The art of social engineering
May 12, 2023
‘Social engineering’ could be considered an art, as it calls for creativity and great imagination. Unfortunately, unlike beautiful artifacts, this art aims at the manipulation of the human mind. Influencing a human target to perform a desired task, or to divulge valuable information, requires skill, responsiveness and, overall, an artistic manner backed by the right mindset. It sets out to exploit weaknesses, with material impact on those who lack knowledge of the subject. A fraudster who is not equipped with such ‘charisma’ can find guidance on how to manipulate in the bad actors’ chat forums on the darknet, where hacking services are also offered through specialized Software as a Service (SaaS) applications.

But let’s start from the top: what is social engineering? Put plainly, it is the science of hacking people. The term came with the rise of cyberspace, which paved the way for it to blossom into what it is today. The average person today may be familiar with the term, given how common cyberspace terminology has become, with the exception of the elderly, who until recently had little interaction with the internet. The elderly have become the focus target for hackers, who show no sign of remorse, which has highlighted even more the criticality of the subject.

As per the Federal Bureau of Investigation (FBI), ‘US citizens lost over $10 billion due to phishing calls by illegal Indian call centres in 2022. Most of the victims of these fraud calls from Indian phishing gangs were elderly US citizens above the age of 60 years who lost over $3 billion’.

In response to the above, and recognizing the criticality of the subject, organizations invest in personnel training. Infocredit Professional Education is one of the vocational training centers specializing in risk-related seminars, and it facilitates customized seminars that aim to instil the proper security culture in individuals and company employees.
Evidently, as Covid-19 exponentially accelerated people’s dependency on the Internet, it created a great opportunity for hackers to exploit, especially now that today’s network systems have grown stronger and are not so easy to infiltrate. Bad actors are forced to pursue back doors into security systems, and they obtain that assistance through the manipulation of the human mind, which directly or indirectly controls internal systems and sensitive information.

Employees have become one of the biggest threats to an organization, despite the arrays of protections set in place and the implementation of security standards, including ISO standards. Consequently, social engineering is mainly used to ease malware infections, targeting data breaches or the control of information, which on average takes companies months to realize. Data breaches in 2019 showed a 33% increase from 2018, and in the first quarter of 2020 they rose by 273%, a trend that continued beyond 2021. Domestic and international losses attributed to business email compromise (BEC fraud) are in the range of tens of billions of dollars.

Human risk is therefore an organizational issue, where maintaining security awareness is of the utmost importance and must be embedded in an appropriate security culture. That culture has to be continuously cultivated and monitored, as it never reaches full perfection given the dynamic environment of cyberspace. Training platforms have been developed and are offered as SaaS applications, where company administrators are given tools to compose fake phishing emails that test their employees’ knowledge and awareness, and so strengthen them to withstand such attacks.

So, as a help to awareness and deterrence, it is worth knowing, or being reminded of, some of today’s social engineering methods:
- Phishing is asking for information through an email that most of the time appears to come from a trusted source. An example could be an email from your bank requesting that you confirm or validate your bank account data, which is enough to provide access to your funds and proceed to an account takeover.
- Vishing and smishing are variants of phishing: the first is conducted by voice, pretending to call from a ‘call center’ or posing as a co-worker or the like, and the second is conducted with the same purpose via SMS text messages.
- Pretexting uses a pretext to gain attention, such as a survey which at the end manipulates the target into providing their bank account information.
- Social media account or email hacking aims at access to a victim’s contact list, posing as a friend who forwards a ‘must see video’ with a link to malware, or to a keylogging trojan, which will expose all keyboard activity for exploitation.
- Baiting involves a physical trap (e.g. a USB stick) that contains malware, left at a spot where it will attract the victim’s attention and be loaded onto their device. The device will then be infected and provide a back door to the attacker, leading the victim to great adventures!
- Quid pro quo is when a social engineer offers a service, usually "tech support", in exchange for access to secure information. It often takes the form of a ‘call from Microsoft’!
- Impersonation is pretending to be someone else, to gain the trust of the victim and persuade them to divulge sensitive information or perform a certain action such as an Authorised Push Payment (APP fraud). This is especially effective given the accelerated use of deepfake technologies.
- Farming, finally, unlike ‘hunting’ (which covers the ‘grab and go’ techniques above), is the type of social engineering that aims to build a relationship with the victim in order to extract, or infiltrate, much more information over a length of time. When infiltration succeeds, the information the attacker can extract is far greater and more harmful.
However, enduring the above attack scenarios remains a difficult challenge, as they are continuously cultivated, refined and redesigned to manipulate human characteristics successfully: curiosity, respect for authority, ignorance, greed, naivety, and so on.

What are some of the signals that should trigger suspicion, or tips to consider?
- Take a moment and think, especially when you feel a sense of urgency or curiosity, or when reviewing a so-called exceptional ‘offer’. Could it be fake? Is it realistic; did you really inherit millions from a Nigerian prince? Is it too good to be true? Don’t trust it blindly: it won’t go away if you stop and think for 5 minutes.
- Check the source: where is the communication coming from? Take an email, for example:
  - Look at the email header and check it against valid emails from the same sender.
  - Look at where the links go. Spoofed hyperlinks are easy to spot by simply hovering your cursor over them (never click the link).
- Signs of suspicion:
  - Unfamiliar tone or greeting
  - Inconsistencies between email addresses, links and domain names
  - Unknown sender
  - Unexpected or overall unusual email
  - Threat or a sense of urgency
  - Suspicious attachment(s)
  - Unusual request(s)
  - Short and sweet messages prompting a response
  - Recipient did not initiate the conversation
  - Request for credentials, payment information or other personal details
  - It raises an uncomfortable ‘gut feeling’
- Spam filters provide an automated security layer that one must have. They mark emails considered spam, so you don’t have to judge unnecessarily, especially at times of pressure. These filters tend to detect and set aside suspicious files or links in advance, or analyze messages for fake content.
- Secure your devices, to limit social engineering exposure substantially:
  - Keep anti-virus and anti-malware software always updated
  - Keep all software and applications up to date
  - Passwords must be strong, changed frequently, and different for each account
  - Use two-factor authentication for critical accounts
- Avoid sharing personal information, unless you wish to help the attacker exploit your profile or accounts. Do not over-share on public media (e.g. Facebook), or at least allow access to ‘friends only’. Remove address, phone number and date of birth from a personal ‘resume’ if it was released on public media, etc.
- Back it up and protect against ransomware attacks, which are in fashion nowadays. Exercise routine back-ups.
- Penetration or vulnerability testing is essential to uncover vulnerabilities and determine whether unauthorized access or other malicious activity is traceable on a system or device, and to identify flaws that may pose a threat to installed application(s).
- Report it to the authorities if you have fallen victim; break the loop and don’t let others fall into the trap.
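As an added illustration of the ‘check the source’ and ‘signs of suspicion’ tips above (example code written for this page, not the article’s or Infocredit’s own tooling), the Python script below parses a constructed sample email, compares the From and Reply-To domains against a hypothetical allowlist of known sender domains, flags urgency wording in the subject, and applies the ‘hover over the link’ check to each HTML link by comparing the host shown in the link text with the host it really points to. Both sample messages, the domains in them and the allowlist are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious sample: the display name claims to be the bank, but the
# address, the Reply-To and the real link target point elsewhere, and the subject pushes urgency.
SUSPICIOUS_EMAIL = b"""From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Reply-To: support@mailbox-relay.test
To: customer@example.com
Subject: URGENT: confirm your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Go to <a href="http://198.51.100.7/verify">https://www.example-bank.test/login</a></p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
"""

# Constructed legitimate sample from the same bank, to show the checks stay quiet.
LEGITIMATE_EMAIL = b"""From: "Example Bank" <alerts@example-bank.test>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is at <a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a>.</p>
"""

# Hypothetical allowlist: the domains this recipient expects mail and links from.
KNOWN_SENDER_DOMAINS = {"example-bank.test"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be locked")
URL_LIKE_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)

def domain_of(address):
    """Lower-cased domain part of an email address ('' if absent)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()

def host_of(url):
    """Host name of a URL, tolerating a missing scheme (as in 'www.x.test/y')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def is_known(host, known_domains):
    """True if host is one of the known domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in known_domains)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def header_findings(msg, known_domains):
    """The 'check the source' tips applied to From, Reply-To and Subject."""
    findings = []
    from_domain = domain_of(msg["From"])
    if not is_known(from_domain, known_domains):
        findings.append(("unknown_sender", from_domain))
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", reply_domain))
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(("urgency", subject))
    return findings

def link_findings(html, known_domains):
    """The 'hover over the link' tip: does the URL shown match the real target?"""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        if URL_LIKE_RE.match(text) and host_of(text) != real_host:
            findings.append(("spoofed_link", f"shows {host_of(text)}, goes to {real_host}"))
        if not is_known(real_host, known_domains):
            findings.append(("unknown_domain_link", href))
    return findings

def analyze(raw_message, known_domains=KNOWN_SENDER_DOMAINS):
    """Return (kind, detail) findings for a raw RFC 5322 message; [] means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = header_findings(msg, known_domains)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content(), known_domains))
    return findings
```

Calling `analyze(SUSPICIOUS_EMAIL)` returns five findings (unknown sender, Reply-To mismatch, urgency, a spoofed link whose text shows the bank’s host while the target is a bare IP address, and a link to an unknown domain), while `analyze(LEGITIMATE_EMAIL)` returns an empty list. The allowlist stands in for the ‘valid emails from the same sender’ the tip says to compare against; in practice it is whatever domains the user or mail gateway already trusts, and the script is a teaching aid for the manual checks rather than a substitute for the spam filter layer mentioned below.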
So where do we take it from here? It all starts with the basics. Education and awareness at all levels is key: what social engineering is, the latest trends, and how it can affect us, our organization, or society as a whole. Any relevant training needs to be repeated at intervals, as a reminder that the threat is always here and needs to be contained; it is close to everyone, we could be next, and we should never let our guard down but stay vigilant.

As for the cybersecurity landscape, it has become extremely volatile, stressful, and scary. It is also distant and almost unreachable by law enforcement, which does not seem to catch up with the fraudsters’ innovations, since the cyberspace environment is complicated by jurisdictional barriers and extreme monitoring difficulties.

The following are some of the major cybersecurity myths one should be reminded of; none of these statements should be accepted:
- We’ve got the Best Security Tools, no need to be afraid of…
- We regularly perform Penetration Tests, so we are good to go…
- We have Peace of Mind, since we Comply with Industry Regulations…
- We partner with a top-notch Third-Party Security Provider, so we can stay relaxed…
- Cybersecurity is not my responsibility; it is the IT that…
- We never encountered Cyberattacks, it will not happen to us…
- We have implemented a Strong Password policy; we are protected From Data Breaches…
- We are a Small and Medium-Sized Business, criminals won’t bother with us…
- Our Systems are intelligent enough; we will be notified if we are compromised…
- Our mobile devices are Secured, so we feel totally protected, …
- We don’t have valuable information worth stealing, why concern?...
In conclusion, always be aware and stay alert: the threat is imminent and can become personal.

About Infocredit Group

Infocredit Group is a leading provider of business intelligence and risk management solutions, including Credit Risk, AML/CTF regulatory compliance, Due Diligence and KYC. Aiming to help businesses manage the risks emerging from credit exposure and regulatory compliance, it offers a range of innovative, cost-effective, API-driven solutions in affordable and efficient packages. With a team of experts in the fields of Credit Risk Management, Debt Recovery, Call Center Services, AML/CTF compliance, KYC, Due Diligence, Fraud Prevention, ID Verification, ESG (Environmental, Social and Governance) and Vocational Training, it offers state-of-the-art, customer-oriented solutions that meet the specific risk management needs of any organization. With offices in Cyprus, Malta and the UAE, and a presence in Greece and Romania, its services and solutions have covered the international market for more than 50 years.