You often read in newspapers and hear on news channels about the theft of customer data from banks and telecom organizations. You might wonder what kind of techniques or technical skills the hacker would have used to carry out these attacks. The fact is that hackers are using less technology and more social skills to execute them. These attacks, popularly known as social engineering, are a way of convincing people to reveal their secure personal information. Social engineers are skilled people who are able to make an impression on the victim and, through them, get to know information such as customer records, server login information, etc. When they target an organization, they target a person who is part of the organization to get as much information as possible. This may take longer, but some social engineers are successful because the victim is not aware of these techniques and easily falls for them.
Social engineering can be stopped only through promoting awareness. It is not just organizations that are potential targets, but ordinary people too. This is because we are unaware and are not careful with our personal information, as we don’t understand its significance.
It is your responsibility to teach your students about the importance of valuing their personal information and also keeping tabs on how their information is used in the real world as well as online. Awareness is about being prepared to counteract any risk that may affect personal information. Social engineers study the victim and get to understand their strengths and weaknesses. Some students may fear someone who is in authority. So social engineers may pose as someone with authority and compel the victim to follow their instructions. Some social engineers pretend to be representatives of a particular organization, producing an ID card with their personal details on it. They may try to promote a service and talk in a convincing way, gathering information about you as well as your family members. The schemes of social engineers are not predictable. What can be predicted is your evaluation of someone asking for your personal information.
Social engineers do not always get close to victims to steal their personal information; they may instead be using victims to get information about the places and people they are associated with, such as their school, company, friends, neighbors, educators, etc.
One way of promoting awareness is conducting workshops in schools with parents and students showcasing a social engineering incident.
These workshops should present the different techniques social engineers use, both through computers and in person, and focus on what social engineering victims had to say and the kind of damage it caused to their family’s reputation and financial status. You could also highlight how a business organization suffered a loss of customer information and reputation and had to spend money to restore trust in its business.
Every awareness training course should conclude with an action plan. Hence you should define a protocol to be followed by the staff, students and parents. Parents can use the same protocol at home. It should provide guidelines for students to limit the amount of personal information they share, both online and in the real world. They could use Google to identify how much of their own and their family’s information is available online, then take measures to remove it and make sure not to provide such information in the future.
Students should never share personally identifiable information over the phone; if a caller insists, they should ask for a call-back number and inform their parents about it. They should limit the amount of personally identifiable information they carry physically and, in case of theft, immediately inform their parents and register a complaint with the police.
This kind of awareness will help students realize that social engineering is a serious risk and that they need to be serious about how they deal with it.