As the great Chinese general Sun Tzu himself said:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles."
The idea behind social engineering is to take advantage of a potential victim's natural tendencies and emotional reactions for the attacker's own gain. Sometimes it is easier to exploit a person's natural inclination to trust than it is to find a way to hack the software. For example, it is much easier to fool someone into granting access to their system than to break into it from the outside.
It doesn't matter how many locks, alarm systems and armed security personnel you station at your data centers, homes or office premises; there is still a chance of being compromised by means of social engineering.
What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
We'll dive into the different techniques the evil-doers use when they breach your privacy, and later discuss how to avoid becoming a victim:
1. Phishing: This is the most widely used social engineering attack, and it still remains successful. It typically involves sending e-mails that impersonate a legitimate source (a business, a bank or a credit card company) to create a sense of urgency, curiosity or sometimes fear. These messages are so persuasive that they lead victims into revealing sensitive information, clicking links to malicious websites or opening attachments that contain malware.
For example, a fraudster pretending to be a bank official or customer support representative sends an e-mail asking recipients to click a link, which redirects them to a fake website that looks as legitimate as the e-mail itself. If they log into the fake website, they are essentially handing their login credentials to the fraudster, giving him access to the real account.
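The phishing example above turns on one detail: the link text looks like the bank, but the link itself goes somewhere else. The following is an added illustration, not code from the original post, of the kind of check a mail gateway or a cautious reader can apply to an HTML message: it flags anchors whose visible text names one host while the href points at a different site, and anchors whose target is a bare IP address. The sample e-mail body and the domain names in it are constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the post).

Two heuristics, neither of which proves phishing on its own:
  * the visible anchor text names one host but the href points at another site
  * the href host is a bare IP address rather than a name
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a host name at the start of the visible link text, with or without scheme.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(a, b):
    # Compare the last two labels so www.example.com and example.com count as one site.
    return a.split(".")[-2:] == b.split(".")[-2:]


def find_suspicious_links(html):
    """Return a list of (href, reason) for every link that trips a heuristic."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        href_host = _host(href)
        if _is_ip(href_host):
            findings.append((href, "link points at a bare IP address"))
        match = HOST_RE.match(text)
        if match:
            text_host = match.group(1).lower()
            if not _same_site(text_host, href_host):
                findings.append(
                    (href, f"visible text says {text_host} but link goes to {href_host}")
                )
    return findings


# Constructed sample message: one look-alike link, one IP link, one benign link.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours. Please confirm your details now:</p>
<a href="http://examplebank-secure.example.net/login">https://www.examplebank.com/login</a>
<p>Or <a href="http://203.0.113.5/update">update your details here</a>.</p>
<p>Need help? Visit our <a href="https://www.examplebank.com/help">help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {href}: {reason}")
```

The mismatch check is the same thing the post recommends doing by hand: hover over the link and compare what it shows with where it goes. Automating it catches the case where the visible text is itself a URL, which is exactly how the "looks as legitimate as the e-mail itself" trick is usually dressed up.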
3. Vishing: Otherwise known as voice phishing, this changes the delivery method to telephone systems to gather personal and financial information. It is sometimes used for reconnaissance on a particular target.
4. Smishing: This involves sending text messages rather than e-mails to persuade the target into visiting malicious web pages.
5. Pretexting: Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just telling a lie; in some cases it means creating a whole new identity and then using that identity to manipulate the victim into handing over information.
6. Watering hole: This technique is target oriented. The attacker gathers information about the websites the target visits from his or her trusted systems, the ones that hold sensitive information and credentials. The attacker then compromises one of those websites by finding its vulnerabilities and injecting malicious code, which runs when the targeted system visits the site and gives the attacker access.
7. Baiting: This technique targets the greed and curiosity in human nature and exploits them for the attacker's profit. For example, the attacker may prepare a disk, usually a USB flash drive, infested with malware and leave it in a noticeable place such as a bathroom or the parking lot of the targeted company. The target picks up the bait and, out of curiosity, inserts it into a home or office system, leading to a silent installation of malware.
8. Quid pro quo: Quid pro quo is based on the idea of exchanging information, a favor for a favor. The target sees the situation as a win-win scenario and places confidence in the attacker. For example, the attacker contacts the target on the pretext of conducting a system audit as a member of IT support, offering to fix any technical problem the user may be facing. In the process the attacker can have the target type commands that launch malware or grant remote access to the system.
9. Tailgating: Some targeted networks are only reachable from inside the company premises, i.e. on a private network. Such premises are heavily guarded with RFID card access that the attacker does not have, so they wait and tailgate behind an authorized person, or in some cases befriend one and persuade them to open the door, claiming to have lost or forgotten their identity card.
How not to be a victim of social engineering:
1. Think first and act later: Attackers rely on creating a sense of urgency, which often leads the target to act hastily without taking security into consideration. So, on receiving any e-mail, text message or call, sit back, question the other party's authenticity, and only then make a decision.
2. Train employees: Educate employees about the security protocols associated with their positions, including how to handle situations like tailgating or a suspected breach, how to turn a suspicious person away, and how to inform the responsible authorities at the same time.
3. Stay updated: Many of us are too lazy to update our systems and software, but this ignorance or procrastination can wreak havoc. Attackers thrive on software vulnerabilities, and to counteract this, software publishers release patches from time to time.
4. Multi-factor authentication: Adding an extra layer of authentication always helps. Even if an attacker somehow acquires the target's credentials, techniques like 2FA can stop them at the doorstep.
5. Restrict personal information on social media platforms: Always be wary of what you share on social media platforms like Facebook, Instagram, etc. Know who can access that information and what is publicly visible. This helps protect you from attacks like spear phishing.
6. Waste management: When it comes to disposing of waste, whether at home or in the office, we have always been careless. Waste that may include documents with confidential information should be properly disposed of: burnt, shredded, or kept in a locked dumpster if necessary.