Social engineering is the term for malicious activity accomplished through human interaction rather than through a technical break-in. Fraudsters use psychological manipulation to trick users into making security mistakes and giving away sensitive personal information.
Social engineering plays on an individual's innate impulses (greed, trust, anger and the like) by building a trust relationship with the target and then exploiting that relationship to obtain the information needed for the next step of an online crime.
Reasons for falling prey to Social Engineering crimes
* Trust: the instinct to trust is the impulse every social engineering attack is built on
* Ignorance: lack of knowledge of how these attacks work
* Fear: people are afraid of loss
* Greed: people looking for quick and free income
* Moral duty: people feel obliged to help, as if it were a social responsibility
* Urgency: people fall for manufactured urgency (a deadline announced by someone posing as an authority)
* Panic/Anger: a frantic scenario in which someone's safety is said to be at risk
Motivations for doing Social Engineering crimes
* Technical avoidance – Some technically qualified people see it as a quicker path to financial gain than trying to breach a complex, cumbersome technical defence.
* Self-education – Some first-time hackers are motivated simply by the thrill of gaining knowledge and try to beat the system for fun.
* Financial gain – The drive to gather information for money can be triggered by many things: feeding a habit (an addiction), seeing it as an easy way to get money, organised crime, blackmail, etc.
* Revenge – Unhappy or departing employees may do it. They may even target an individual for refusing a relationship or for ending an existing one.
* External pressure – Blackmail, ransom, family pressure, organised crime and extremist beliefs can all be used to pressure an individual into committing a cybercrime.
* Terrorists, ideologically motivated – These groups can be fanatical about their cause and will try to capitalise on weaknesses inherent in the financial and critical information infrastructure to shock a target population.
* The wannabe – Often people with psychological issues who want to be a hero are motivated to do something daring, or to spy, to satisfy their own distorted psychological needs.
Stages of Social Engineering attacks
* Information gathering – Internal phone directory, birth dates, organisational charts, personnel records, social activities and relationships.
* Development of relationship – The psychological element of trust: the attacker presents themselves as a senior member of the organisation who shares a confidence with the target to strengthen that trust further.
* Exploitation of relationship – Manipulating the victim into handing over information such as a username and password, in preparation for the illegal action.
* Execution to achieve the objective – Having obtained the required personal or sensitive information, the social engineer uses it to access the system and complete the illegal action.
Social Engineering Crimes – Methods
* Phone – A social engineer/fraudster calls the victim, presents themselves as a person of authority and uses pressure techniques to extract sensitive and personal information.
* Eavesdropping – A fraudster positions themselves to secretly listen in on a conversation over work chat or in a lunchroom.
* Live – The attacker gains direct, in-person access to the victim's computer system to obtain information that may later be used to commit cybercrime.
* Dumpster diving – Searching a company's trash for helpful documents (employee records, organisational charts) that may assist a social engineering attack, and for discarded equipment such as old hard drives. Related lapses include unattended USB drives and sticky notes left on an unlocked screen.
* Shoulder surfing – Looking over an employee's shoulder to see what password they are typing into the computer.
* Bogus surveys – False pop-up windows telling the user that their internet connection has dropped, or a simple survey form asking for feedback, in which they are required to enter their user details (username and password).
* Phishing/Vishing/Smishing – Attackers send emails, make phone calls or send SMS messages, presenting themselves as a legitimate organisation (e.g., a bank, a club or a government body) to obtain personal and sensitive details that are then used to commit cybercrime.
* Pharming – Similar to phishing in that the user believes they are entering their personal details (username, password) into a legitimate site, but they are actually on a spoofed or mimicked site, typically reached through a poisoned DNS or hosts-file entry rather than a link, which forwards the user's details to the attacker for later use.
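As an added example (not part of the original column), the following Python script shows one practical check for the spoofed sites used in phishing and pharming lures: it takes the link from a suspicious message, folds common look-alike characters, and measures how close the link's domain is to a short allow-list of domains the organisation really uses. The allow-list, the confusable table, the public-suffix shortcut and the sample URLs are all constructed for this illustration.

```python
"""Look-alike domain check for links in suspected phishing/pharming lures.

Added example: the allow-list, confusable table and sample URLs below are
constructed for illustration and do not belong to any real organisation.
"""
from urllib.parse import urlparse

# Hypothetical allow-list of registrable domains the organisation really uses.
LEGIT_DOMAINS = {"examplebank.com", "example-club.org", "telangana.gov.in"}

# Characters commonly swapped in for Latin letters (partial table, an assumption).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Second-level labels under which registrations sit one level deeper (e.g. gov.in).
TWO_PART_SUFFIX_LABELS = {"gov", "co", "ac", "org", "com", "net"}


def normalise(label: str) -> str:
    """Fold case and common homoglyphs so 'ExArnp1eBank' compares as 'examplebank'."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the host name; decode punycode (xn--) labels so homoglyphs are visible."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable labels as-is; they are still compared below
    return host


def registrable_domain(host: str) -> str:
    """Crude public-suffix handling: last two labels, or three for e.g. gov.in / co.uk."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIX_LABELS and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str, legit=LEGIT_DOMAINS):
    """Return (verdict, closest_legit_domain) for the link's host."""
    host = host_of(url)
    reg = registrable_domain(host)
    if reg in legit:
        return "legit", reg
    norm = normalise(reg)
    for good in legit:
        if norm == good:
            return "homoglyph", good           # e.g. examp1ebank.com
    for good in legit:
        brand = good.split(".")[0]
        if good in host or brand in host.split("."):
            return "brand-in-subdomain", good  # e.g. examplebank.com.evil.net
    closest = min(legit, key=lambda g: levenshtein(norm, g))
    if levenshtein(norm, closest) <= 2:
        return "typosquat", closest            # e.g. exampelbank.com
    return "unrelated", closest


if __name__ == "__main__":
    # Constructed sample links as they might appear in a lure email or SMS.
    for link in [
        "https://www.examplebank.com/login",
        "http://examp1ebank.com/verify",
        "https://examplebank.com.secure-update.net/",
        "https://exampelbank.com/",
        "http://telangana-gov.in/survey",
    ]:
        print(f"{link:50} -> {classify(link)}")
```

The check is deliberately conservative about what it calls "legit": only an exact match on the registrable domain passes, so a brand name buried in a subdomain of an unrelated registration is flagged even though the link "contains" the real name. A production version would replace the public-suffix shortcut with the real Public Suffix List and extend the confusable table, but the structure of the decision stays the same.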
Stay Tuned to Cyber Talk to know more about internet ethics and digital wellness brought to you by Anil Rachamalla, End Now Foundation, www.endnowfoundation.org
Now you can get handpicked stories from Telangana Today on Telegram every day. Click the link to subscribe.