In the context of information security, social engineering is the psychological manipulation of people into divulging confidential information that may be used for fraudulent purposes. It covers a broad range of malicious activities accomplished through human interaction: the attacker uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering attacks can employ various strategies. A perpetrator first investigates the intended victim to gather the background information needed to proceed with the attack, such as potential points of entry and weak security procedures. The attacker then moves to gain the victim’s trust and supplies stimuli for subsequent actions that break security practices, such as revealing sensitive information.
Social engineering is executed in four major steps.
1. The attacker prepares the ground for the attack by gathering the victim’s background information and identifying the possible ways of attacking.
2. The attacker deceives the victim to gain a foothold, engaging the target and taking control of the interaction.
3. The attacker plays on the victim’s trust, executing the attack and disrupting the business.
4. The attacker closes the interaction, ideally without arousing suspicion.
What Does a Social Engineering Attack Look Like?
Email from a trusted source
Phishing attacks are a subset of social engineering strategies that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies, and according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches. The email typically carries a compelling story, such as:
· A request to “VERIFY” your personal information by clicking on a malicious link
The linked site may look very legitimate, with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you are more likely to fall for the attempt.
· A notification stating that “You are a Winner”
This may be any email claiming that you have won a lottery, that a dead relative has left you something, and so on, and asking you to visit their site. In order to receive your ‘reward’ you have to provide your bank routing information so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are, often including your social security number. These are the ‘greed phishes’: even if the pretext is thin, people want what is offered and fall for it by giving away their information, then find their bank account emptied and their identity stolen.
· Urgent notifications asking for help
This email may appear to come from a friend who has been robbed or beaten while abroad and needs you to send money; it states the procedure for sending the money, which goes to the attacker.
Downloading a Link
The link points to a file, picture or movie embedded with malicious software. If you download it, which you are likely to do since you think it is from your friend, you will be infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. You trust the link, click it and are infected with malware, so the criminal can take over your machine, collect your contact information and deceive your contacts just as you were deceived.
Baiting Scenarios
People who take the bait, such as an amazingly great deal on certain sites or auctions, or an offer of something to download such as a new movie or music, may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving the purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.
Find the Right Cyber Security Solutions for Social Engineering
· Delete any stored personal financial information and passwords, and change your passwords frequently.
· Beware of any download links or files unless you personally know the person who sent them. Suspicious links and downloads lead to mistakes.
· Research the facts. Be suspicious of any unsolicited message. If the email looks like it is from a company you use, do your own research: use a search engine to reach the real company’s site, or a phone directory to find their phone number.
· Install anti-virus software, firewalls and email filters, and keep them up to date. Set your operating system to update automatically, and if your smartphone does not update automatically, update it manually whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or a third party to alert you about risks.
· Avoid email hijacking. Hackers, spammers and social engineers taking control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you are not expecting an email with a link or attachment, check with your friend before opening links or downloading.
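As an added example (not from the original post), the warning signs described above and the "research the facts" advice turned into a small triage check: it flags urgency wording, a visible link that hides a different domain, and a sender domain that does not match the linked domain. The message, domains and phrase list are constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
# Urgency phrases of the "act before you think" kind (constructed list).
URGENCY = re.compile(r"\b(verify|suspended|within 24 hours|act now|immediately)\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the placeholder domains used here."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def triage(raw_message):
    """Return the list of phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_dom = registered_domain(msg["From"].split("@")[-1].rstrip(">"))
    body = msg.get_payload()
    findings = []
    if URGENCY.search((msg["Subject"] or "") + " " + body):
        findings.append("urgency wording")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_dom = registered_domain(urlparse(href).hostname)
        if "." in text and " " not in text:  # visible text is itself written as a URL
            shown = registered_domain(urlparse(text if "://" in text else "http://" + text).hostname)
            if shown != href_dom:
                findings.append(f"visible link {shown} hides {href_dom}")
        if href_dom and href_dom != sender_dom:
            findings.append(f"sender {sender_dom} links to {href_dom}")
    return findings

# Constructed sample of the "VERIFY your information" impersonation email.
PHISH = """From: Example Bank <alerts@example-bank.test>
Subject: Verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Please click <a href="http://login.example-bank-secure.test/verify">www.example-bank.test/verify</a></p>"""
```

Running `triage(PHISH)` yields three findings; a genuine statement notice from the same sender linking to its own domain yields none.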
Relishiya Tenaransz
Undergraduate of Computer Engineering,
Faculty of Engineering, USJ