Criminal Law, Cyber Crimes, Cyber Law, Cyber Lawyer, Cyber Offenses / Contravention, Data Privacy, E-Commerce Fraud, Information Technology Act, Internet Fraud, Legal

What are Social Engineering Attacks ? and how to protect yourself ?

In the context of cyber security, it uses psychological manipulation to trick users into making security mistakes or giving away confidential data/information. It is used for a broad range of malicious activities accomplished through human interactions. With the help of basic means, i.e., phone calls, emails, SMSs, VoIP Calls, and other, cyber-criminals or social engineers or fraudsters trick people to get confidential or personal data/information.

Let’s see most common social engineering attacks

Phishing-Textual and Vocal

Textual form of Phishing includes:

  • Spear Phishing– Cyber-criminals or phishers targets the person via specially crafted E-mails. Phishers do a complete social profile research about the target so that they can trick with target’s mind to get desired information.
  • Whaling– In this technique cyber-criminals targets the high ranked officials of the company or organisations who are considered to be big players in the information chain .Technology, banking, and healthcare are the most targeted sectors for phishing attacks.
  • Email Spoofing– Easiest types of phishing used to get data from the target without the deep knowledge of the target’s profile. It can be done in different ways:
  • Sending an email through a familiar username asking for some money or personal information.
  • Impersonating the identity of an organization and asking employees to share internal data\

Vocal form of Phishing would include:

  • Vishing– Phishing done over phone calls. Voice is the interface for this type of phishing. Phishers communicate confidently over a call in the name of friends, relatives or any known brand, without raising any suspicion.
  • Call/SMS spoofing- Target receives the call/SMS from the known number asking for personal or confidential information/data. But, in reality, the number showing on the target’s screen is not the number from which the call/SMS is placed.
  • Pretexting – Cyber-criminals obtain information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task. The attackers usually start by establishing trust with their target by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority.
  • Baiting – Baiting attacks use a false promise to pique a target’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.
    • Attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential targets are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
    • Target pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
    • Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or those encourage users to download a malware-infected application.
  • Scareware – Scareware involves targets being bombarded with false alarms and fictitious threats. Targets are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.
    • Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.

How to keep yourself safe from Social engineering Frauds

  • Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker
  • Use multifactor authentication – One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise.
  • Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as fact. Google the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
  • Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
  • Consider the source– A found USB stick isn’t necessarily a good find. It could be loaded with malware, just waiting to infect a computer. And a text or email from your bank isn’t necessarily from your bank. Spoofing a trusted source is relatively easy. 
  • Slow down– Social engineers often count on their targets to move quickly, without considering the possibility that a scammer may be behind the email, phone call, or face-to-face request on which they’re acting. If you stop to think about the ask and whether it makes sense or seems a bit fishy, you may be more likely to act in your own best interest — not the scammer’s.

Leave a Comment