Social Engineering is the act of deceiving people into gaining access to sensitive data by preying on human psychology. The main difference between social engineering and hacking is that the latter uses software and technical methods to gain access into a building or system to steal information, whereas the former uses social techniques like making friends, playing with emotions, coercing and sometimes blackmailing to steal information.
Online social engineering is on the rise because the majority of people are dependent on the Internet and there is a lack of awareness about it. As educators, you have to understand social engineering first and then make sure you educate your students about it.
Familiarize the students with the different techniques a social engineer might use on them to gain information. Here are a few of them:
Phishing: Each student owns an email id and may have more than one with different online services. Social engineers may already have gained some basic information about them from their surnames. Email addresses can be attained by asking a fellow student. The concern is some students go public with their email id without thinking of the consequences of it falling into the hands of the wrong person. This applies to phone numbers too. A social engineer uses the email address to send an email about the social networking account server getting upgraded and requests certain confidential or personal details for security purposes. Teach students never to share personal information online without authenticating since no online account would ask for personal information for its upgrading process.
Voice Phishing: In this technique the social engineer may call the student posing as the school’s computer administrator asking them to provide the school’s intranet user name and password. Students may believe the identity of the caller and provide the information. The social engineer may get into the school’s system server and gain access to cause damage or other serious harm. In such cases the social engineer may be a disgruntled ex-employee of the school and would want to damage the school’s server to get even with the management.
Advise students to never share user names or passwords with anyone. If someone insists, ask them for a call back number, so that they can check with the educator or the school’s reception before providing access to such information.
Baiting: In this technique the social engineer may intentionally leave a USB or memory card on the ground for a student to find it. The student would might pick it up and plug it into a system giving access to the embedded virus files on the USB that can infect the system, corrupting the data. If it is a Trojan file it can give access to the social engineer to not only view information to misuse it but also to delete it.
Teach students never to plug in any USB device which they find in public places. Help them understand what a virus can do on their system.
Blackmailing: In this technique a social engineer pretends to be a friend of the student online and develops a close friendship with them. The student may start trusting them to share some personal information which is not even known to the family or close friends. The social engineer, after learning such secrets, may blackmail the student for money or to get more information.
Tailgating: In this technique the social engineer will enter the school premises and seek the student’s help by telling that him/her that they are related to a classmate. The student, trusting the social engineer, may take them inside the school’s premises by assuring the security personnel. The social engineer, after entering, may find out where the server room is and also the admin department to steal documents if found unattended which may damage the school’s reputation, or find out where valuable equipment is located for a burglary at a later time.
These are some common techniques used, but there may be many new schemes and techniques devised by social engineers now. Keep updating and educating the students based on current practices and guidelines.