The term “Social Engineering” sounds like a serious academic subject on reforming a wayward society! Alas, far from the truth, it is pure and simple trickery, a con job. The social engineering attacker uses his social skills to take advantage of the human tendency to trust someone at his word. He/she can pretend to be a legitimate official, a person of authority, a helpdesk assistant or a new employee trying to learn the ropes. All of these deceptions aim to extract sensitive personal or company information such as a social security number, card details, email address, login name and password, company financial data, client details, marketing plan, organizational structure, etc. in order to commit fraud.
There are various ingenious ways of doing social engineering. In ‘pretexting’, the attacker creates a purely fictional scenario to extract information from the victim. Phishing emails invite the receiver to click on embedded links and type in personal information for ‘verification’. Phone phishing uses an engineered interactive voice response (IVR) system for deception. Baiting infects systems through Trojan horse malware – a curious victim picks up a seemingly mislaid CD or USB flash drive left at a conspicuous location and runs it on his system, with disastrous results. In a quid-pro-quo attack, the attacker offers to help resolve a malfunction and in the process obtains bits of personal information.
Here is a classic ‘pretexting’ social engineering story. Ian Malone of the US received a late night phone call asking if he had been using his credit card for heavy purchases recently, as the caller (pretending to be an employee of the credit card company) had noticed huge accumulated debts on the card. Malone was naturally flabbergasted, as he was already struggling for funds. The caller sympathized and offered to probe this suspected fraud further and set it right. To do so, “may I have details of the card please?” Malone was anxious to get out of the mess and handed them over. The attacker got what he wanted to commit credit card fraud – the rest is history!
To avoid different social engineering frauds, it would be advisable to follow the guidelines listed below:
- Never click on embedded links unless you are sure of the identity of the sender.
- Never call on the phone numbers given in the information seeking emails. Instead, call on a confirmed genuine number known to you or taken from previous statements.
- Do not provide personal or company information over the phone to unknown entities, however intimidating the caller may sound and however insistently information is demanded.
- Submit personal information only on secured encrypted websites – look for an “https” prefix and a lock icon at bottom of the screen.
- Pay attention to website addresses. Malicious websites will have slight variation in web address or domain, e.g. .net instead of .com.
- Don’t accept unsolicited help for repairs – get a qualified legitimate technician to do any repair.
- Do not panic when you are told of alarming situations and do not act on the caller’s requests.
- If you suspect you have revealed information, inform the appropriate authorities (network administrators, your supervisor, bank, credit card company or even police), who can take immediate remedial measures to detect and stop any fraud.
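The two website checks in the list above (an “https” prefix, and a domain that matches the genuine one rather than a slight variation of it) can be turned into a small defender-side screening routine. The following Python is an added example written for this page, not code from the original article: it parses a link, rejects anything that is not https, and compares the registered domain against a constructed allowlist of domains the reader actually deals with (`TRUSTED_DOMAINS` is an assumed placeholder, not from the article). It flags the three lookalike patterns the guideline describes: the same name under a different TLD, the genuine name buried inside an unrelated hostname, and close misspellings.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist for this example: the registered domains the reader
# really does business with. Assumption for illustration, not from the article;
# replace with your own bank, card issuer, employer, etc.
TRUSTED_DOMAINS = {"examplebank.com", "example.org"}


def registered_domain(host):
    """Crude 'registered domain': the last two labels of the hostname.
    Multi-part public suffixes such as co.uk are deliberately not handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url):
    """Classify a link as 'ok', 'suspicious' or 'unknown', with a reason."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return "suspicious", "no hostname in link"
    # Guideline: only submit information on https pages.
    if parsed.scheme != "https":
        return "suspicious", "not https"
    dom = registered_domain(host)
    # Exact match, including any subdomain of a trusted domain (login.examplebank.com).
    if dom in TRUSTED_DOMAINS:
        return "ok", "host belongs to trusted domain " + dom
    name = dom.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.split(".")[0]
        # Same name, different TLD: examplebank.net instead of examplebank.com.
        if name == tname:
            return "suspicious", "same name as %s but different TLD (%s)" % (trusted, dom)
        # Trusted name used as a subdomain of an unrelated domain:
        # examplebank.com.evil.net really belongs to evil.net.
        if ("." + host.lower()).find("." + trusted + ".") != -1:
            return "suspicious", "trusted name %s embedded in unrelated host %s" % (trusted, host)
        # Close misspelling of the trusted name, e.g. a digit 1 for the letter l.
        if SequenceMatcher(None, name, tname).ratio() >= 0.8:
            return "suspicious", "%s closely resembles %s" % (dom, trusted)
    return "unknown", dom + " is not on the trusted list"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an information-seeking email.
    samples = [
        "https://login.examplebank.com/account",
        "http://examplebank.com/verify",
        "https://examplebank.net/verify",
        "https://examplebank.com.evil.net/verify",
        "https://examp1ebank.com/verify",
        "https://unrelated.example/offer",
    ]
    for link in samples:
        verdict, reason = check_link(link)
        print("%-45s %-10s %s" % (link, verdict, reason))
```

The allowlist approach is the code equivalent of the guideline's advice to use a number or address you already know: a link is only “ok” when it resolves to a domain you have previously confirmed, and anything merely similar is called out for a second look.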
Remember, social engineering frauds can be avoided if you are careful in your actions. If you lose money/data because of your carelessness, only you are to blame. Recovery of lost money/data is almost impossible!