How to Protect Yourself from Social Engineering Attacks

The use of the wooden horse statue by the Greeks to invade Troy is arguably the oldest social engineering attack known to man. This method of making the Trojan to allow their destroyers get right into the homes of Troy is considered to be so clever, that an entire section of malware has been named after it.

The art of psychologically manipulating people so that they give up confidential/sensitive information is known as social engineering. These are non-technical attacks, which rely on fooling people into deviating from regular security procedures.

People engaging in this criminal act either target individuals for things such as bank information and passwords, or they might target the employees of entire organizations for sensitive corporate information, which they can then use to make a lot of quick money in the market.

The use of social engineering has increased vastly, as it is more difficult to hack someone's software/password than to win their trust and exploit them to gain information that is wanted. No matter how technically it sound the security chain might be, information is always susceptible to attack if the people involved with the information are vulnerable.

The key to protecting oneself from such fraud is to develop a good sense of who and what to trust. The various types of social engineering that one can be targeted with are based on common attributes of the human thought process while making decisions.

The various biases that a human may have towards a person or a situation are exploited in an endless list of combinations, some of which we will look ahead.

This is one of the most common threats of social engineering, in which conmen create an imaginary scenario to interact with the targeted person in such a way that the person would voluntarily give out information or perform certain actions, which he/she would not do in ordinary circumstances.

This technique is carried out by first finding out information about the targeted person or organization through documents such as discarded bank/financial statements, which is then used to convince the target that the conman has a sense of authority.

This technique can also be used by impersonating people like the police, tax officials, or insurance investigators, who in the mind of the victim have a right to know about the information.

The conman simply does a little research to satisfactorily answer questions asked by the victims, behaves earnestly and authoritatively, and extracts information with quick thinking and manipulation of the situation.

This technique uses the greed or curiosity of the target. Usually, the criminal uses some form of physical media like a CD or pen drive, which is given a legitimate but interesting label. It is then purposely left in a place like a restroom or elevator, where it is sure to be found by someone.

When any person finds the CD, he/she is expected to get curious about the label and the data that it contains. However, on inserting the CD into a computer, they unknowingly install malware into the system, which could give the attacker unrestricted access, not only to that computer, but also to the company's internal network.

In this method, the attacker's intention is to gain entry into a restricted area of large organizations. If the area is guarded by electronic access systems, like electronic employee ID cards, the attacker just walks behind a legitimate employee having access to the area.

Usually, the real employee will hold the door open for the attacker as courtesy, as he/she may think that the attacker is a part of the organization. They might forget to ask the attacker for identification, or may assume that he has misplaced his ID. The attacker might also display a fake ID, giving him access to any place that he may want to go.

In this technique, the attacker randomly calls telephone numbers at the targeted company, posing as a member of the technical assistance staff, and asking if there is any problem with the computer systems.

Eventually, the attacker will find someone having a genuine problem, and will help solve the issue, all the while getting the distressed employee to unknowingly type in commands which will give the attacker access to the network, or put in a malware in the computer.

This is another popular method used by criminals to fraudulently obtain private information about a person. The scam is run by either sending an email or making a phone call to the target. The email/phone call is designed to appear like legitimate correspondence from real businesses, like banks or credit card companies.

If such an email is received, it will have links to a webpage with seemingly legit logos and company content, and a form which will request all kinds of details, such as PIN numbers or addresses, for alleged verification purposes.

In phone calls, a bogus interactive voice response (IVR) system prompts the target to call a supposed bank number, where a lot of information is asked for verification purposes.

These systems work by appearing to reject login IDs and passwords entered by the victim, so that the information is entered multiple times. Some systems even transfer your call to the attacker, who gains information by acting as a representative from the customer service department.

Example 1: In 2011, a security company ironically had a breach in their security system, which the attacker accessed using social engineering. Over a couple of days, two phishing emails were sent to low-level employees of the firm. The subject of these emails was '2011 recruitment plan'.

Example 2: In 2013, a Chinese cyber-espionage group named 'Hidden Lynx' made several attacks on the digital code signing certificates of security companies.

Social engineering attacks prey on the nature of humans to be helpful and trusting, and many individuals are unaware of how these attacks look like. Even if the employees of a company are trained to spot such frauds, third-party contacts can still compromise security.

Therefore, such attacks are difficult to prevent completely. However, in order to make it difficult for social engineers and discourage them from attacking, some preventive measures need to be taken.

✦ Training should be provided in small pieces rather than as a whole, so that it is easily understood.

✦ Using simulated attacks of likely fraudulent scenarios will help in identifying the signs of social engineering.

✦ Make sure that employees are trained to politely question people they don't know, about their presence in the office premises, and ensure that regular sessions and talks about security issues are held, so the problem of social engineering is always fresh in the minds of the employees.

This list of preventive measures is by no means a complete one. However, it is hoped that the information has gives you some food for thought. Social engineering attacks occur on a daily basis, and it is important that awareness is maintained, so that one does not give out information just because the attacker asked for it nicely.