What is social engineering? Are you aware of how it is done and the impact it may have on you? Social engineering is a method that uses psychological manipulation of people in order to make them reveal sensitive information. In social engineering fraud, the hackers or attackers establish a rapport with the victim and build trust with them, gradually interacting with them in order to extract sensitive information for financial gain.
Social engineering is usually executed in four steps:
Planning the attack: The first step in social engineering is to plan the attack, including identifying victims and execution strategies. A social engineer spends a lot of time planning the attack. They gather information from multiple sources, such as physically following and observing the victim, connecting with the victim through social media and collecting information from third-party sources. The more information about the victim that is available in the social space, the easier the social engineer's work becomes.
Establishing rapport: The second step in social engineering is to establish a rapport with the victim. A social engineering attacker first concentrates on gaining the trust of the victim, because the success of a social engineering attack depends on the level of cooperation from the victim. Once the attacker develops a rapport, the victim will feel comfortable sharing confidential or sensitive information with the attacker. One of the common ways attackers establish rapport is through emotional connections. They may tell a fabricated story to gain the sympathy and affection of the victim, who eventually considers them a friend and shares the information the attacker is looking for.
Collecting information: The third step is to collect confidential information while posing as a genuine person. This is the stage where the attacker tries to collect more information, such as a username and password, to access and infiltrate critical applications. At this stage, the attacker usually uses his or her soft skills to retain the trust gained during the second step without arousing the victim's suspicion.
Executing the fraud: The final step is to execute the fraud by performing transactions with the intention of obtaining financial benefits from the victim or the organization the victim represents. The attackers usually look for a smooth exit, without the victim or organization realizing that their information has been compromised.
Types of social engineering attacks
Phishing: Phishing is a method of fraudulently gaining access to your sensitive information. An email message containing an attachment or link is sent to users from an email address that is similar or identical to a genuine one. The attachment is usually malicious: once opened, it may install malware, or the link may direct the victim to a fake website that asks them to enter their sensitive information, thereby giving the attacker access to it.
Vishing: Vishing, also known as phone phishing, is similar to phishing but is executed through fake telephone calls. Unlike other types of phishing, where an email message is used, vishers use the telephone to pursue their fraudulent objectives and gain access to personal and sensitive information. During the telephone call, an Interactive Voice Response (IVR) system may instruct you to provide your credit card details or Internet banking details in order to prevent your card or account from being blocked.
Smishing: This method uses SMS messages that typically ask you to claim prize money or to find out about offers. You will then be asked to share confidential and personal information, with the malicious intent of compromising it. Sometimes the SMS contains a hyperlink, and if you click it, malicious software may be downloaded to your mobile phone.
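As an added example, not taken from the original article, the following Python script shows one defensive check behind the phishing and smishing descriptions above: it flags a sender address or link whose domain merely resembles a trusted one. The trusted domain list, the character-swap table and the sample message are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of domains the organisation genuinely sends from (assumption).
TRUSTED_DOMAINS = ("examplebank.com",)

# Character swaps commonly seen in look-alike domains; folded before comparison.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

ADDR_RE = re.compile(r"@([A-Za-z0-9.\-]+)")
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Lower-case, strip accents from Latin letters (e.g. 'é' -> 'e') and apply SWAPS."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for bad, good in SWAPS:
        folded = folded.replace(bad, good)
    return folded


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for one domain."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for target in TRUSTED_DOMAINS:
        # Same name after folding, or a near match by edit similarity (typosquat).
        if norm == normalize(target) or SequenceMatcher(None, norm, target).ratio() >= 0.85:
            return f"lookalike:{target}"
        # Trusted name used as a subdomain of an unrelated domain.
        if norm.startswith(target + "."):
            return f"lookalike:{target}"
    return "unknown"


def scan_message(raw: str) -> list:
    """List (where, domain, verdict) for the From: domain and each link host that is not trusted."""
    findings = []
    header, _, body = raw.partition("\n\n")
    for line in header.splitlines():
        if line.lower().startswith("from:"):
            m = ADDR_RE.search(line)
            if m and (verdict := classify_domain(m.group(1).lower())) != "trusted":
                findings.append(("from", m.group(1).lower(), verdict))
    for host in URL_RE.findall(body):
        verdict = classify_domain(host.lower())
        if verdict != "trusted":
            findings.append(("url", host.lower(), verdict))
    return findings


# Constructed sample message: digit '1' in place of 'l', and the bank name as a subdomain.
SAMPLE = """From: Example Bank <alerts@examp1ebank.com>
Subject: Your account will be blocked

Please verify your details at https://examplebank.com.login-verify.test/confirm
"""

if __name__ == "__main__":
    for where, domain, verdict in scan_message(SAMPLE):
        print(f"{where}: {domain} -> {verdict}")
```

A real deployment would compare against the organisation's own domain list and feed the verdicts into a mail gateway rule or a user-facing warning banner rather than printing them.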
How to prevent social engineering attacks: countermeasures
Use your intelligence: You should always be able to identify a hacker from the questions being asked. Whenever someone asks for confidential information that is not relevant to the current scenario, it could possibly be a case of social engineering.
Know what you share: You should be cautious when dealing with strangers and should never share confidential information such as your credit card CVV number or the password to your account. Additionally, even before sharing information such as your account number, PAN number, date of birth, or credit or debit card numbers, verify the authenticity of the person with whom you are sharing it.
Keep yourself updated: You should keep yourself up to date with the various social engineering techniques prevailing in the digital world.