Social Engineering Tips

Social engineering is a hacker's clever manipulation of the natural human tendency to trust. The hacker's goal is to obtain sensitive information that will allow them to gain unauthorized access to a valued system and the information that resides on it. Types of social engineering attacks include pretexting, phishing, IVR or phone phishing, trojan horses, baiting and quid pro quo.

Here's how you can shield yourself against social engineering attacks:

  • Beware of the consequences of disclosing any information knowingly or unknowingly.
  • Watch out for phishing scams in the form of fraudulent e-mail messages and web sites that impersonate legitimate businesses to trick people into revealing personal information.
  • Avoid clicking on unknown or suspicious links in e-mail messages to visit web sites, even if they seem to be legitimate.
  • Install comprehensive security software on your computer, including anti-virus, anti-spyware and firewall protection, and keep it up to date.
  • Be cautious while opening e-mail attachments, regardless of who sent them.
  • Take care before sharing e-mail addresses.
  • Make sure web sites are secure before visiting them and providing personal information.
  • Use strong passwords.
  • Use caution when communicating through instant messaging; do not share sensitive information.
  • Avoid using any financial details, such as your credit card number, on shared computers at cyber cafes or other public locations.

Staying well informed about how these social engineering attacks occur always helps.

  • Pretexting

    Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone. It is more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, ATM PIN, last bill amount) to establish legitimacy in the mind of the target.

  • Phishing

    Phishing is a criminal technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, complete with company logos and content, and has a form requesting everything from a user ID, password and ATM card number to a home address.

  • IVR or phone phishing or Vishing

    This criminal technique uses a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call the ‘bank’ via a (ideally toll-free) number provided, in order to ‘verify’ information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times and often disclosing several different passwords that can be exploited elsewhere. More advanced systems transfer the victim to the attacker, posing as a customer service agent, for further questioning.

    A criminal could even record the typical commands (‘Press one to change your password, press two to speak to customer service’ and so on) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.

  • Trojan horse

    Trojans take advantage of the victim's curiosity or greed to deliver malware. An example of a Trojan might be the 'e-mail virus', which arrives as an e-mail attachment promising anything from a 'cool' or 'sexy' screen saver to an important anti-virus or system upgrade, or the latest gossip about a celebrity.

    Victims succumb by opening the attachment, which is then activated. Since naive users might unknowingly click on an attachment without considering its legitimacy, the technique can be quite effective, and a number of these cases (for example, the ‘ILOVEYOU virus’) even made international news as a result. Similarly, a program that grants the attacker access while hiding inside other software (spyware being an example), or by pretending to be something it is not (for example a download pretending to be a 'free' copy of a new software title), behaves much like the famous horse of Troy and allows an attack from inside the computer system.

  • Baiting

    Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.

    In this attack, the attacker leaves a malware-infected floppy disc, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good Samaritan might find it and turn it in to the company. This technique may not be very effective against companies, as many have proper scanning systems in place before any activity takes place, but individuals may fall prey to it.

  • Quid pro quo: Something for something

    An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually they will reach someone with a legitimate problem who is grateful that someone is calling back to help. The attacker will help solve the problem and, in the process, have the user type commands that give the attacker access to launch malware.
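The phishing section above describes a mail whose link looks legitimate but leads to a fraudulent page. The following added example (not part of the original page) shows a simple defender-side check over a constructed HTML mail body: it flags links whose visible text names one domain while the href goes to another, links whose host merely contains a trusted brand name, raw IP hosts, and plain-http links. All domains, the `TRUSTED_DOMAINS` list and the sample message are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (hypothetical domains): the anchor text advertises
# the bank's own site, but the href points at a look-alike host.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify now.</p>
<a href="http://examplebank.com.verify-login.net/update">https://www.examplebank.com/secure</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://192.0.2.10/login">Sign in</a>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumed list of the brand's real domains
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def registrable_domain(host):
    """Last two labels of a hostname (naive; no public-suffix list handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons this link looks like a phishing lure (empty if none)."""
    reasons = []
    url = urlparse(href.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append("not https")
    if IP_RE.match(host):
        reasons.append("raw IP address as host")
    dom = registrable_domain(host)
    # Brand name appears somewhere in the host, but the registrable domain is not the brand's
    if any(t.split(".")[0] in host for t in trusted) and dom not in trusted:
        reasons.append(f"look-alike host for trusted brand: {host}")
    # Visible text shows a URL whose domain differs from where the link really goes
    shown = urlparse(text.strip())
    if shown.scheme and shown.hostname and registrable_domain(shown.hostname) != dom:
        reasons.append(f"displayed {shown.hostname} but links to {host}")
    return reasons

def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Scan an HTML mail body; return [(href, reasons)] for every link with a reason."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text)  # drop any nested tags in the anchor text
        reasons = check_link(href, text, trusted)
        if reasons:
            out.append((href, reasons))
    return out

if __name__ == "__main__":
    for href, why in find_suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(why))
```

The heuristics are deliberately simple; a mail gateway would pair them with a public-suffix list and reputation data rather than rely on them alone.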
