Playing mind games

[Infographic: Countdown to System Infection]

Social engineering involves tactics that make individuals let their guard down.

When was the last time you received a phone call from someone claiming to be from your bank who needed your PIN to ‘validate your account details’? Social engineering attacks take many forms and trick you into divulging information about yourself or compromising the security of your organisation. Attackers also take advantage of emergencies to get access to controlled resources, for example by pretending to be a first responder (police officer, medic, etc.).

A senior-looking person asks to be let into your office premises, claiming to be late for a meeting with the CEO. Someone who speaks authoritatively asks for details such as the key code for the door. Would you divulge the code? Would you challenge the lady who is about to tailgate you through the door?

Your social media profiles are a great place for a hacker to start looking for information such as your email address, phone number, likes, family and friends, among other titbits.

Did you get an email from someone in a position of authority? Spear phishing relies on the ‘colonel effect’, the reluctance to question a request that appears to come from a superior, to get you to reveal data. This is more prevalent for employees who work for defence contractors, government and the military.

Do you throw confidential papers away without first shredding or pulverising them? Dumpster divers pull credit card details, addresses and other private information out of the trash.

Using the information gleaned from these methods, hackers can then work their way to collecting more information about you. Just because you would not do it does not mean hackers will not. There are even sites that teach you how to dumpster dive.

A hacker could also leave USB sticks in public places carrying the logo of a Fortune 500 company and a label such as ‘Salary Review – Senior Management’. Plug the stick in and your machine is compromised.

Cultures in some countries such as India may also allow a hacker to gain access to secure locations. For example, a speaker at a security conference claimed to have tested a social engineering tactic at a secure data centre by ‘threatening’ a lowly security guard that he would call the CEO if he was not let in. He also managed to gain access to the secure data-processing area simply by talking to employees. Would that mean that all foreigners are allowed access to secure areas without a second thought? I think not!

Beware of shoulder-surfers, who try to get your password or PIN by watching the keys you type. They may casually approach you at the ‘right moment’.

A good training and awareness programme for all employees is necessary to reduce the number of incidents in the office, and this awareness also needs to spread to your friends and family. Unsolicited phone calls, visits or emails asking for information should always be treated as suspect. Verify the person through your own resources, not the number or device that person gives you. Do not click on links in unsolicited emails or social media messages. Check the URL of the website: a fake may look identical to the real one, so watch for a subtle misspelling or a look-alike character. Ensure that your antivirus and firewall are installed correctly and up to date.
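The “check the URL for a misspelling” advice is easy to state and hard to do by eye, so here is a small checker that does it mechanically. This is an added example, not code from the original article: it keeps an allow-list of domains you actually use (the two entries below are constructed for the example), undoes the tricks typosquatters rely on (punycode, accented letters, digits standing in for letters, ‘rn’ for ‘m’) and then flags domains that are within a couple of edits of a trusted one or that smuggle a trusted brand into a subdomain. It assumes the registrable domain is the last two labels of the hostname; no public suffix list is consulted.

```python
"""Flag URLs whose domain merely looks like one the user trusts.

Added example, not from the original article. TRUSTED_DOMAINS is an
assumed allow-list; the registrable domain is taken to be the last two
labels of the hostname (assumption: no public suffix list is used).
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for the example; replace with the domains you really use.
TRUSTED_DOMAINS = {"example-bank.com", "mycompany.com"}

# Substitutions typosquatters rely on, applied to the suspect domain only.
# (Heuristic: a legitimate domain containing "rn" or "vv" may be over-flagged.)
CONFUSABLE_PAIRS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s"), ("7", "t"))


def hostname_of(url: str) -> str:
    """Extract the lowercased hostname; a bare domain without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def normalise(domain: str) -> str:
    """Map a domain to its plain-ASCII look: decode punycode (xn--...),
    strip accents and other combining marks, then undo digit/letter confusables."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> unicode form
    except UnicodeError:
        pass                                             # already unicode, or not punycode
    nfkd = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in nfkd if not unicodedata.combining(c))
    for bad, good in CONFUSABLE_PAIRS:
        domain = domain.replace(bad, good)
    return domain.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in url."""
    host = hostname_of(url)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])        # assumption: last two labels
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(registrable)
    for trusted in TRUSTED_DOMAINS:
        # Close spelling once confusables are undone: examp1e-bank.com, exampel-bank.com
        if edit_distance(norm, trusted) <= 2:
            return "lookalike"
        # Trusted brand used as a subdomain of someone else's domain:
        # example-bank.com.evil.net
        if trusted.split(".")[0] in labels[:-2]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs exercising each path.
    for sample in ("https://www.example-bank.com/login",
                   "http://examp1e-bank.com/",
                   "https://example-bank.com.evil.net/",
                   "http://rnycompany.com/",
                   "https://google.com/"):
        print(f"{sample:45} {classify(sample)}")
```

An ‘unknown’ result is not a clean bill of health; it only means the domain is not near anything on your allow-list, which is why the list should hold the handful of sites you actually log in to rather than every site you visit.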

New methods of social engineering are always being tried and tested, be aware, stay secure, keep your family safe.

Further Reading
Track a fake Facebook account
Barracuda Labs Social Networking Analysis