Cybersecurity is undoubtedly an interesting industry. No matter how well people protect themselves from cybercriminals, the latter come up with new and inventive methods to harm them. One technique that is being used increasingly by such actors is to psychologically manipulate victims in order to gain access to their private details. This technique, known as social engineering, can render even the best cybersecurity measures useless, because it works by gaining the victim’s trust and willingness to share private information. In an interview with Dataquest, Venkat Krishnapur, vice-president of engineering and managing director, McAfee India, talks about social engineering, the tactics fraudsters deploy to carry it out, and tips on how users can secure themselves.
What is social engineering and what is the process used to do the same?
Social Engineering in the context of information security is the intentional application of fraudulent techniques, aimed at psychologically manipulating users into sharing information or performing actions that can potentially harm their lives and digital assets. This can happen over the phone, email and even in-person.
Cybercrooks play with human emotions such as fear, sympathy, curiosity, and greed to trick people into clicking on malware-ridden bogus links, malicious pop-up advertisements or using physical media such as flash drives to gain access to confidential information.
How can one identify a social engineering scam and who are the prime targets?
Most social engineering attacks offer incentives that are too good to be true. Right from congratulatory messages about winning a million-dollar lottery to charity grants for a calamity-stricken community, scammers are quick to latch on to such cleverly crafted stimuli to obtain their victims’ sensitive information such as addresses, contact details, bank details and so on.
Lookalike websites with URLs that have been cleverly crafted with minor changes are another way of getting innocent users to click on links that are malicious. Incorrect grammar and typos are the most common indicators of potential malicious activities on that webpage.
Telecallers who create an insane sense of urgency, are overly eager to acquire your card details or apply unusually high pressure are most likely to be scammers. Be suspicious of untimely and unsolicited calls. Phishing emails or messages usually carry conventional social engineering phrases such as “photos sent,” “payment,” “please confirm” to generate curiosity among their victims. Anything “Free” or with words such as “Reward” is a common way to grab someone’s attention and redirect victims to bad links.
Social engineering attacks are not only targeted at a common internet user or a social network user who may be unaware of phishing; high-level employees including the C-suite, regardless of the sector, are becoming the latest targets of spear-phishing. We are also witnessing targeted email attacks on SMBs, as security often takes a backseat in their enterprise strategy owing to restricted budgets. Essentially, if you have an internet connection and are using online services that require you to input sensitive information, you are a potential target.
What are the popular tactics deployed by fraudsters to carry out social engineering attacks?
Social engineering attacks come in different forms and can be accomplished wherever human interaction is involved. As stated earlier, they can happen online, over the phone, or in person.
Phishing is a subset of a social engineering strategy where a malicious party sends fraudulent communication disguised as an authentic source. Intended to mislead the recipient into divulging sensitive information, this email carries malicious links which if clicked on, will install malware into the user’s device. Additional techniques include spear phishing, tailored for a specific individual or organization and vishing, also known as voice phishing – the use of social engineering over the phone, to acquire financial or personal data from the target.
A honey trap is another popular method in which the attacker pretends to be an attractive person online, fakes an online relationship and gathers sensitive information in the process. Another common tactic deployed is using attachments in emails from people known to the victim. Malware is used to attack users’ address book and send emails with the attacker’s file attached to all their contacts.
On an enterprise level, these techniques allow attackers to pose as malicious insiders to infiltrate multiple organization systems and extract sensitive data. Eventually, social engineering could lead to organization compromise, wherein classified information such as emails, client data, credentials, source code, could be stolen by cybercriminals.
Techniques to counter and prevent social engineering attacks
Social engineering continues to be a tool that cybercriminals exploit because it is successful, traditional security defences fail to detect it, and it is so much easier than cracking software or hardware related vulnerabilities. This is a simple exploitation of the vulnerabilities of the human mind. They do this by playing on people’s emotions and relying on the fact that many are not aware of the value of the information they possess and are negligent about protecting it.
In order to counter these:
- Avoid opening emails and attachments, clicking on links from suspicious sources and responding to requests for sensitive or private information, even if they appear to come from a trusted source. Financial institutions and most trusted websites do not send emails or text messages asking for username and password information. Hover your mouse over the link of the webpage to know its destination address.
- Use two-factor authentication to enhance your level of security.
- Use security software as you need tools to help identify malicious behaviours online.
- Ensure you install all software updates regularly. Technical defences will help reduce the occurrence of social engineering attacks.
- Security awareness training also goes a long way towards preventing social engineering attacks. If people recognize the various forms social engineering attacks can take, they are less likely to become victims.
Eventually, socially engineered attacks rely on the victim being naive, gullible, and typically uninformed. Adopting a healthy sense of skepticism, a tendency to be protective of personal information, and a knowledge of preventative measures can go a long way towards ensuring the security of digital assets. Most importantly, Stop, Think and Connect: do not blindly click on e-mails or links. Between using the right set of tools (machine) and common sense (mind), you will go a long way in staying safe and enjoying all the benefits that come from being online.
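The indicators named in the interview (lookalike URLs with minor changes, lure phrases such as “please confirm” or “payment”, and the advice to hover over a link to see where it really goes) can be turned into a simple automated check. The following is an added example, not code from the interview or from McAfee; it scans a constructed HTML email and reports each indicator it finds. The brand list, the lure-phrase list and the sample message are assumptions built for illustration, and the domain handling is deliberately crude (last two labels, no public-suffix list).

```python
"""Added example (not from the interview): a small phishing-indicator scanner
that applies the checks described in the article to a constructed email.

It flags (1) links whose visible text names one domain while the href points
elsewhere (the "hover over the link" check), (2) destination domains that are
one or two edits away from a known brand (lookalike URLs), and (3) urgency or
reward phrases commonly used as social engineering lures.
The brand list and the sample message are constructed for illustration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains a defender would treat as trusted brands.
KNOWN_BRANDS = {"example-bank.com", "mcafee.com"}

# Phrases quoted in the interview as common social engineering lures.
LURE_PHRASES = ("photos sent", "payment", "please confirm", "free", "reward")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'minor changes' in a domain name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain (no public-suffix list); enough for a demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def lookalike_of(domain: str) -> str | None:
    """Return the brand this domain imitates (1-2 edits away, but not equal)."""
    for brand in KNOWN_BRANDS:
        d = edit_distance(domain, brand)
        if 0 < d <= 2:
            return brand
    return None


def scan_email(html: str) -> list[str]:
    """Return human-readable warnings for the given HTML email body."""
    parser = _LinkCollector()
    parser.feed(html)
    warnings: list[str] = []

    for text, href in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Check 1: visible text shows a domain, but the href goes elsewhere.
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            warnings.append(f"link text '{text}' but destination is {target}")
        # Check 2: destination domain is a near-miss of a trusted brand.
        brand = lookalike_of(target)
        if brand:
            warnings.append(f"lookalike domain {target} resembles {brand}")

    # Check 3: lure phrases that create urgency, curiosity or greed.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in LURE_PHRASES:
        if re.search(r"\b" + re.escape(phrase) + r"\b", plain):
            warnings.append(f"lure phrase: '{phrase}'")
    return warnings


# Constructed sample message carrying all three indicator types.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your payment details within 24 hours.</p>
<p>Visit <a href="http://login.examp1e-bank.com/verify">example-bank.com</a> now.</p>
"""

if __name__ == "__main__":
    for w in scan_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run as a script, it prints four warnings for the sample: the text/destination mismatch, the lookalike domain (`examp1e-bank.com` is one edit from `example-bank.com`), and the two lure phrases “please confirm” and “payment”. A mail gateway or awareness-training tool would use the same three checks as a first filter; a real deployment would replace the constructed brand list with the organisation's own domains and use a public-suffix list instead of the last-two-labels shortcut.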