December 6, 2022
What is Social Engineering? Is it a branch of Engineering? Is it taught in engineering colleges?
No. Social Engineering is the strategy / “tricks” used by scamsters to target the psychological instincts of common people so that they become lax or less cautious and commit serious information security mistakes. These mistakes include, for example, visiting malicious sites or parting with login credentials such as user-id and password, or with any other sensitive / confidential personal information. The psychological vulnerability that these criminals play on could be greed, windfall gains, jealousy, curiosity, charity, ego trip, or fear.
Social engineering contrasts with hacking, i.e., accessing personal / sensitive information by exploiting security lapses in computer systems. Unlike hacking / planting malicious programs by taking advantage of weak security in a computer’s operating system or in software / databases, social engineering tries to manipulate (i.e., “engineer”) human emotional reactions and get the information / data from the individuals themselves. Hacking is an intrusion into computers; social engineering is an intrusion into the minds of the targets, conditioning / tricking them to act without suspicion, endangering the computer, and handing sensitive / confidential information to the scamsters.
To give an example from day-to-day life, if a person asks for your date of birth, you may be hesitant to disclose it. However, if a businessman asking for your date of birth mentions that he needs it to send personalized “offers” to you on your birthday, you may disclose it without hesitation. But the fact is, you are handing over sensitive personal information, because the date of birth is itself part of the login credentials for many web sites. There are many similar examples where people extract personal information using ruses / tricks that appeal to the weak points of the human mind. The same phenomenon is found in the digital world also, and is known as “Social Engineering”.
As people spend more time in the “internet world”, the chances of being targeted by social engineering “attacks” from scamsters increase, just as the chances of robbery, cheating or theft increase if a person constantly moves around in a place with teeming crowds all around. In both cases you are dealing with people whom you do not know.
There are many ways in which “social engineers” keep looking for “prey” on the World Wide Web (www). They are constantly on the prowl, launching “attacks” on users. These attacks are often staged through computer software against a large number of “prospects” at once. The attack could come in the form of an SMS, a WhatsApp message, an email, a phone call, a chat, or a pop-up while surfing the net.
Unfortunately, most human beings are happy to “receive something without paying”. Most social engineers exploit this weakness by offering something very cheap or free. Just look at this SMS: “Watch Football World Cup 2022 without paying subscription, click this link to accept the offer”. This is a “bait” to which many people might succumb. The link might cause your computer to crash / malfunction, or it might plant malicious software on your mobile or laptop. A similar technique is messages / emails informing you of “beautiful singles near you” and asking you to follow a link, leading you to a malicious / suspicious web site.
Scare mongering is another technique used by social engineers (scamsters). A sudden pop-up message raises a scare: “your computer is infected. Click here to clean and save the data”. This is a false alarm, but out of fear and concern for your computer / mobile, one might heed this advice. Instead of cleaning the system of malware, the process might scour your system and steal all your confidential information.
Another scam to extract information from the gullible public is fake job sites. There are many job sites where hundreds of job openings are put up. Unemployed aspirants register themselves and fill in an online “application”. They give out all their personal information to the cheats hiding behind the “job site”, in the hope of getting a job. Many such fake job sites ask the prospects to fill in their legal name, full address, phone number, email, date of birth, PAN number and many more details. In reality, the job site might be just a ploy to collect this information and use it for nefarious purposes. Romance / dating / escort sites are also surrounded by scamsters looking for victims.
Users often get messages asking them to take an action and giving a link to a site / redirecting to another web site. The site shown appears genuine. The email / pop-up message exhorts the user to act urgently, with hints of inconvenience or risk if it is not acted upon. For example, a user might get a message stating “your KYC details are out of date. Pls login to bank site and update”. The user might log in to the fake site, duly typing his bank user-id and password (the fake / clone site is programmed to accept any user-id and password). He will update the KYC details on the clone site, and in the meanwhile the scamsters have stored his login-id and password, which they can use to enter the real bank site and siphon off the balance in the account. In another example, a user is browsing a betting site when a pop-up suddenly appears: “Your web activity is punishable offence. Pay the penalty”. It redirects him to a site looking similar to a Government site and prompts him to enter his credit card details for recovery of the penalty. This is an effort to impersonate an authority and generate fear psychosis in the user.
It is important to note that social engineering is not just a feature of the internet; it is possible to receive these “attacks” through phone calls also. Remember callers claiming to be from the “bank” telling you “Your ATM card has been blocked…pls give details so that same can be unblocked.”
There are many other techniques in vogue by which scamsters try to extract information or to make the user commit information security lapses that infect the computer with a virus or result in data theft.
Some of the ways in which you can make yourself less prone to social engineering attacks:
Have good, up-to-date anti-virus protection on your laptop / mobile.
Do not click on links or download files sent by unknown entities.
Any message (SMS / chat / email / voice call) asking you to do something urgently, or offering something too good to be true, is suspect.
Never entertain “technicians” who come to your doorstep (without your request) to speed up your internet, claiming to be from your Internet Service Provider (ISP).
Never share OTP with anyone.
Opt for two-factor authentication (e.g., password as well as OTP) for logins.
If you receive any call or email claiming to be from your bank, call the bank on its official phone number and double check the genuineness.
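The warning signs listed above (urgency, too-good-to-be-true offers, unknown links, requests for OTPs or card details) and the clone-site trick described in the KYC example can be turned into a simple triage routine. The following is an added example, not code from the original article: it scores a message on those signs and checks whether each link really points at a domain the user has a relationship with, flagging hosts that merely contain a trusted brand name (the usual sign of a clone site). The trusted-domain list, the phrase lists and the sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: domains the user actually does business with.
TRUSTED_DOMAINS = {"example-bank.test", "example-isp.test"}

# Phrases for the two levers the article names: pressure (fear / urgency)
# and lures (something free, too good to be true). Chosen for illustration.
URGENCY_PHRASES = ("urgent", "immediately", "blocked", "out of date", "penalty",
                   "punishable", "infected", "expire")
LURE_PHRASES = ("without paying", "free", "offer", "prize", "won", "singles near you")

# Direct requests for secrets that a genuine bank never makes over SMS / email.
CREDENTIAL_RE = re.compile(r"\b(otp|password|pin|card (?:number|details))\b")
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text):
    """Return every http(s) URL found in the message text."""
    return LINK_RE.findall(text)


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a link's hostname."""
    host = (host or "").lower().rstrip(".")
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # A trusted brand name embedded in a host that is NOT that domain,
    # e.g. example-bank.test.kyc-update.example, is the classic clone-site sign.
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            return "lookalike"
    return "unknown"


def _phrases_present(text, phrases):
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def triage(message, trusted=TRUSTED_DOMAINS):
    """Score a message on the article's warning signs; score >= 3 is 'suspect'."""
    text = message.lower()
    score, reasons = 0, []

    urgency = _phrases_present(text, URGENCY_PHRASES)
    if urgency:
        score += 2
        reasons.append("urgency / fear: " + ", ".join(urgency))

    lures = _phrases_present(text, LURE_PHRASES)
    if lures:
        score += 2
        reasons.append("too good to be true: " + ", ".join(lures))

    if CREDENTIAL_RE.search(text):
        score += 3
        reasons.append("asks for OTP / password / card details")

    for url in extract_links(message):
        kind = classify_host(urlsplit(url).hostname, trusted)
        if kind == "lookalike":
            score += 3
            reasons.append(f"lookalike domain: {urlsplit(url).hostname}")
        elif kind == "unknown":
            score += 2
            reasons.append(f"link to unknown domain: {urlsplit(url).hostname}")

    return {"score": score, "verdict": "suspect" if score >= 3 else "ok", "reasons": reasons}


# Constructed sample messages, modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    "Watch Football World Cup 2022 without paying subscription, click this link "
    "to accept the offer: http://worldcup-free.example/win",
    "Your KYC details are out of date. Pls login to "
    "http://example-bank.test.kyc-update.example/login and update",
    "Your ATM card has been blocked. Give card details and OTP so that same can be unblocked.",
    "Your statement for November is available at https://online.example-bank.test/statements",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(f"[{result['verdict']:7}] score={result['score']} {msg[:60]}...")
        for reason in result["reasons"]:
            print("    -", reason)
```

The last sample, a plain notification linking to the genuine bank domain, scores zero; the three scam-style messages each cross the threshold for a different reason. The lookalike check matters most: `example-bank.test.kyc-update.example` contains the bank's name but is not a subdomain of it, which is exactly the clone-site pattern the KYC example warns about.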
When you are dealing with unknown, unseen entities, the best way is to be cautious and circumspect, and not to fall victim to the mind tricks of criminals / impersonators.
It is better to be circumspect and safe than to trust easily and get conned by confidence tricksters.