Defend yourself from Social Engineering Attacks :
- Social engineering is the practice/art of convincing people to compromise their computer/electronic systems. Rather than targeting equipment or software, scammers/fraudsters target humans who have access to information and manipulate their perceptions and make them divulge information using deception, influence, or persuasion.
- It’s a known fact that hacking Human Mind is far easier than hacking a computer or business. Attackers go after human weakness like fear, greed, trust, desire, ego, sympathy, ignorance, carelessness, and haste.
- Social engineering attacks can include physical, social, and technical aspects, which are employed in different stages of the particular attack. A number of the ways scammers/fraudsters attack, includes email, instant messaging, phone, social networking, cloud services, and websites.
- Scammers/fraudsters will use many tools and techniques. What these social engineering methods have in common is that they all attempt to build rapport with victims by creating believable situations, establishing credibility, or creating a sense of urgency.
- Most of the time people assume it’s only the individuals who are prone to social engineering attacks and not the companies, No matter how big or low profile business is, its employees will inevitably receive phishing messages giving scope to companies information systems to be compromised.
Various approaches used by scammers/fraudsters :
- In-person visits where the attacker impersonates someone in authority or someone with an urgent need
- False documents intended to deceive.
- Vishing: Telephone calls where the attacker impersonates someone in authority or someone with an urgent need
- Phishing: Email messages that are either false in content or false in origin
- Smishing: Instant messages or SMS text messages with false threats, information, or promises
- Social Media Phishing: When someone builds a social media page that mimics a trusted brand. The account will try to publish relevant content that persuades you to click and download a malicious file.
- Reverse Engineering: When someone executes to minor attack on your company to expose a vulnerability, then conflicts you to inform you and offer to “fix” the problem.
- Quid Pro Quo: Quid pro quo means something for something: When someone calls random numbers at a company, claiming to be calling back from technical support.
- Baiting: Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim.
- Typo Squatting: When someone uses common types for brand URL’s and mimics 1he brand to gain trust. The fake website can easily collect form information and an example i.e. www.bankofarnerica.com
- Friendly Emails: When someone sends you an email either from a hacked friend’s account or creates a similar account and uses your friend’s name.
Few psychological factors used by scammers/fraudsters are :
- Trust: Exploiting that impulse is the basis of social engineering.
- Ignorance: Lack of knowledge about social engineering attacks makes people and organisations vulnerable, pretending they are in a position of authority (like executive or manager of any bank).
- Fear: People are afraid of loss, and fraudsters exploit people’s fears. For example, they might send a message or make a call warning about the possible loss of employment or money, or access.
- Greed: Scammers/fraudsters promise rewards in exchange for divulging information, it will be in the form of seeking advance taxes or security deposits or customs fees before they actually receive.
- Moral duty: People often feel obliged to help scammers/fraudsters when asked for help especially seeking donations during floods or Covid19
- Urgency: A scammers/fraudsters might call or email in the guise of a high-ranking chief executive officer who requires an urgent transfer of funds, they usually spoofed emails posing as their boss.
- Panic / Anger: People don’t think clearly when they’re pressured to act quickly. When social engineers call you pretending to support and provide a frantic scenario that compromises your safety (like resetting the expiry date of your credit/debit card)
Motivations for doing Social Engineering Crimes :
- Technical Avoidance – Few technically qualified members look at it as a quick path to financial gain rather than become involved in trying to breach a complex/cumbersome technical path.
- Self-Education – Few first-time hackers who are motivated simply by the thrill of gaining knowledge and just for fun try to beat the system.
- Financial Gain – Motivation for financial gain information gathering can be triggered by many reasons: feeding a habit (an addiction); seen as an easy way to get money, organized crime, blackmail, etc.
- Motivations for doing Social Engineering Crimes: –
- Revenge – Unhappy/resigned employees could be doing it. They may even target an individual for not accepting a relationship or even for breaking an existing relationship.
- External Pressure – Blackmail, ransom, family pressure, organized crime, and extremist beliefs can be used to apply pressure to an individual to commit a cybercrime.
- Terrorist, Political& Issue & Motivated – These groups can be fanatical about their cause and will try and capitalize on weaknesses inherent in the financial and critical information infrastructure to cause shock to a target population.
- The Wannabe – Often people having psychological issues – Who want to be Hero are motivated to commit an act, to do something daring or spy thereby satisfying their own distorted psychological needs
The Stage of Social Engineering Attack :
- Information Gathering – Internal phone directory; birth dates; organizational charts; personnel records, social activities, and relationships
- Development of Relationship – Psychological aspect of trust. presenting themselves as Sr. members of the org who will share confidence with a target to further strengthen the element of trust.
- Exploitation of Relationship – Manipulation of the victim and obtaining the information like username and password and preparing to perform an illegal action
- Execution to achieve the objective – Having obtained the required personal/sensitive information, the social engineer is able to use this to access the system and complete the illegal action.
Social Engineering Crimes – Methods :
- Phone – A social engineer/fraudster calls up the victim and presents themselves as a person of authority and uses techniques to extract the sensitive and personal information
- Eavesdropping – A social engineer may place themselves and secretly listen to a conversation overwork chat or in a lunchroom.
- Live – Individuals gain access to the victim computer system in order to obtain information that may later be used to commit cyber crime
- Dumpster Diving – Company’s trash in an attempt to retrieve helpful documents i.e., employee records, organizational charts that may assist a social engineering attack. i.e., Old computer equipment for ‘such as old hard drives, unattended USB drives, sticks notes on the unlocked screen, etc.
- Shoulder Surfing – Over hearing on one’s shoulder to see what password an employee is typing into the computer
- Bogus Surveys – False pop-up windows notifying the individual that their internet connection has dropped out or simple survey form asking for feedback where they are required to enter their personal user details (username and password).
- Phishing/Vishing/Smishing – Hackers distribute emails/phones/SMS, presenting themselves to be from a legitimate organization (i.e., Bank or Club, Govt Organisation) and seek their personal and sensitive details further used to commit cybercrime.
- Pharming – Similar to phishing in the sense that while the user believes they are entering their personal details (username, password) into a legitimate site, they are actually using a spoofed or mimicked site that emails the user’s details to the hacker for future use
- Reverse Engineering – When someone executes to minor attack on your company to expose a vulnerability, then conflicts you to inform you and offer to “fix” the problem.
- Quid Pro Quo – Quid pro quo means something for something: When someone calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will “help” solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
- Baiting – Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and waits for victims.
- Typo Squatting – When someone uses common types for brand URL’s and mimics 1he brand to gain trust. The fake website can easily collect form information if 1he typo is not noticed.
- Friendly Emails – When someone sends you an email either from a hacked friend’s account or creates a similar account and uses your friend’s name. Often there is an attachment that contains malware.
Share these safety tips to your friends and family members :
- Be wary of short urls and information requested on google forms from unknown sources
- Double check a weblink link before clicking or downloading attachments sent by unknown contacts, they will lead to unfamiliar site (Hover over them and check)
- Never send sensitive, personal, or proprietary information via email, regardless of who is asking for it.
- You will notice poor spelling and grammar throughout the email or SMS
- Links / Forms asking for personal information (Passwords & Bank Information)
- Always check the header of the email for authenticity when some asks to transfer money on a email, even it is from your boss.
- Never search for customer care numbers on Search Engines – Open the respective app or respective application’s website for the correct customer care number.
- Scanning QR Code or giving OTP, UPIN, Bank Card and CVV number’s, Means you are transferring the money from your account and NOT receiving.