In this article we’ll cover Social Engineering.
We’ll start off with a definition of what social engineering is.
After developing a clear understanding of Social Engineering, we’ll proceed with a few examples of how it is applied in the real world, and what threats we should look out for.
We’ll explore the subject further by discussing how we’re under attack each and every day, and explain what countermeasures we can take to avoid becoming a victim of Social Engineering.
Definition of Social Engineering
Social Engineering is the act of manipulating a person to either:
- Disclose sensitive information about themselves or others.
- Perform actions that the victim would otherwise not have taken.
The information acquired from the victim can, for example, be used to gain access to their various online accounts, such as bank accounts.
Unlike “traditional” hacking, where the technical competence of the attacker is key, social engineering focuses solely on exploiting the “human factor”, in other words, the user.
Social engineering is the act of manipulating users into giving up information or performing actions.
There is a wide variety of Social Engineering attacks.
Common to all of these attacks is that they make use of basic psychological traits in humans, and exploit these traits as “weaknesses”.
Social Engineering Techniques & Examples
Social Engineering can be seen in a great many different contexts, and we argue that only the imagination limits the approaches and techniques used for Social Engineering attacks.
Typical contexts and technical environments where social engineering is widely used are e-mail, phone, social media, various chat services, web sites and the like.
All these media have one criterion in common, and this criterion is also what is needed to label a scam as Social Engineering: the attacker can get in touch with the victim.
However, social engineering attacks are not limited to digital channels; they may also involve physical presence and contact with the victim.
Based on my own and others’ experiences, the most common media used by fraudsters in a social engineering attack are as follows:
- Attacks through e-mail
- Attacks through social media
- Attacks through telephone
The following paragraphs provide a brief explanation of how a social engineering scam can play out on each of these channels.
Social Engineering Scam Through E-mail
A common psychological element that scammers exploit through e-mail is our respect for authorities.
As an example, let’s assume you receive an e-mail which looks like it was sent by the police.
The “investigator” (the actual scammer) needs the victim’s account number to clear him or her of a criminal case regarding suspicious money transfers.
Attacks Through Social Media
On social networks, social engineering techniques often have a financial angle.
The victim may receive a request from a “bank” offering very good loan terms. The bank only needs a small transfer to verify the user’s account number.
Social Engineering by Phone
Who hasn’t received a call from the reputable Microsoft scammers?
The scam plays out like this:
The caller pretends to be a representative of Microsoft who wants to help you out of a crisis with your personal computer.
The scammer might claim that your PC has been infected with viruses.
Although this scam is now widely known, it is still very effective.
It makes use of the psychological principles of fear and respect for authorities, and the elderly in particular fall victim to this sort of social engineering attack.
The Social Stigma
There seems to be a great deal of social stigma connected to being exposed to a computer crime.
The general view often appears to be that only unintelligent people become victims of this type of crime.
There are probably several reasons for this perception, such as poorly written scams and unlikely scenarios (“Loan 5 million on the day” and the like).
My personal opinion is that these are techniques used intensively by the scammers.
When victims realize that they have been scammed, they look back on the exchanged messages and get the feeling that “one should have understood it”.
This leads to fewer victims coming forward, and the scammers can carry on undisturbed.
If you’ve become a victim of a computer crime, report it!
Thoughts on Information Security
Information security is an issue that is becoming increasingly relevant and is no longer a subject only for professionals.
Since the late 1990s there has been a huge increase in Internet usage, and a corresponding increase in criminals who make use of Internet services for financial gain or other malicious activity.
Information and cyber security are topics that are often overlooked by the average Joe.
This can potentially lead to very serious consequences, both social and economic, for those exposed to a computer crime.
A major challenge associated with “ordinary” Internet users is their lack of knowledge of the potential attacks, and hence of the consequences.
Raising the level of knowledge among everyday Internet users is therefore a major challenge, and one often sees that the users themselves are the weakest link, which is exactly what social engineering exploits.
For businesses and other commercial actors, this is also a very relevant topic.
Besides good training and awareness for employees, there are also greater demands on technical competence.
Correct and secure design of information systems is critical.
But what is a “safe information system”? Does it mean that the system is impenetrable?
It is important to keep in mind that the attackers only need to find one way into the system; one method to achieve their goal.
However, to prevent a breach, you will have to guard against any conceivable attack.
This race between “the good” and “the bad”, in a technology that is constantly changing, is a major challenge.
Taking a step back and looking at society as a whole, it is largely dependent on technical infrastructure.
A potential attack on this infrastructure can, in a worst-case scenario, bring our whole society to a halt.
Technical competence in the right places is therefore very important in order to ensure national and international information security.