“An art of exploiting Human Psychology” - Social Engineering

Social Engineering, Phishing, Vishing, Spear phishing, Whaling

“An art of exploiting Human Psychology”

Nowadays it has become harder to defend against social engineering attacks than against technical attacks, because a social engineering attack can bypass technical controls, including firewalls, by going through people instead of systems.

What is Social Engineering? 

Social engineering is a technique used by attackers to persuade people into performing actions and revealing private information that may be useful for fraudulent purposes.

In today’s world humans are more susceptible to attacks by the bad guys than machines are. So it is very important for an organisation to create a safe environment by raising awareness among its employees to avoid such attacks, and by explaining the consequences of such incidents: the damage they cause to the reputation of the organisation and the financial catastrophe they might bring.

Below are the principles and techniques social engineers rely on, and how to mitigate them.

Principles of Social Engineering:

Social engineering attacks depend on a few principles. They are:

Authority: 

People usually obey instructions from those in authority. In this case the attacker, the social engineer, pretends to be someone who has authority and thereby leads the victim to reveal sensitive information, for example credit card details.

Intimidation:

In this case the attacker tries to intimidate the victim with threats. For example, the attacker might blackmail you so that you reveal sensitive information.

Consensus: 

In some instances the attacker approaches the victim under false pretenses, claiming that a colleague or friend in the organisation once provided them with the necessary details, and asks the victim to share those details once again: for example, banking information and PIN codes required for a wire transfer.

Scarcity: 

Social engineers use time as a tool: they get the victim to perform the instructed tasks within a stipulated time in order to gain access to whatever confidential data the attacker seeks. The victim has only a limited amount of time to act and hence acts without thinking.

Urgency:

This is similar to scarcity. The attacker uses this principle to get things done much faster than usual. The attacker might impersonate someone from the company and ask the victim to provide details immediately, without giving them time to think.

Familiarity:

Familiarity is a social engineering principle where the attacker first builds a rapport with the victim and then carries out the attack. Once the victim is familiar with the attacker, the victim willingly provides them with confidential data.

Social engineering Techniques:

Social engineering attack techniques come in many forms and can be implemented in any situation that involves human interaction.

The following are the types of social engineering attacks used by attackers to gain your confidential data.

Phishing 

Phishing is one of the most popular forms of social engineering attack. It involves the attacker sending an email or text message to the victim in order to obtain sensitive information such as usernames, passwords and credit card details, which can in turn be used for illicit activities.

Spear phishing

Spear phishing, also known as targeted phishing, is an attack where black hat hackers target a very specific group of people in the organisation. When carried out well, it is very hard to detect, and the victim ends up exposing sensitive data.

Whaling

Whaling is another form of phishing attack, one that targets the highest-ranking executives of the company. This attack targets the C-level executives of the organisation and often leads to the loss of sensitive data such as intellectual property and company trade secrets, which in turn causes catastrophic financial loss and reputational damage to the organisation through the victim.

Vishing

Vishing, also known as voice phishing, is an attack carried out over the phone. The bad guys usually spoof the caller ID so that the call appears to come from a familiar number and the victim answers it. Examples of a vishing attack are calls saying that your bank account has been compromised, that you are eligible for a loan, that you have won a prize, etc., which then ask you for personal information that can be used for fraudulent activities.

Tailgating

Another type of social engineering attack, one that is very prevalent and easy to carry out if nobody notices, is tailgating. Tailgating is a technique in which the attacker follows someone else in order to gain access to a building or any workspace environment.

An example of tailgating is an employee of an organisation holding a door open for someone entering the building, or for a visitor without a badge. This can be a very serious issue because the intruder then has access to the workspace.

Why is Social Engineering Dangerous?

The reason social engineering is such an effective attack is people. People are the weakest link in the system and they are the prime targets of black hat hackers. A successful social engineering attack can result in the loss of private data such as PII, intellectual property and user passwords, in the hackers gaining access to physical systems, in malware being installed on the system, etc. According to a survey based in the UK, 98% of cyber attacks rely on social engineering, which makes it one of the most dangerous kinds of attack.

Social Engineering Mitigation:

Social engineering can be prevented if awareness is created among the employees. The top three steps to mitigate social engineering attacks in an organisation would be:

i) User awareness and training, which is one of the most important measures against this kind of attack. Users should be trained to recognise the different types of attack. People are the weakest link in the system, and with proper training such attacks can be mitigated and sensitive data can be secured.

ii) The next step would be to not reveal any of your personal details to anyone. If you are not familiar with the sender of an email, discard the email.

iii) The third step would be to set up a spam filter. Most email services nowadays come with one. With a spam filter in place, suspicious mail and links are discarded, and it also makes it easier to organise your email. This makes it hard for the hackers to reach you, and your confidential data remains safe.
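As an added illustration of the kind of checks a filter can run on incoming mail (example code written for this post, not part of the original or of any mail product): the function below scores a message against the principles described above (authority, intimidation, urgency, scarcity), flags a sender domain outside the organisation, and catches a link whose visible text names a different host than its real destination. The cue words, the trusted domain and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original post): a spoofed "CEO" request that
# leans on authority, urgency and scarcity, with a link whose text hides its target.
SUSPICIOUS_EMAIL = """\
From: "Jane Doe (CEO)" <ceo-office@example-mail.test>
Subject: URGENT wire transfer needed today

<p>I need you to process this transfer immediately, before 5pm.</p>
<p>Confirm at <a href="http://login.example-bad.test/pay">https://bank.example.test</a></p>
"""

# Constructed benign internal message for comparison.
BENIGN_EMAIL = """\
From: "Sam Lee" <sam.lee@example.test>
Subject: Minutes from Monday's meeting

Attached are the notes, no action needed.
"""

# Cue words mapped to the principles described above (assumed, illustrative list).
CUES = {
    "authority": ["ceo", "director", "it department", "your bank"],
    "intimidation": ["suspended", "legal action", "compromised"],
    "urgency": ["urgent", "immediately", "right now", "asap"],
    "scarcity": ["today", "before 5pm", "expires", "limited time"],
}
TRUSTED_DOMAINS = {"example.test"}  # assumed: the organisation's own domain

def score_message(raw, trusted=TRUSTED_DOMAINS):
    # Returns (score, findings); a higher score means more social-engineering cues.
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    name, addr = parseaddr(msg.get("From", ""))
    text = " ".join([name, msg.get("Subject", ""), body]).lower()
    findings = []
    for principle, words in CUES.items():
        hits = [w for w in words if w in text]
        if hits:
            findings.append(f"{principle}: {', '.join(hits)}")
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in trusted:
        findings.append(f"external sender: {domain}")
    # Visible link text naming one host while the href points at another.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        if "://" in shown and urlparse(href).hostname != urlparse(shown).hostname:
            findings.append(f"link mismatch: {shown} -> {href}")
    return len(findings), findings
```

A real filter would combine such cues with sender authentication results (SPF, DKIM, DMARC) rather than rely on keywords alone; the keyword list here only shows how the principles above map to observable text.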

A social engineering attack is one of the most effective and unique ways to obtain sensitive data because it exploits these principles, and it is also very hard to detect if it goes unnoticed or if the employee lacks awareness and training.

If your IT infrastructure system is compromised or if you would like to be prepared you can contact us at info@rootfloe.com for a free consultation.
