You can bet on your security mechanism because you have invested in it, and you trust in technology and security, but you cannot bet on human psychology. Computer and security systems ultimately depend on human minds and hearts, and once an attacker gains a person's confidence, the system can be exploited easily. We can build a robust security mechanism, but we cannot engineer human psychology. This is how a social engineer can bypass all the defenses of an organization.
What is Social Engineering?
Social engineering uses psychological manipulation to influence people's minds and lure them into giving up confidential information. Attackers gain the confidence of users with false pretexts in order to obtain information and system access. It is a technique that exploits people's natural tendency to be caring and helpful. Social engineering attacks become feasible when an outsider successfully establishes trust with a person or an organization. It requires considerable groundwork from the social engineer, from collecting employees' names to eavesdropping and impersonation.
Types of Social Engineering Attacks:
Social engineering attacks can be divided into two categories: human-based attacks and computer-based attacks. Human-based methods involve direct interaction between two people to obtain the desired information. Computer-based methods, on the other hand, use a malicious link, application, or piece of software that captures the desired data without the user's awareness.
Human-based Social Engineering Attacks:
Impersonation as an Authenticated User:
In this type of attack, an attacker mimics an employee or a valid user of the system and gathers information from trash cans, desktops, and PCs. The attacker may pretend to be a contractor, a help desk employee, a third party, or tech support to extract the desired information from the organization.
Posing as a High-Authority Person:
In this type of attack, the attacker pretends to be a person of high authority and demands immediate assistance to access computer files or systems. The social engineer intimidates a lower-level employee into handing over log-in credentials. Such employees often comply out of fear of a complaint or of losing their job.
Third-Person Authentication:
This technique works when the authorized person who has access to a computer is not available and cannot be reached to confirm the request. The social engineer poses as someone acting on that person's behalf, uses the system, and obtains the information.
Tech Support for Help:
Here, the social engineer pretends to be a technical support executive and tries to obtain information from the user over a phone call. The attacker explains that login credentials are needed to troubleshoot a network problem affecting many computers. Unless the user has been educated about this trick, he will hand over a username and password to the attacker.
Dumpster Diving:
Many employees have a habit of writing personal or confidential information on pieces of paper. The social engineer searches through a bin to find passwords, file names, or any other useful information. This technique is known as dumpster diving.
Computer-based Social Engineering Attacks:
Insider Attack:
A social engineer may take advantage of a discontented or former employee, or may join the organization as an employee, to carry out an insider attack. In this kind of attack, the social engineer has access to a computer system and can roam around the organization freely. An attacker can also obtain information from a disgruntled employee and use him for illegal ends.
Phishing:
Phishing involves an email pretending to be from a bank, credit card company, or other financial organization. Such an email contains a malicious link that redirects users to a remote website that collects their confidential details.
Online Frauds:
Online frauds are a traditional form of social engineering in which fake websites offer discount deals or special offers to lure users. Once a user provides his details to access the advertised offer, the attacker obtains the log-in details and can exploit the computer system.
URL Obfuscation:
In URL obfuscation, attackers hide a fake URL behind what appears to be a real website address. For example, a link that displays http://www.yourbank.com looks like the real URL, but the link actually points to a fake URL (http://www.phishingurl.com) behind it. Such links are used in phishing attacks to redirect users to a fake website or IP address.
Why Do Innocent People Become Victims of Social Engineering Attacks?
Social engineers dupe the public every day because of a lack of awareness of social engineering techniques. Humans are bound by their behavior, and the human is the weakest part of any security infrastructure. Attackers apply various social engineering techniques to unsuspecting victims, and their body posture, speech, and confidence convince people to trust them. Below are five reasons why people fall for social engineering tricks.
- Social engineers project confidence and draw people's attention with a practical approach.
- Social engineers offer something exciting that entices people to grab the offer and put blind trust in the attacker.
- They spread rumors that seem convincing and appealing to users.
- They give plausible reasons, and people tend to listen to such requests.
- They take advantage of people's fear and curiosity.
Preventive Tips against Social Engineering:
Organizations should provide proper education about social engineering attacks to build a better security environment. Discussed below are some of the best steps that can prevent social engineering.
Inform Employees about Policy Changes:
Whenever an organization makes a policy amendment, the IT department should inform employees and clients via email. We all know that such policies are written in legal language and seem boring, so people easily discard such emails and never pay attention to the security warnings and suggestions they contain. Organizations need to understand that ignoring these emails is a serious matter: employees will never learn the steps to take against social engineering if they ignore emails from the IT department. It is advisable to talk with employees about potential social engineering tricks, and to walk through scenarios that explain how the different tricks are used to manipulate unsuspecting people.
Provide Examples in Emails:
Organizations should send periodic emails to employees about social engineering techniques. Emails with images attract attention, and employees are more likely to read and believe them. Organizations may cover different topics such as fake URLs, phishing scenarios, fake tech support calls, and online frauds.
Develop and Share Password Policy:
A password is very sensitive information for any organization. The organization should develop a password policy and share it with employees. Many employees keep passwords on a slip of paper, which is dangerous because anyone may find the password and misuse it. Tell employees to use long passwords with both upper- and lower-case letters. Do not use your date of birth, employee number, or vehicle number as your password, and change your passwords every 60 days.
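A written policy is only useful if it is enforced at the point where passwords are set. The script below is an added example, not part of the original article, that turns the rules stated above into a check: it rejects short or single-case passwords, passwords that embed the employee's date of birth, employee number or vehicle number (in the common ways people type them), and passwords older than 60 days. The minimum length of 12 and the employee record are assumptions made for this example; the article only says "long".

```python
"""Password policy check built from the article's rules (added example)."""
from datetime import date, timedelta
import re

MIN_LENGTH = 12     # assumed value; the article says only "long"
MAX_AGE_DAYS = 60   # rotation interval stated in the article

_SEPARATORS = re.compile(r"[\s\-/]")


def _dob_forms(dob):
    """Common ways a date of birth gets typed into a password."""
    return {
        dob.strftime("%d%m%Y"), dob.strftime("%Y%m%d"), dob.strftime("%m%d%Y"),
        dob.strftime("%d%m%y"), dob.strftime("%Y"),
    }


def check_password(password, employee, last_changed=None, today=None):
    """Return a list of policy violations; an empty list means compliant.

    employee: dict with keys 'dob' (date), 'employee_id', 'vehicle_number'.
    last_changed/today: dates used for the 60-day rotation rule.
    """
    today = today or date.today()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must contain both upper and lower case letters")

    # Strip separators so 'MH-12-AB-3456' still matches 'MH12AB3456'.
    flat = _SEPARATORS.sub("", password).lower()
    personal = {
        "date of birth": {f.lower() for f in _dob_forms(employee["dob"])},
        "employee number": {_SEPARATORS.sub("", employee["employee_id"]).lower()},
        "vehicle number": {_SEPARATORS.sub("", employee["vehicle_number"]).lower()},
    }
    for label, forms in personal.items():
        if any(form and form in flat for form in forms):
            problems.append(f"contains {label}")

    if last_changed is not None and today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days, must be changed")
    return problems


# Constructed employee record used only for this example.
EMPLOYEE = {"dob": date(1985, 7, 14), "employee_id": "EMP4471", "vehicle_number": "MH12AB3456"}


def demo():
    """Run three sample passwords against the record with a 74-day-old change date."""
    return {
        pw: check_password(pw, EMPLOYEE, date(2020, 1, 1), date(2020, 3, 15))
        for pw in ("emp4471secret", "Coffee14071985!", "Tall-Window-Quiet-River-9")
    }


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r} -> {problems or 'ok'}")
```

The personal-data rules deliberately match substrings after stripping separators, because "14-07-1985" and "14071985" are the same leak of the same fact. The rotation check is kept separate from the content checks so that an expired but otherwise compliant password produces exactly one finding.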
Check out our latest post on password security: “Ding, Dong, The Password’s Dead!”
Reward Security-Conscious Employees:
When an employee makes an effort to be security conscious, a manager or senior should reward him; this will increase his enthusiasm and alertness toward the subject. The company should publish the rewarded employee's name in its newsletter for being security conscious. Such efforts will increase competition among employees and prove inspirational to others.
Social engineering is an evolving concept that should alert individuals and enterprises; however, proper guidance and precautions can avert such cyber tricks. The above steps can help people mitigate social engineering attacks.