An intro to Social Engineering Attacks

Photo by Priscilla Du Preez on Unsplash

Ever since India went into lockdown, news articles about people being duped of money online have been appearing frequently. Here are some of them:

Ordering pizza online goes wrong as businessman loses Rs 65,000 to cyber fraudster

Retired judge trying to sell furniture online duped of ₹90K in Pune

Mumbai doctor duped of Rs 1.43 lakh while buying wine online

Bhopal: Three duped in e-fraud

The common thread among all of them is that they were carried out online, most of them through websites that looked authentic, and in several cases the victim was promised something in return. All of these are social engineering attacks.

According to Wikipedia, “Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information”. In simpler words, social engineering is the act of manipulating someone into giving access to confidential or private information, usually by first gaining the person’s trust and then extracting the required information from him/her. So someone gaining your trust with an authentic-looking website, or one of your online friends jokingly trying to get your password, are both forms of social engineering.

Now that we have an idea of what social engineering is, let’s take a look at some common social engineering attacks.

Baiting:

Example of Clickbait ads, Source: Wikipedia

Here the attacker uses a false promise to lure the victim into a trap, either for economic gain or to obtain some personal information. The attacker might also use this technique to spread malware. Baiting includes the clickbait ads that you usually see all over the internet.

Phishing:

Image by Tumisu from Pixabay

Phishing is when the attacker pretends to be a trustworthy entity. The attacker might host a copy of a trustworthy website with minor differences, or might send the user authentic-looking emails. These attacks are carried out for economic gain or to obtain personal information about the user.

An example of this was the once-famous social media message which said “Spin the wheel to get a free gift/money/discount on a product”. The attached link would take you to a website that looked authentic or similar to well-known e-commerce sites, but with minor faults in either the name or the logos.
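To make those “minor faults in the name” concrete, here is a small Python script, added to this post as an illustration (it is not code from the original article or from any site mentioned here). It takes a link, pulls out the domain, and checks it against a constructed allow-list of brands: a brand name buried in a subdomain or hyphenated label, or a spelling that is only a character or two away after folding common look-alike substitutions such as 0 for o, is flagged as a look-alike. The brand list, the confusable table and the distance threshold are all assumptions chosen for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of brands a defender wants to protect (hypothetical names,
# not taken from the post); in practice this would be an organisation's own list.
TRUSTED_DOMAINS = ("amazon.in", "flipkart.com", "paytm.com")

# Characters and pairs attackers substitute for visually similar letters (assumed set).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
               "rn": "m", "vv": "w"}


def normalize(name: str) -> str:
    """Fold common look-alike substitutions back to the letters they imitate."""
    name = name.lower()
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the host from a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-part TLDs like co.in)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str, max_distance: int = 2):
    """Return (verdict, domain, matched_brand); verdict is trusted, lookalike or unknown."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain, None

    # 1) Brand name used as (part of) a subdomain or label: amazon.in.free-gift.xyz
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(brand in label for label in host.split(".")):
            return "lookalike", domain, trusted

    # 2) Near-miss spelling after folding confusables: amaz0n.in -> amazon.in
    normalized = normalize(domain)
    best_distance, best_brand = None, None
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(normalized, normalize(trusted))
        if best_distance is None or distance < best_distance:
            best_distance, best_brand = distance, trusted
    if best_distance <= max_distance:
        return "lookalike", domain, best_brand
    return "unknown", domain, None


if __name__ == "__main__":
    # Constructed links for demonstration only.
    for link in ("https://www.amazon.in/deals", "http://amaz0n.in/spin-the-wheel",
                 "https://flipkart-offers.com/win", "https://example.org/"):
        print(link, "->", classify_url(link))
```

The two-label domain extraction is deliberately naive; a real deployment would use a public suffix list so that something like a brand under co.in is handled correctly, and would treat the “unknown” verdict as a prompt to look closer rather than as a clean bill of health.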

Smishing:

Example of a fake SMS, source: DataQuest India

In smishing the attacker uses SMS/text messages to lure the victim into sharing personal or financial details. This type of attack generally consists of a text message in which the victim is offered some prize, and to claim it the user has to enter his credentials on a website or call a number.
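The prize-plus-link-or-number pattern described above is simple enough to score automatically. The following Python snippet is an added example for this post (not the article’s own code, and not a product): it runs a handful of weighted keyword checks over three constructed sample messages and flags the ones that combine a reward or urgency with a link, a callback number, or a request for an OTP or password. The indicator list, weights and threshold are illustrative assumptions, not a calibrated filter.

```python
import re

# Constructed sample messages, made up for this example (the phone number is a dummy).
SAMPLE_MESSAGES = [
    "Congratulations! You have won a Rs 10,000 prize. Claim now at http://bit.ly/abc123 before midnight",
    "Your account will be blocked today. Share the OTP sent to your phone to verify, then call 0000000000",
    "Your order #1234 has been shipped. Track it in the app.",
]

# Weighted indicators; the weights are an illustrative choice, not a trained model.
INDICATORS = {
    "prize_or_reward": (r"\b(won|winner|prize|free|gift|cashback|lottery)\b", 2),
    "urgency": (r"\b(now|today|immediately|urgent|before midnight|blocked|suspended)\b", 1),
    "credential_request": (r"\b(otp|one[- ]time password|password|pin|cvv|card number)\b", 3),
    "action_verb": (r"\b(claim|verify|confirm|update|call)\b", 1),
}
# Links, including shortener-style hosts written without a scheme.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:ly|xyz|top|tk|click)/\S*", re.I)
# Ten-digit callback numbers (Indian mobile format, as an assumption).
PHONE_RE = re.compile(r"\b\d{10}\b")


def score_message(text: str):
    """Return (score, list of matched indicator names) for one SMS body."""
    body = text.lower()
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if re.search(pattern, body):
            score += weight
            hits.append(name)
    if URL_RE.search(body):
        score += 2
        hits.append("link")
    if PHONE_RE.search(body):
        score += 1
        hits.append("callback_number")
    return score, hits


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """A message is flagged when enough independent indicators stack up."""
    return score_message(text)[0] >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, hits = score_message(msg)
        print(f"{score:>2} {'SUSPICIOUS' if is_suspicious(msg) else 'ok        '} {hits} :: {msg}")
```

The point of the threshold is that no single word is damning; a shipping notification can legitimately say “today”, but a message that asks for an OTP, pushes urgency and supplies a number to call hits several indicators at once, which is exactly the combination the precautions later in this post warn about.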

Vishing:

Photo by Jim Reardan on Unsplash

Vishing is similar to phishing, except that the attacker uses a phone call to lure the user into sharing personal or financial details. The attacker usually pretends to be from a trustworthy company’s customer service and offers to help you; in other cases the attacker presents an amazing offer/prize that the user can claim by sharing some details or paying some money.

Scareware:

Example of a fake security alert, Source: StackExchange

Scareware involves displaying false warnings and fictitious threats to make the user believe that his system is infected with malware. The attacker might then offer to install some software, or in some cases pose as a customer service employee and install malicious programs on the user’s device using remote access software. This is usually done to obtain personal information from the user’s device or financial information about the user.

These attacks can be prevented by following these steps:

  • Be careful of tempting offers
  • Install and update an antivirus software on your device
  • Backup your data regularly
  • Limit the amount of personal information you enter on social media or give away to strangers
  • Avoid plugging unknown drives to your computer
  • Use two-factor/multi-factor authentication
  • Regularly update your passwords
  • Never disclose passwords or one-time passwords to strangers
  • Never open email attachments from suspicious sources

Fun fact: Recently Kerala became the first Indian state to get a cybercrime investigation division, Source: New Indian Express

Recently we can observe a rise in users taking privacy seriously, be it shifting to a secure communication app or using privacy-focused browsers like Brave and search engines like DuckDuckGo. Still, social engineering attacks are on the rise, because these attacks depend on how alert the user is.

A Developer trying to write blogs