WHAT IS SOCIAL ENGINEERING?

Social engineering is the use of soft, non-technical skills to gain unauthorized access to private computer systems and networks. Social engineers rely on human interaction to lure people into giving out confidential information that compromises their security. Attackers use social engineering for varied reasons, but the end game is usually to defraud you financially by manipulating your instinct to trust, rather than using technical force to break into your system.

Social engineering is not a new concept; it is a set of age-old con games applied on the web. The information sought by social engineers varies: passwords, bank details, system configuration details and so on. But regardless of the information sought, the objective is always to take control of your system or accounts and make a gain at the end.

Social engineering takes different forms and shapes. It could be as simple as someone calling you pretending to be a customer care agent from your bank and requesting your banking details. It could also be someone posing as a new employee who needs login assistance, or a colleague stealing your login credentials by shoulder surfing.

Regardless of the form, the success of any social engineering attack largely depends on the human weakness of not critically analyzing every situation. In reality, much of Internet security comes down to knowing when, and with whom, to share your confidential information. Alertness, and refusing to take every situation at face value, will go a long way in preventing social engineering attacks.


WHICH ARE THE MOST COMMON SOCIAL ENGINEERING ATTACKS?

Social engineering attacks are propagated in different forms and through various attack vectors. It is a rapidly evolving craft that keeps being refined. However, some of the most common social engineering pitfalls include the following.

Bogus Email from a Friend. This is a common tactic used to extract information from a large network of people. The criminal only needs to compromise one email account; its contact list is then used to send malware-laden email to everyone in the address book. People are easily fooled into trusting an email attachment or a link sent, supposedly, by a known friend.

In many cases, the attacker, using the hacked account, sends you an email claiming that your 'friend' is stuck in a foreign country after being mugged. They request money for a return ticket and promise to refund it once they are back. Usually, the email includes instructions on how to wire the money to your 'stranded friend' abroad.

Phishing Attacks. Phishing is an age-old cyber threat that applies social engineering tactics to harvest confidential details from victims. Most phishing attacks are propagated through bogus emails allegedly from trusted service providers such as banks, schools, software companies or government agencies such as the FBI.

Normally, the online fraudster sends an email posing as one of your trusted service providers. They ask you to urgently update your account details or upgrade your current software through the given links. Most phishing emails demand that you do something urgently or face some consequence. Clicking on the embedded links directs you to spoofed websites designed to steal your login credentials.

Another common trick used by phishers is to send you an email claiming that you have won a lottery or some promotional goodies. You are required to give your banking details in order to receive your lottery winnings. In other cases the scammer poses as the FBI, saying they have recovered your 'stolen money' and asking you to send your bank details to get it back.

Baiting Schemes. In these schemes, the attacker takes advantage of a highly demanded product, such as a new movie or music video, to harvest private information from unsuspecting people or to plant malware on their machines. It is very common on peer-to-peer file-sharing networks such as BitTorrent.

Another popular tactic is to offer a hot product at an unrealistic discount, for example 85% off for one day only. Such schemes may appear on legitimate auction sites such as eBay, which makes it easy for people to fall for the bait. Usually, the product on offer is non-existent, and the vendor could be using a hacked eBay account to obtain your banking details.

Unsolicited Tech Support. In some instances, criminals pose as the tech support team of a popular company such as Microsoft, purporting to respond to 'your request' to resolve a technical problem. Although you never asked for help, you could be tempted to take advantage of a free service, especially if you happen to be having a problem with your Microsoft product in the first place.

Responding to the email initiates an interaction with the criminal, who may then request more specific details about your system in order to 'help you out'.

In some cases the criminals may ask you to log on to 'their company systems', or simply request remote or administrator (root) access to your system. Sometimes they give you bogus commands to run on your machine. Such commands are only intended to give the attacker greater access to your computer.


HOW TO AVOID SOCIAL ENGINEERING ATTACKS

Be wary of unsolicited emails, instant messages and phone calls, including those that appear to come from your service providers. Verify the source of the message through a channel you already trust (for example, the phone number printed on your bank card) before giving out any information.

Go slowly and pay keen attention to the details of emails and messages. Never let the urgency in an attacker's message cloud your judgment.

Educate yourself. Information is the most powerful tool in preventing social engineering attacks. Learn how to identify, and ward off, online criminals.
Never click on embedded links in emails from unknown senders. If necessary, use a search engine to find the suggested website, or type its URL in manually.

Never download email attachments from unknown senders. If you must open one, open it in a restricted mode such as Microsoft Office's Protected View (enabled by default for files that arrive from the Internet), or in a sandbox or virtual machine.

Reject unsolicited offers of online tech support from strangers, no matter how legitimate they may appear.
Secure your computer with a firewall, up-to-date antivirus software and strict spam filters.

Patch software and operating systems promptly. A patch cannot protect you from a zero-day vulnerability that is still unknown to the vendor, but it closes the known holes that most attackers actually use. Follow patch releases from your software providers and apply them as soon as humanly possible.

Pay attention to the website URL. Online fraudsters often make slight changes to a domain name (a swapped letter, a lookalike character from another alphabet, or the real brand name placed in front of a different domain) in order to direct traffic to their spoofed sites.

Avoid being greedy on the web. If you never entered a lottery, it goes without saying that you cannot be the winner. If you never lost money, why would you accept a refund from the FBI?
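The advice to check the URL is the one tip on this list that can be partly automated. The following is an added example, not code from the original article: a small Python check that extracts the host from a link, decodes punycode so lookalike characters become visible, folds a handful of confusable characters to ASCII, and then classifies the link as trusted, lookalike or unrelated against a list of domains you actually do business with. The trusted-domain list, the confusable-character table, the public-suffix subset and the sample links are all constructed for illustration and are not exhaustive.

```python
"""Lookalike-domain check for a URL found in an email or chat message.

Added example, not from the original article. The trusted-domain list,
the confusable-character table and the two-label suffix set are assumed,
illustrative subsets; a real deployment would use the full Unicode
confusables data and the Public Suffix List.
"""
from urllib.parse import urlsplit

# Domains the reader genuinely does business with (assumed list).
TRUSTED = {"paypal.com", "microsoft.com", "example-bank.co.uk"}

# Characters that render like ASCII letters; U+0430 is Cyrillic 'a', and so on.
# Illustrative subset of the Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0443": "y", "\u0455": "s", "\u03bf": "o",
    "0": "o", "1": "l",
}

# Suffixes where the registrable name is the third label from the right
# (assumed subset; a real check would consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """Lowercase host of a URL, with punycode (xn--) labels decoded so that
    homoglyphs become visible. Tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: keep it as-is
    return host.lower().rstrip(".")


def skeleton(label: str) -> str:
    """Fold confusable characters to ASCII, so 'p\u0430ypal' reads 'paypal'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels, or three when the last
    two form a known public suffix such as co.uk."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED) -> dict:
    """Return {'host', 'registered', 'verdict', 'reason'} for a URL.

    verdict is 'trusted' (registered domain is on the list, so its
    subdomains count too), 'lookalike' (impersonates a trusted brand)
    or 'unrelated'.
    """
    host = hostname_of(url)
    reg = registered_domain(host)
    out = {"host": host, "registered": reg}
    if reg in trusted:
        return {**out, "verdict": "trusted", "reason": "registered domain is on the trusted list"}
    reg_label = reg.split(".")[0]               # 'paypal-secure' from 'paypal-secure.com'
    folded = skeleton(reg_label)                # same label with confusables folded
    host_labels = [skeleton(label) for label in host.split(".")]
    for t in sorted(trusted):                   # sorted: deterministic reason text
        brand = t.split(".")[0]
        if folded == brand and reg_label != brand:
            return {**out, "verdict": "lookalike", "reason": f"homoglyph of {t}"}
        if folded == brand:
            return {**out, "verdict": "lookalike", "reason": f"{brand} under a different suffix than {t}"}
        if edit_distance(folded, brand) == 1:
            return {**out, "verdict": "lookalike", "reason": f"one-character typosquat of {t}"}
        # Brand name inside any label while the registered domain is someone
        # else's: paypal.com.secure-login.net, paypal-secure.com
        if any(brand in label for label in host_labels):
            return {**out, "verdict": "lookalike", "reason": f"{brand} embedded in a host registered as {reg}"}
    return {**out, "verdict": "unrelated", "reason": "no trusted brand involved"}


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email would carry.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.net/login",
        "http://paypol.com",
        "p\u0430ypal.com",                      # Cyrillic a in the first label
        "https://microsoft-support-center.com",
        "https://mail.google.com",
    ]
    for s in samples:
        r = classify(s)
        print(f"{r['verdict']:9} {s:45} {r['reason']}")
```

A check like this belongs in a mail gateway or a browser extension, not in the reader's head, but the same three questions are what a careful reader asks by hand: is the registered domain really the brand's, is every letter the letter it appears to be, and is the brand name merely a subdomain or prefix of somebody else's domain? Treat a "lookalike" verdict as a reason to stop and verify through a known-good channel, not as proof of fraud; short brand names and one-character edit distances will occasionally flag legitimate sites.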



WHAT NEXT FOR SOCIAL ENGINEERING VICTIMS

Due to the soft nature of social engineering attacks, most victims don't know they've been compromised, and it may take months to identify a breach. However, if you suspect that you've been a victim of social engineering, the first thing to do is rotate your passwords.

Create a new, strong password for every account, and do not reuse any of them. Ensure that your new passwords cannot be linked to you or your family, because the attackers probably know far too much about you already. Enable two-factor authentication where it is offered, and check the compromised account's recovery settings and mail-forwarding rules for anything the attacker may have added. Secondly, contact your bank and carefully review your financial statements. Lastly, consider reporting the incident to law enforcement agencies so that there is a record of the compromise if your identity is later used in criminal activities.

In conclusion, social engineering attacks are age-old con games that get better and smarter with time. Attackers will continue to use them so long as they yield handsome returns year after year. Preventing social engineering attacks requires knowing when and whom to trust on the web. Critically analyze each situation before giving out any sensitive information. More importantly, avoid being greedy on the web. Always think twice when the deal is too good!