Social Engineering Attacks: How to Prevent Them?

Yaseen Ahmad
8 min read · Apr 6, 2021

Social Engineering is not an engineering discipline, whatever the name suggests. A telling example I came across a few days back was an interviewer asking an interviewee to explain the concept of a shell bank; the reply was that a bank belonging to a shell company is a shell bank. The same confusion surrounds Social Engineering, which people take for a classical engineering discipline. In reality, Social Engineering is a cybersecurity attack in which humans are deceived through social interaction and persuaded to share secret information, apparently for their own benefit, while in fact opening the door to unauthorized access to their systems.

The more we embrace technology, the more prone we become to cyber threats. With the heavy flow of data among users of the many online platforms, digital services, gadgets, and tools readily accessible to end-users, the chance of being trapped by cybercriminals is higher than ever, particularly since the emergence of COVID-19. To stay physically safe, people have started trusting these online platforms, tools, and techniques to communicate, learn, and grow their businesses; however, while this protects their physical security, it also raises the probability that users will confront digital attacks in cyberspace.

Social engineering is not a technical way of getting access to critical systems; rather, it is the method fraudsters use to manipulate users into revealing their confidential information, which then gives access to otherwise inaccessible critical resources. Humans are a great asset for running an organization, but they are equally vulnerable: they can easily be tricked into sharing secret credentials with fraudsters, leaving the organization susceptible to a security breach and to financial and reputational loss.

“There’s no technology today that can’t be overcome through social engineering.” (Kevin Mitnick, former hacker and social engineering expert)

Even with the best technical resources at hand, the best cybersecurity solutions deployed, and the best security precautions in place, no company is safe, because every company carries a risk factor that is hard to comprehend: the human. Rather than infiltrating a security system, attackers have realized that the major weakness is the human at the core of an organization.

Social engineering criminals take advantage of the human psyche, greed, and curiosity. Social engineering encompasses a wide range of malicious activities carried out through human interaction, tricking people into making a security mistake or simply into trusting a malicious actor and sharing sensitive information.

Security becomes meaningless even for a well-controlled and safe organization if the access details of key persons are handed over to social engineering hackers. This lets fraudsters infiltrate a company’s financial system regardless of their technical knowledge or programming skills, and with little risk to themselves.

According to a report on social engineering, 98% of cyber-attacks involve social engineering. The same report states that about 21% of present or former employees employ social engineering in one way or another for financial gain.

Social engineering is a type of social hacking. Many of us have received phone calls or SMS from an unknown number, or sometimes even from what appears to be the dedicated number of a payment-system provider or operator, with the caller claiming to be a genuine company representative. In the past couple of years such attempts have surged because of our heavy reliance on digital channels for sending and receiving money and paying bills.

Classification of Social Engineering Attacks

SE attacks are mainly classified as Direct and Indirect Attacks, and are further subdivided into more specific categories based on the intention behind the attack and the medium used to carry it out.

Types of Social Engineering attacks

1. Direct Attack — An attack established through direct communication between two or more people. SE is a social process: before the attack, communication takes place, initiated by the attacker who wants to commit fraud and gain access to the system by obtaining credentials from the target. It can be face-to-face, voice, or eye contact. This communication can be unidirectional or bidirectional.

Unidirectional — one-sided communication from the attacker to the target. It includes recorded phone calls, text messages, etc., delivered to the target to persuade them into some activity. These rely on human psychology and emotions. A phishing email sent by an attacker to targets, containing a link and built on emotional blackmail or a request to share information, is a typical example of this sort of social engineering attack.

Bidirectional — two-sided communication in which two or more parties, i.e. attacker and target, exchange messages. The parties may be individuals, groups, or organizations. Usually this involves influencing and impersonating people to encourage them to share sensitive or personal information, so as to gain access to individual or organizational systems and data.

2. Indirect Attacks — attacks in which a third-party medium is used to influence the target; the communication is not directly between the attacker (the social engineer) and the target. This category also falls under the umbrella of technical attacks. It includes web pages, social media sites, flash drives, etc. For instance, a flash drive is left somewhere, inviting people to use it. Once it is inserted into a personal or organizational computer, it opens backdoor access to the organizational system for stealing sensitive information.

Social Engineering attacks

Based on the scenarios, goals, and types described above, SE attacks are given various names.

  • Pretexting — A pretext is something inaccurate said in order to hide one’s real plans. In pretexting, scammers or fraudsters put forward a false but convincing story, or pretext, to dupe the victim. Cybercriminals keep the actual agenda secret, and sugar-coated, misleading stories convince the target to give up secret information. This does not happen overnight: the attacker first gets into conversation, starts a real investigation, and gathers information about the victim in order to attack with the right pretext. This sort of attack usually begins with a hello or hi and ends with financial and reputational loss for individuals and organizations. The pretext can be a job offer, or a hint that a friend needs help getting access to something. Many of us have received emails from unknown email IDs carrying a valid-looking, impressive name of an email service provider or some immigration authority, asking for personal details in exchange for immigration or a lottery prize. Many people get trapped this way. Sometimes an employee receives a message from a high-profile person in his or her company, i.e. the CEO or MD, asking for a quick money transfer or information sharing. This puts pressure on the employee, who misjudges the situation, acts in haste, and causes financial loss to the company.
  • Tailgating — Also known as piggybacking. Tailgating is usually a way of getting access to a place without security clearance by following someone who is allowed onto the premises. The attacker may ask an employee to hold the door, bypassing electronic clearance, under the pretext of being there to fix an issue or to meet someone.

In this way attackers gain access to an organization and may manipulate its data. Tailgating can also be done with a USB stick that provides wireless access, or by joining an organizational Wi-Fi network whose password is known.

  • Baiting attacks — These are much like phishing attacks, inviting users to click a link for a favor or to download some free stuff. They are Trojan horse attacks in that they can also work as a physical device threat: a USB device used in a coffee shop, internet café, or elsewhere may get infected with malware, and once the user inserts it into a personal or organizational computer, the malware activates and performs malicious actions in the background.
  • Vishing attacks — These attacks are committed via phone call. The attacker persuades the receiver to share sensitive information for a financial or promotional benefit. This is a direct social engineering method that bypasses the extra layer of email or SMS. Many people fall prey to it because customers are unaware of such deceptive tactics.
  • Smishing attacks — These attacks are committed using text messages that mislead and convince users to share sensitive information. Criminals send text messages containing embedded Uniform Resource Locators (URLs) that redirect to malicious sites. These attacks are very popular as well.
  • Watering hole attacks — In nature, predators wait near watering holes for a chance to attack their prey. Cybercriminals observe or guess the websites an organization uses and visits frequently, and infect one or a few of these sites with malware to get access to targeted pages. Typically government, defense, healthcare, or other organizations of public interest become victims where criminals identify weaknesses in cybersecurity.

Preventive Measures

Prevention is better than cure, because once a social engineer gets access to sensitive information the resulting losses cannot be undone. The best way to prevent Social Engineering attacks is to train users and make them aware by sharing real-life scenarios with them. Lack of knowledge about pretexting leaves users unable to detect anything unusual about pretexting requests. Carefully checking the email IDs from which fraudsters send phishing emails is very important. Employees of an organization need to check for a sense of urgency, suspicious links or attachments, and the language of the email body, i.e. grammar and spelling. In this way users can judge whether messages really come from the senders or organizations they claim to.


To prevent Social Engineering attacks, individuals and employees of any organization in general, and of financial institutions in particular, need to:

  • Avoid sharing personal information, whether by phone, email, or SMS
  • Avoid sharing financial data or information with anyone
  • Pay special attention to all URLs received via email or text, as these may closely resemble the actual company websites and convince the user to share personal or financial information.
  • Never trust an unsolicited offer of support, or a request that you support the sender. If you did not ask anyone for help, do not rely on any support offered online; verify the genuineness of the sender before replying.
  • Both individuals and employees working in a company need to keep their antivirus and Windows Defender up to date.
  • To prevent unauthorized physical access and tailgating at sensitive sites, companies need to adopt proper protocols, and should ensure that data and information systems are properly locked down and kept under tight security.
  • Ensure data security through effective implementation of user IDs and passwords, and preferably employ Two-Factor Authentication (2FA).
  • Proper guidance on, and implementation of, cybersecurity across the board is necessary to avoid theft
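As an added example (not code from the original article), the following Python script applies the checks described above and in the Preventive Measures paragraph: the sender’s email ID, link hosts that closely resemble the real company website, and urgency language in the body. The trusted domain examplebank.com, the urgency phrases, and the sample addresses are assumptions made for the demonstration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: the domains this hypothetical company legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Look-alike characters often substituted in typosquats, mapped back to the
# ASCII letters they imitate (digits plus a few Cyrillic letters).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o"})

# Constructed list of phrases that signal the "sense of urgency" the article warns about.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account suspended", "act now")

def host_of(value: str) -> str:
    """Extract the lower-cased host from an e-mail address or a URL."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower().rstrip(".")
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower().rstrip(".")

def classify_host(value: str) -> str:
    """Return 'trusted', 'lookalike' (homoglyph, typo or prefix trick) or 'unrelated'."""
    host = host_of(value)
    # Undo common substitutions: digits for letters, 'rn' for 'm', 'vv' for 'w'.
    normalized = host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
        label = trusted.split(".")[0]
        if normalized == trusted or label in normalized:
            return "lookalike"   # e.g. examp1ebank.com, examplebank.com.evil.example
        if SequenceMatcher(None, normalized.split(".")[0], label).ratio() >= 0.85:
            return "lookalike"   # e.g. examplbank.com (one dropped letter)
    return "unrelated"

def score_message(sender: str, body: str) -> dict:
    """Run the article's checks on a message: sender domain, link hosts, urgency cues."""
    findings = []
    sender_class = classify_host(sender)
    if sender_class != "trusted":
        findings.append(f"sender domain is {sender_class}: {host_of(sender)}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        link_class = classify_host(url)
        if link_class != "trusted":
            findings.append(f"link host is {link_class}: {host_of(url)}")
    lowered = body.lower()
    findings += [f"urgency cue: '{w}'" for w in URGENCY_WORDS if w in lowered]
    return {"suspicious": bool(findings), "findings": findings}
```

A real mail client usually shows internationalized hosts in punycode (xn--) form, so for production use the host would need to be decoded before the homoglyph step.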

These preventive measures and compliance best practices are the need of the day; however, Social Engineering is tough to avoid entirely. Companies should ensure they have good monitoring practices and tools in place. Organizations need a cybersecurity framework so that, in case of any malicious activity, the system generates an alert prompting the IT administrator or the Cybersecurity Manager. Last but not least, the logs maintained should be monitored, checked, and analyzed for abnormal activities performed by users, to avoid any theft or unauthorized access.


Yaseen Ahmad

I am a Computer Systems Engineer who has the patience for writing. I love to write blogs on WordPress-related stuff and Cyber/Information Security.