Social Engineering in the Age of Information
- Reporter: K Subhashri
- Nov 22, 2020

Artful manipulation is the key to Social Engineering (Source: Google Images)
Social Engineering is the artful manipulation of people that exploits basic human instincts to gain access to personal information about an individual and/or company. Once an attacker is privy to this information, the individual and/or company is at risk of cyberattacks online, in person, or through other interactions. Criminals use this tactic to lure unsuspecting users/workers into exposing confidential data or to gain access to restricted systems.
There are several tricks commonly employed in a cyber scam. What sets Social Engineering techniques apart is the manipulation of inherent human behaviour, thereby creating a unique area of vulnerability in security mechanisms/systems. Social engineering attacks are based on common human traits such as trust through familiarity, ready acceptance of authority, reciprocity of a favour, social conformity, greed and more.
For example, a house might have the strongest security system in the world, with guard dogs, burglar alarm systems, fingerprint and facial recognition, but all this fails if an unwitting security guard at the door trusts a criminal who disguises himself as a pizza delivery guy and gives him admission to the house, exposing the house to whatever threat the criminal represents.
Scam techniques like baiting, where assailants offer rewards to potential targets, are now rooted in public awareness, thanks to the personal accounts of hundreds of victims. However, as the quality of security improves, so do the crimes.
The following are the major ways through which a social engineer could try to scam one's personal information:

We should never trust anyone with our personal information (Source: Google Images)
(1) EXPLOITING FAMILIARITY - This type of scam involves gaining familiarity with the potential target by meeting them in common areas such as restaurants during meals (as a waiter), by pretending to be a fellow worker, and so on. Once the target is familiar with the assailant, he/she is more likely to trust the assailant. The assailant might then pretend to struggle with a pile of files or books outside a room where he needs ID access. Using this familiarity, he might ask the target to hold the door for him and enter the room without any difficulty.
(2) INTIMIDATION USING AUTHORITY - In this type of scam, confidence is key. This might generally involve the assailant staging a heated argument on the phone or with an in-person accomplice, and then asking a target who is close by for the access code or password. The target, naturally intimidated by the assailant, might give him the passcode. Assailants might also disguise themselves as important figures in a company, or as the known but never seen relatives of such figures, to intimidate and collect information about the company.
(3) PHISHING - In this technique, the assailant typically impersonates a well-known and genuine website that users trust and sends the victims an email requesting confirmation or updates for their account. The request might also cover credit card information. For example, in the eBay scam of 2003, users received emails supposedly from eBay claiming that the user's account was to be suspended unless the victim clicked the link that was sent to them to update their credit card details on the website.
Phishing entails numerous other techniques like quid pro quo attacks where, using the promise of a paid survey, the assailant collects personal information like the name on the passport, address, email, etc. Another example of phishing is vishing, where legitimate-sounding voice recordings played through a telephone system are used to gain financial information. Generally, phishing refers to assailants pretending to be a trusted institution or individual in an attempt to persuade one to expose personal data and other valuable information.
Another important factor that has escalated the frequency of social engineering attacks at present is social media. Considering the amount of personal information available on social media, one can only wonder if one is safe from cyber threats. Social media is a great hub of an individual's personal preferences and personal information, including name, date of birth, contact details, etc. This enables assailants or scammers to design tailored baits using information that they know the target is passionate about. This information can easily be collected through a user's likes, comments, the pages one follows, their posts, etc.
Within the context of the ‘Information Age’, everything we publicize or present to the internet has consequences. People must realize how their information can be used and in what way. The fundamental and most prudent way to protect oneself is through awareness. Additionally, companies or organisations could conduct training programs for workers to help them spot a scam. Internet users must enable trusted anti-malware software, use secure connections, and reject requests for help from an unverified source.
(Note: Social Engineering has a different meaning in Sociology)
Editors: V Samyuktha, Evita Vincy