials are not working. Once they have gained the victim's trust, the victim has no issue disclosing that information to the hacker. This is especially successful when the hacker poses as someone from within the organisation.
HOW TO AVOID SOCIAL ENGINEERING HACKS
- Use two-factor authentication
Banks usually have this: when you want to make a transaction, make sure there is another step to authenticate you. This could mean receiving an OTP (one-time password) on another device, such as your phone via text message, or in your email account.
- Don’t open emails and attachments from unknown sources
Never click on links or attachments in an email from an unknown source; this is the most common form of phishing attack. If you get an unexpected email from someone you trust, double-check with that person to confirm that they actually sent it to you.
- Keep your antivirus/antimalware software up to date
Make sure you enable automatic updates so that known malware is caught and unauthorised access to your personal devices is kept out.
- Be careful of offers that are too good to be true
If the offer sounds too tempting, think twice before accepting it.
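The phishing section above points out that the mail arrives from a legitimate-looking employee address, and the advice here is to double-check before clicking. As an added example (not from the original post), the script below shows how a mail client or help desk could triage such a message automatically: it compares the visible From domain with the envelope Return-Path, reads the receiving server's SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags urgency wording in the subject, and catches links whose visible text names a different site than the href actually points to. The two messages are constructed samples on the reserved example.com and example.net domains, and the header semantics assumed (Return-Path as envelope sender, Authentication-Results stamped by the recipient's mail server) are standard mail headers rather than anything the post itself describes.

```python
# Added example: heuristic phishing triage for a raw email message.
# Sample messages are constructed; domains are the reserved example.com/.net.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "expire")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def _domain_of(header_value: str) -> str:
    """Lowercased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_of(url_or_host: str) -> str:
    """Hostname of a URL, also accepting a bare host such as 'vle.example.com'."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    # 1. The visible From address is trivially forged; the envelope sender less so.
    from_domain = _domain_of(msg.get("From"))
    rp_domain = _domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        found.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    # 2. Anything other than spf/dkim/dmarc=pass from our own mail server deserves a look.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            found.append(f"{mech}={result}")
    # 3. Urgency in the subject is the pressure tactic described in the post.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append(f"urgency language in subject: {subject!r}")
    # 4. Link text that names one site while the href points somewhere else.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            if URL_LIKE.match(text) and _host_of(text) != _host_of(href):
                found.append(f"link text shows {_host_of(text)} but points to {_host_of(href)}")
    return found


# Constructed sample: claims to be internal IT support, but every signal disagrees.
SPOOFED = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <it-support@example.com>
To: student@example.com
Subject: URGENT: your login credentials have expired
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in now at
<a href="http://login.example.net/reset">https://portal.example.com/reset</a></p></body></html>
"""

# Constructed sample: a lecturer's genuine mail; all signals agree.
GENUINE = """\
Return-Path: <lecturer@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Dr Lecturer" <lecturer@example.com>
To: student@example.com
Subject: Lecture slides for week 3
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides: <a href="https://vle.example.com/week3">vle.example.com</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own (a genuine mail sent through a third-party mailing service will legitimately show a different Return-Path domain), which is why the function returns the full list of indicators for a human to weigh rather than a verdict. The spoofed sample trips every check; the genuine one trips none.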
CONCLUSION
Scammers try to gain as much as they can through human error. It is often said that in information security it is much easier to get employees to disclose their passwords than to guess them (unless the password is easy to guess). Humans are the weakest link in an organisation's security. Since most companies now store personal information about employees and customers online, anyone can be a target of scams, so be vigilant and stay safe online.
If you would like to know what cyber-security specialists have to say about this, click here.