This article has been written by Anwar Bhikan Shaikh, pursuing a Diploma in Law Firm Practice: Research, Drafting, Briefing and Client Management from LawSikho and edited by Shashwat Kaushik.
It has been published by Rachit Garg.
Introduction
Social engineering attacks are growing day by day in today’s era of technology. A social engineering attack is one in which the attacker manipulates a person, rather than exploiting a technical flaw, into handing over information, money or access, and it can arrive through any device or channel: a PC, laptop, mobile phone, telephone call, SMS or e-mail. People with little technological knowledge are the most frequent victims, although well-crafted attacks deceive experienced users too.
To understand how to prevent social engineering attacks, we first need to understand what a social engineering attack is and what types exist. Social engineering attacks come in many forms, and as time passes scammers invent new ones.
What are social engineering attacks
A social engineering attack is any malicious or manipulative activity by which an outsider, unauthorised person or scammer tricks a person into giving up crucial information or access, getting past security controls without having to break them. The information obtained is then used to steal money, to tamper with data, or to blackmail the person, business or organisation concerned. Such activities are a threat to every person and business in the online world: once the scammer has the information, the victim can suffer a huge loss, such as loss of data or theft of money from a bank account.
Every person who has access to the internet should use it wisely so that they do not become the victim of a social engineering attack.
Types of social engineering attacks
Types of social engineering attacks are:
Phishing: This is an attack carried out through social media, SMS, e-mail and hyperlinks, and increasingly through attachments such as PDF files. Attackers pick their targets and, using various tactics and tricks, try to extract confidential data from the victim by abusing the victim’s trust: they impersonate a reputable and well-known company or person, reusing the real company’s logo, signature, images and sign-off, or setting up look-alike websites and e-mail addresses that differ from the genuine ones by only a character or two. The victim, without verifying the e-mail or website, opens it and enters confidential data, and the attacker takes advantage of it.
Prevention: phishing attacks can be avoided if certain things are always kept in mind. An unsolicited message claiming that suspicious activity or login attempts have been noticed on your account is a classic phishing lure. Do not click the link or open the attachment in such a message; instead, open the service’s official website or app by typing its address yourself or using a saved bookmark, check the sender’s actual e-mail address and not just the display name, and report the message to the organisation it claims to come from.
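As an added example that is not part of the original article, the following Python script shows how a mail gateway or a helpdesk analyst can mechanically check the sender headers of a message for the spoofing patterns described above: a display name that borrows a trusted brand, a domain that differs from the genuine one by a character or a look-alike glyph, a punycode (internationalised) domain, and a Reply-To that points somewhere other than the From address. The trusted domains, the homoglyph table and the sample messages are all hypothetical and constructed for this illustration.

```python
# Added example: heuristic phishing checks on e-mail sender headers.
# The trusted domains and the sample messages are hypothetical and
# constructed for this illustration; they do not come from the article.
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domains this organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Character swaps that look alike in many fonts. Multi-character pairs are
# listed first so that "rn" becomes "m" before the single characters are handled.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Decode punycode labels, strip accents and undo homoglyph swaps so that
    'examp1e-bank.com' and 'exämple.com' compare equal to the genuine names.
    This is deliberately aggressive: it is a triage heuristic, not a verdict."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    text = unicodedata.normalize("NFKD", ".".join(labels))
    text = text.encode("ascii", "ignore").decode()  # drop accents, e.g. ä -> a
    for glyph, plain in HOMOGLYPHS:
        text = text.replace(glyph, plain)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small values indicate typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


NORMALIZED_TRUSTED = {normalize_domain(d) for d in TRUSTED_DOMAINS}
# Brand words a spoofed display name would reuse: "example-bank.com" -> "example bank".
BRAND_NAMES = {d.split(".")[0].replace("-", " ") for d in TRUSTED_DOMAINS}


def sender_domain(header_value: str) -> str:
    """'Example Bank <alerts@example-bank.com>' -> 'example-bank.com'."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def analyze_sender(raw_message: str) -> list:
    """Return the names of the phishing indicators found in the headers."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    findings = []
    if not domain:
        return ["missing_from_address"]
    if domain not in TRUSTED_DOMAINS:
        if any(label.startswith("xn--") for label in domain.split(".")):
            findings.append("idn_domain")
        norm = normalize_domain(domain)
        if norm in NORMALIZED_TRUSTED:
            findings.append("homoglyph_domain")
        elif any(levenshtein(norm, t) <= 2 for t in NORMALIZED_TRUSTED):
            findings.append("typosquat_domain")
        if any(brand in display_name.lower() for brand in BRAND_NAMES):
            findings.append("display_name_spoof")
    reply_domain = sender_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages (not real mail), one per indicator.
SAMPLE_MESSAGES = {
    "legitimate": "From: Example Bank <alerts@example-bank.com>\nSubject: Statement\n\nbody\n",
    "homoglyph": "From: Example Bank Security <alerts@examp1e-bank.com>\nSubject: Unusual login\n\nbody\n",
    "typosquat": "From: IT Helpdesk <helpdesk@exampel-bank.com>\nSubject: Password reset\n\nbody\n",
    "display_name": "From: Example Bank <notice@mail.example.net>\nSubject: Verify your account\n\nbody\n",
    "reply_to": "From: Support <support@example.com>\nReply-To: billing@attacker.invalid\nSubject: Invoice\n\nbody\n",
    "idn": "From: Example <info@xn--exmple-cua.com>\nSubject: Hello\n\nbody\n",
}


def triage_samples() -> dict:
    """Run the checks over every sample and return {name: findings}."""
    return {name: analyze_sender(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name:13s} -> {findings or ['no indicators']}")
```

Running the script lists the indicators for each constructed message; only the legitimate one comes back empty. The checks are heuristics for triage and for training users to look at the real address rather than the display name; on a gateway they complement, rather than replace, cryptographic sender authentication, and the homoglyph table should be extended for the alphabets the organisation actually deals with.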
Baiting and quid pro quo attack: Under baiting, the scammer offers the target something that looks useful or attractive, such as a free download, a software update or a USB drive left where it will be picked up, and the bait itself carries the malware. A quid pro quo attack is similar to baiting, but here the scammer promises to perform some action that will benefit the victim, and to receive that benefit the victim is required to perform some task or action in return, such as disclosing credentials or switching off a security setting.
Some examples of baiting and quid pro quo attacks are below:
- The attackers call the firm or company extension, say that they are calling from the IT department, and ask the victim whether they need any support or have any technical issues; in this way they hunt for prey.
- Sometimes you see great opportunities online, like offers and deals, where you just need to download some kind of file. These are also forms of baiting and quid pro quo attacks.
Pretexting: This is a kind of attack where scammers approach the victim under a fake identity and a fabricated story (the pretext) to influence the target into providing sensitive information such as bank details or login credentials. The scammer may, for example, pretend to be an external IT service provider; once the scammer gains the victim’s trust, they can easily obtain sensitive information.
Some signs of pretexting are below:
- You receive a message claiming to come from the CEO of a particular company, from your bank or from anywhere else, saying that the CEO needs your personal information immediately and cannot wait because he is in a meeting. Do not hurry to provide any information in such a scenario.
- Scammers may try to build rapport with the victim and gain their trust by starting with simple questions like “Are you available now?”
- Victims receive a suspicious message from scammers asking for personal details like date of birth, bank account number, credit or debit card number, etc.
Tailgating: This is an attack where the attacker behaves like an authorised person and follows a legitimate user through a controlled door into a restricted area, such as a data centre or the server room where all the data is stored, piggybacking on that user’s access. Once the scammer is inside, he has physical access to the equipment and to the crucial information on it.
Watering hole attack: In this attack, the attacker compromises a legitimate website and injects malicious code into it. The website chosen is one that a specific group of people visits frequently, such as an industry-specific forum or news site, so that anyone from that group who visits the site has their computer or other device infected with a virus or malware.
Spear phishing: Spear phishing is a more systematic, well-planned and targeted form of phishing that begins with gathering information and conducting research on the targeted victim, individual or organisation. The attackers use that information to create highly personalised, fake and convincing e-mails. To the victim, these e-mails seem to come from a co-worker, manager or superior, or in the name of the organisation itself, which makes them much more difficult to identify or detect.
We have now seen what a social engineering attack is and what the different kinds are. Next we will see how to avoid them.
Methods to avoid social engineering attacks
Following are some of the methods to avoid social engineering attacks:
Greed: First, don’t be greedy for anything, not only in the real world but also online: free coupons, free gifts, bumper offers, etc. This is a common pattern of attack; in return for the “gift”, scammers ask you to provide details like your date of birth, phone number, the company where you work, etc. Remember, nothing comes for free, and there are always hidden charges that you will have to pay sooner or later.
Empathy: Whenever anyone, for no reason, offers you help with your work or tries to be your saviour, do not accept the offer. In such a scenario, the scammers obtain pieces of information from you in the name of help and later put all the data together to achieve their purpose.
Urgency: This is a very common attack where the scammer takes advantage of your real-time situation, such as when you are away from your workplace, driving, eating or sleeping. The scammer contacts you pretending to be someone you trust and asks for certain important information, saying that the CEO needs it right now and is in a meeting, so kindly send the documents or provide the details. It is always better not to respond to anything that arrives in a hurry or on an urgent basis. First verify the request through a channel you already trust, such as calling the person back on a number you already have, and only then provide the information if the request is genuine.
Fear: This scam works by putting the victim under fear or pressure. The targeted victims are scared in such a way that they take immediate action without thinking, for example because they fear losing money or are told that their computer or other device is infected with a virus. In such a situation the victim should not panic and should not take any action without thinking critically or consulting a known and trustworthy expert.
Keep systems and software up to date: Users should keep the operating system, applications and antivirus software on their devices up to date, since many attacks rely on known flaws that a patch has already fixed. Sometimes, if required, the device itself should be replaced, for example an old PC or laptop that no longer receives security updates from its vendor, so that both the software and the hardware are current.
Authenticating and proofing the identity: To prevent the impersonation of legitimate users, there should be proper verification of users with the help of biometric data, ID verification and two-factor or multi-factor authentication, which helps to stop attackers from using stolen credentials on their own. Note that a one-time code is itself a credential: a scammer who asks you to read out or forward the code you have just received is trying to get past this protection, so never share such a code.
Following are some of the basic and easy practical steps to prevent social engineering attacks:
- Always be cautious when replying to any message. Verify the authenticity of the message before replying.
- If there is any request for sensitive information like a user ID or password, do not respond until you are sure of its genuineness.
- Secure devices by installing the latest anti-virus software, email filters, firewalls, etc., and keep the system updated from time to time.
- Set your spam filter to a high security level.
- Avoid or reject unsolicited requests for help or offers of help.
Conclusion
A social engineering attack is carried out after the attackers have figured out how to take advantage of the victim’s lack of knowledge. To prevent such attacks, users should keep their knowledge of social engineering techniques up to date and should use updated software and hardware on a timely basis.