In the era of rampant cybercrimes where newer techniques evolve each day, ‘social engineering’ is not a term unheard of. So, what is Social Engineering? Is it a new branch of engineering that you never that your college is not offering? Well, no! It has nothing to do with engineering AT ALL!! It is a technique used by cyber criminals to defraud innocent victims. Here’s all that you need to know about social engineering attack techniques. Also, some handy tips to avoid being a social engineering victim.

What is Social Engineering?

Social Engineering is the trending technique for trapping gullible individuals into divulging their personal information. Rightly called ‘social engineering’ as it exploits a person’s natural tendency to trust another individual. Social Engineering is more of an art! Know why? Because it requires a certain mastery to manipulate people into entrusting another individual, usually a stranger, with personal information.

Miscreants find it easier to employ social engineering to gain personal information than use traditional techniques such as hacking. Social engineering attack techniques vary as per the final objectives of miscreants. Some may seek information such as passwords and financial details to cheat victims of money. Likewise, some use this technique to gain access to the victim’s computer to covertly install malicious software. This enables them to gain control over their systems and access their personal information.

The Crux of Social Engineering Attacks

Trust is crucial for an individual’s security –in the physical, emotional space as well as cyber space! Not knowing when and whom to trust is the trait that cyber criminals look for in a potential social engineering victim. Social engineering attacks exploit the gullibility of individuals into trusting online communication or information.

With the colossal upsurge in fake websites and spam emails, it is important that you know what and whom to trust in the digital space. Be cognizant of the legitimacy of online information. DO NOT accept any information or person at face value. This is the biggest weakness that ‘social engineers’ exploit to trap victims!

Some Common Social Engineering Attack Techniques

Unscrupulous agents use different forms of social engineering attack techniques based on the gullibility of the target victim. The social engineering attack lifecycle consists of 4 basic steps – Investigation, Deception, Play and then Exit.

Even a small point of human interaction is enough to execute a social engineering attack. The following sections shall enlighten you on the tips to avoid being a social engineering victim. But, before that, here are some common social engineering attack techniques.

1. Baiting

This technique exploits the victim’s tendency to react to a bait that attracts his/her greed or curiosity. Miscreants lure victims into a trap with the intention of stealing their personal information or infecting their systems with malware. It is possible to execute baiting in both the physical as well as cyber space.

Example:

(a) Baiting in the Physical Space

A typical example of such social engineering attacks involves using malware-infected flash drives as the bait. Social engineers usually leave them in a place where a victim is most likely to notice it. This includes places such as elevators, parking lot and bathrooms. Most times, the bait looks quite enticing and may have a label denoting ‘bonus’ or ‘confidential’ stuck on it.

Usually, the victim picks up the flash drive out of curiosity and inserts it into his/her personal or corporate system. Voila! Mission accomplished!! The infected flash drive does it work of installing malicious software in the system.

(b) Baiting in the Cyber Space

In the cyber space, perpetrators deploy such social engineering attack techniques on peer-to-peer sites offering movie and/or music downloads. Furthermore, they may also deploy baits on social networking platforms and a malicious/fake website that entice an individual through ads. Such ads then lead to malicious websites that persuade the victim to download malicious software. The malicious software could be a malware or virus that enables the cyber criminals to access the victim’s sensitive data.

2. Phishing

Phishing is one of the most common social engineering attack techniques. In this, the fraudster uses online communications such as email or SMS to gain the victim’s trust. The email/SMS campaigns are so crafted that they look strikingly legitimate and evoke a sense of curiosity, urgency or fear. This encourages them to respond by divulging sensitive information, opening attachments containing malicious software, or clicking on malicious links.

Example:

A common phishing mail is when users of an online service receive a notification citing ‘unusual login activity’. Or, an email alert citing temporary suspension of the account due to an error. The email contains a link which leads to a malicious website meant for stealing the victim’s credentials.

3. Scareware

As the name itself suggests, scareware is a social engineering technique wherein perpetrators use false threats and bogus alarms to cheat victims. Also known as fraudware, rogue scanner software and deception software, it prompts the victim to install a bogus software citing a malware infection. The software installed may itself be malware or may enable the perpetrators to obtain the user’s confidential details. Scareware is often distributed through spam emails containing bogus warning or offers.

Example:

The user receives a pop-up informing him/her of a malicious spyware infection to their computer. The pop-ups look pretty legitimate thus leaving no scope for doubts. It urges the victim to install a corrective tool (usually containing malware) or leads him/her to a malicious site.

4. Pretexting

Pretexting is a social engineering technique that uses an interesting ploy to deceive victims. Once the perpetrator gains the victim’s trust, making the latter disclose sensitive information become a cakewalk. Did you know that successful pretexting attacks have tripled since 2017?

Following are some common pretexts for deceiving victims into divulging their personal information:

• Urgent call for help citing a friend or kin robbed, injured or hospitalized in some other country.
• Fund-raising donation for a natural disaster, political campaign or charity to play on the victim’s generosity and humanity.
• Present an issue that requires the victim to verify his/her information by clicking on the link provided or filling an online form.
• Notifying of a lottery or contest win that requires the victim to enter their financial details.
• Posing as a co-worker or boss to demand personal or financial information.

Example:

The victim receives an email declaring him/her as the winner of a sweepstake that promises an attractive sum of money. The sender of the email then asks the victim to call a particular number or click on the link provided. The victim’s greed for the lottery win often lures him/her to disclose sensitive bank details to the conman.

5. Quid Pro Quo

In this social engineering technique, miscreants lure victims with favors or benefits in exchange for something, usually information. Remember that if the offer sounds too good to be true, it might be nothing more than a trap!

Example:

The perpetrator impersonates an IT support technician and calls the target victim. He assures the victim of a quick technical fix. Innocent victims end up sharing their login credentials with the caller in the hope of genuine technical support. This enables the fraudsters to have access to the victim’s computer to install malware or extract personal information.

Tips to Avoid Being a Social Engineering Victim

Social engineering attacks are now prevalent everywhere – online and offline. The best defense that one has to keep social engineering attacks at bay is by education and awareness. By now, you must have had a fair idea of the common social engineering attack techniques. Consequently, keep these tips to avoid being a social engineering victim handy!

1. Be Slow & Steady

If you receive an unsolicited call, SMS or email that evokes a sense of urgency or panic, be cautious. This is what social engineers want! That you act promptly and think later.

2. Do Your Homework

Do not take anything at face value, especially if it seems too good to be true! Do thorough background research when you receive unsolicited emails/messages promising huge and often, unrealistic benefits. Spam emails often look like they are sent by a reputed company. Check the company’s official website and if required, call them and verify the authenticity of the mail.

3. Abstain from Clicking Links

Wherever possible, avoid clicking on suspicious links in pop-up notifications or emails. It is better that you visit the website yourself through a search engine. When you hover on a link in an email, you can see the actual URL at the bottom. Use this technique before clicking on random links.

4. Download Wisely

Refrain from engaging in random downloading of files. Some pop-ups or spam emails may urge you to download an anti-virus software or some other tool for your system. By doing this, you are yourself downloading a malicious software in your system.

5. Be Cautious of Foreign Offers

Individuals often react with greater greed and curiosity when a lottery/sweepstakes win comes from a foreign organization. Be cautious of any request involving the transfer of funds from a foreign country or an international sweepstake.

How to Protect Yourself from Social Engineering Attacks?

Protecting yourself from social engineering attacks is not rocket science. It just requires a little bit of awareness, cautiousness, and watchfulness. To summarize, here’s how you avoid being a social engineering victim.

• Delete requests for banking details or passwords immediately.
• Do not entertain email/call/SMS requests for charity or offers of help.
• Deploy adequate spam filters for your emails and set them to ‘high’.
• Secure your computing and mobile devices with adequate firewalls, email filters, and genuine anti-virus software.
• Avoid picking up and using unclaimed USB devices on your computer.

Incognito Forensic Foundation (IFF Lab) – Your Awareness & Diagnostic Partner

Incognito Forensic Foundation (IFF Lab) is a private digital and cyber forensics lab in Bangalore. Equipped with state-of-the-art digital forensics tools, a sound team of cyber forensic experts forms the core of IFF Lab. It provides services for investigation of cybercrimes as well awareness and training programs for law enforcement agencies, educational institutions, corporate bodies and other public and private organizations.