Social engineering is a psychological manipulation technique used to commit fraud. It exploits psychological, social or organizational weaknesses to obtain sensitive information illegitimately. Relying on charisma, imposture and nerve, hackers deceive the people they attack and abuse their trust. This is often the first step in a large-scale attack to break into a company for malicious purposes.
SOCIAL ENGINEERING MEANING
A travel companion or business associate may ask indiscreet questions about the organization. In a relaxed environment, we may be more inclined to discuss sensitive topics. Sometimes a phone call to an employee can elicit a good deal of information. Social engineering uses socio-professional relationships to collect confidential information.
Attackers can learn the names of executives through public sources such as web pages, newsletters, and company brochures. Attackers can say something like, “I’m gathering some information for so-and-so,” using the name of a high-level executive. This might be enough to get the employee to give out information.
Attackers may make a phone call to the IT department and ask something like, “I can’t remember my password. Can you help me log in?” Such an inquiry may convince an untrained help desk technician to change the password and give it to attackers. It’s also possible for an unsuspecting employee to give up his or her own username and password, allowing attackers to log on with that employee’s account.
TYPES OF SOCIAL ENGINEERING
The following sections identify some common social engineering tactics:
- TAILGATING SOCIAL ENGINEERING
Tailgating (or piggybacking) occurs when someone passes through a controlled entry without providing credentials by following closely behind someone who has provided credentials. As an example, some organizations issue proximity badges to users. Employees swipe their badge in front of a proximity badge reader and it unlocks a door.
- IMPERSONATION
Another social engineering tactic is impersonation, where the social engineer impersonates someone. Impersonation can be over the phone, such as by invoking the name of someone in authority. It can also be in person, such as impersonating a technician.
- SKIMMING
Skimming is the process of capturing information from credit cards at point-of-sale (POS) readers, gas pumps, and automated teller machines (ATMs). The attacker typically places a thin filament-based plastic, called a skimming film, into a card reader. When the victim inserts their credit card or debit card into the reader, the skimmer captures the data on the credit card or sometimes withdraws money from the debit account.
- DUMPSTER DIVING
Many attackers gain information by sifting through someone else’s trash, a practice commonly known as dumpster diving. Dumpster diving can provide significant returns depending on how much information an organization or an individual throws away.
- SHOULDER SURFING
Shoulder surfing is the practice of looking over someone’s shoulder to gain information. For example, an attacker may try to watch someone enter a username and password to learn the user’s credentials, or watch someone enter the numbers for a cipher lock on a door, a PIN for a badge, or even a PIN for a debit card.
SOCIAL ENGINEERING ATTACKS
Attackers are taking advantage of the popularity of social networks such as Facebook, Twitter, and YouTube to launch social engineering attacks. Attackers craft e-mails that look exactly like they came from the social network site and send them out to users.
HOW TO PROTECT YOURSELF FROM SOCIAL ENGINEERING?
Some solutions can be used to protect yourself:
- On the phone, always check the identity of the person you are speaking to
- Be discreet when having conversations outside the organization
- Do not communicate any confidential professional information in your personal environment
- Never answer suspicious e-mails
- Do not disclose confidential information on social networks
- Check the classification level of information that the person you are speaking to is authorized to receive