Social engineering is the practice of convincing people to compromise their own computer or electronic systems. Rather than targeting equipment or software, scammers and fraudsters target the humans who have access to information, manipulating their perceptions through deception, influence or persuasion to make them divulge it.
Attackers go after human weaknesses like fear, greed, trust, carelessness and haste.
Social engineering attacks can include physical, social and technical aspects, which are employed in different stages of the attack. The ways in which fraudsters attack include email, instant messaging, phone, social networking, cloud services and websites.
Fraudsters will use many tools and techniques. What these social engineering methods have in common is that they all attempt to build a rapport with victims by creating believable situations or creating a sense of urgency.
Most of the time, people assume that only individuals, not companies, are prone to social engineering attacks. However, no matter how big or small the business is, its employees will inevitably receive phishing messages, which opens the way for the company’s information systems to be compromised.
Approaches used by fraudsters
• In-person visits where the attacker impersonates someone in authority or someone with an urgent need
• False documents
• Vishing: Telephone calls where the attacker impersonates someone else
• Phishing: Email messages that are false in content or false in origin
• Smishing: Instant messages or text messages with false threats, information or promises
• Social Media Phishing: A social media page that mimics a trusted brand. The account will try to publish relevant content that persuades you to click and download a malicious file
• Reverse Engineering: When someone executes a minor attack on your company to expose a vulnerability, then offers to fix the problem
• Other methods include baiting, typosquatting and friendly emails
Psychological factors used by fraudsters
• Trust: Exploiting people’s impulse to trust is the basis of social engineering
• Ignorance: Lack of knowledge about social engineering attacks makes people and organisations vulnerable to fraudsters pretending they are in a position of authority
• Fear: People are afraid of loss, and fraudsters exploit people’s fears. For example, they might send a message or make a call warning about the possible loss of employment, money or access.
• Greed: Fraudsters promise rewards in exchange for divulging information, which could be in the form of seeking advance taxes or security deposits or customs fees before they actually receive
• Moral duty: People often feel obliged to help when scammers/fraudsters ask for help, especially when they seek donations during floods or Covid-19
• Urgency: Fraudsters might call or email in the guise of a high-ranking officer who requires urgent transfer of funds
• Panic/Anger: People don’t think clearly when they’re pressured to act quickly. Social engineers may call you pretending to be from support and present a frantic scenario that compromises your safety (like resetting the expiry date of your credit/debit card)
• Be wary of short URLs and information requested on Google forms from unknown sources
• Double check a web link before clicking or downloading attachments sent by unknown contacts
• Never send sensitive, personal, or proprietary information via email, regardless of who is asking for it
• Look out for poor spelling and grammar in emails and SMS
• Be wary of links/forms asking for personal information (passwords and bank information)
• Always check the header of an email for authenticity when someone asks you to transfer money, even if it is your boss
• Never search for customer care numbers on search engines. Open the respective app or the respective application’s website for the correct customer care number
• Scanning a QR code or giving an OTP, UPIN, bank card and CVV number means you are transferring money from your account, not receiving it
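One way to carry out the email header check from the list above, as an added example that is not part of the original article: the function name check_headers and the sample message are constructed for illustration, and the script only reads headers that the receiving mail server has already recorded.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return a list of warning strings for a raw email (hypothetical helper)."""
    msg = message_from_string(raw_message)
    warnings = []
    from_dom = domain(msg["From"])
    reply_dom = domain(msg["Reply-To"])
    # A reply that goes to a different domain than the visible sender is a
    # common sign of an impersonated "boss" asking for money.
    if reply_dom and reply_dom != from_dom:
        warnings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving server (RFC 8601).
    # Only trust the copy added by your own mail provider.
    results = " ".join(msg.get_all("Authentication-Results") or [])
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", results, re.I)
        verdict = match.group(1).lower() if match else "missing"
        if verdict != "pass":
            warnings.append(f"{mech} result is {verdict}")
    return warnings


# Constructed sample message; every name and domain here is made up.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Managing Director" <md@example.com>
Reply-To: md.office@example.org
To: accounts@example.com
Subject: Urgent transfer needed today

Please transfer the funds immediately.
"""

if __name__ == "__main__":
    for warning in check_headers(SAMPLE):
        print("WARNING:", warning)
```

A warning here is a reason to confirm the request through another channel, not proof of fraud, since legitimate mail can also fail these checks.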
(Author is the founder of End Now Foundation)