Social Engineering: Biggest Cyber Security Threat
When you hear of frauds in which people are tricked or duped out of their money with fake credit cards, or of break-ins into Government websites or one’s private social media sites, you cannot remain unaffected. You may wonder how these people do this when so many IT security tools are in use. This is where ‘Social Engineering’ comes in.
To a layperson, the term ‘Social Engineering’ could mean something beneficial, something to do with the ‘social’ aspect of Engineering (like electrical, mechanical or chemical engineering). But it has another meaning: the different methods used to manipulate people into granting access to buildings or systems, or into sharing confidential information, in order to commit fraud. The most harmless use of social engineering is seen in any household: a child getting her way with her father so that he buys her favorite toy. The same principle of manipulation is applied to different situations with different people.
- Kevin Mitnick, the reformed computer criminal who is now a security consultant, states that “The weakest link in the security chain is the human element.” The only purpose of a social engineer is to gain the trust of an individual in order to obtain crucial information, whether to make a financial gain, steal one’s identity, or prepare for a more targeted attack.
- 98% of cyber attacks rely on social engineering.
With Information Technology spreading its wings over all aspects of human interaction, in education, banking, shopping, social media, etc., the threat of social engineering is felt just as widely. The social engineer tries to build trust and gather information by various means, or even develops a relationship that he can exploit to get the victim to share information or perform actions that serve his purpose.
The different ways a social engineer tricks people:
- Pretexting is the most commonly and widely used technique, wherein a person assumes a false or fake identity to gather personal information.
- Shoulder Surfing is mostly done by watching over a person’s shoulder while they key in a password on a laptop, make a banking transaction, use an ATM card, etc.
- Diverting Theft, also known as the corner game, is when the person convinces a courier or transport company that he is actually the intended recipient of the consignment.
- Dumpster Diving is when someone goes through the trash to gain information from bits of paper with passwords, addresses or e-mail IDs.
- Phishing is an Internet fraud where an e-mail appears to come from a legitimate business (a bank or credit card company), requesting "verification" of personal information and warning of serious consequences if it is not provided.
- Tailgating is when a person gains entry into a physical facility by bluffing or fooling a legitimate person.
- Baiting uses an infected CD or device left unattended in a place to arouse a person’s curiosity, so that they check its contents on a system, thereby compromising the system.
- Quid pro quo, also known as the “give and take policy”, is when the person offers help, usually a free gift or technical support, in exchange for personal information.
- Fake Pop-ups are programs designed to appear in the middle of legitimate work, telling the person to re-enter his ID and password to resume work because of a network connectivity problem, thereby capturing personal information.
In summary, the above methods are used to get personal details which you would never reveal under ordinary circumstances. If companies like Google and media sites like Facebook were not spared by cyber attacks, less prepared people will only be caught unaware. Being aware of ‘Social Engineering’ not only alerts you to the schemes used by ill-intentioned people but also prepares you to defeat their plans.
As Miguel de Cervantes wrote, “Forewarned, forearmed; to be prepared is half the victory.”
Call to Action
Report a cybersecurity breach to Q-CERT in one of three ways: call +974 4493 3408 (24/7 service), email incidents@qcert.org, or complete the Q-CERT incident reporting form.