Social engineering

Introduction:
” 22 bank accounts hacked, ₹5.3 lakh stolen in 48 hours” scream the headlines in a local newspaper (Source: http://www.thehindu.com/news/cities/bangalore/22-bank-accounts-hacked-53-lakh-stolen-in-48-hours/article22538891.ece)
How did it happen? Two customers were duped of nearly 20,000 Rs and 50,000 Rs by a two conmen(or was it one?) who called the customers in the guise of “bank agents”. They were  asked for their bank details and OTP(one time password) The customers readily obliged since the call was from their “bank”. In a short time, they noticed, that their money was fraudulently withdrawn. 
This is the social engineering technique used by hackers and fraudsters.Let us see this in greater detail.

What is social engineering?
Social engineering is the art of convincing a person to part with their personal/financial details by “smooth talking” by taking you into their confidence and making you spill the details. Who doesn’t like a good talk? A good talker will gain your trust and all personal/professional details too!
This “sweet talking” individual will sway the customer to part with their personal/professional details thereby robbing them of money/critical information thus causing monetary and psychological damages.
Social engineering also involves techniques whereby a dubious individual can gain an illegal entry into businesses thereby gaining an illegal access to the data too. All these techniques require careful planning and execution of the attacks which might spread over a period of time. 

There are different ways that a social engineering plot can be implemented:

a. Via Phone:
One popular technique may be related to asking for financial details like the OTP (One time password of a transaction), passwords to financial institutions, credit/debit card details and so on via the phone(as in the above example) (here, we trust the person on the phone when they say they are calling from the “bank”)This is in fact the easiest method to implement social engineering.

b. Online
With most of us spending a majority of out time online, Internet scams are the easiest to commit. One example is the case of phishing emails.  ‘Phishing emails’ send users to a vicious links or website. The same email is forwarded to other contacts in the address book, thereby making it appear genuine and encouraging the other contacts to click the malicious link as well(here, we trust the vicious link from our contact without thinking twice)

c. Tailgating
‘Tailgating’ is a most prominent way to enter a business enclave without proper credentials. Think of it as, an unauthorized individual entering an organization by ‘tailgating’ behind an authorized individual without a badge(here, we trust the person tailgating behind to enter the organization) 
There are plenty of other ways to engineer a such an attack.The weakest link in the Information security domain is always the “human factor“. Inspite of installing the best anti-virus software or the firewall, if a malicious individual decides to “sweet talk” you into buying a software that is infected, you run the risk of infecting your system with a virus. It is the primary reason why social engineering attacks win big time. 

How to prevent social engineering attacks:

1. As stated on most bank websites – “State Bank or any of its representative never sends you email/SMS or calls you over phone to get your personal information,password or one time SMS (high security) password”(Source: https://retail.onlinesbi.com/retail/login.htm) Never give or trust anyone who says they are calling from the bank and give them personal/financial details.
2. Do not click on any links that say “You have won the lottery!”
3. Similarly, do not click on any attachments that ask for help from a foreign country. 
4. For businesses, security awareness training should be made mandatory with all the above rules and regulations reviewed at regular intervals.
5. It is always good to stay alert and wary of your surroundings at all times. 

We saw the concept of social engineering in this post. ‘Social engineering’ techniques will not diminish over time, but they can be reduced by properly educating ourselves.