We are all aware of the breed of threat actors who use their technical expertise to infiltrate a secure network in order to siphon off sensitive information from an organization or a selected user. Countering their advances with progressive technologies is the preferred route for most, since this breed of threat actors always makes news with their criminal exploits. However, there is another breed of threat actors, armed with a different modus operandi, that exploits a weakness found in every organization: human psychology. These threat actors are called social engineers.
With the help of everyday technology, these social engineers trick their targets and elicit sensitive data through whatever medium the target uses.
Our team at MicroWorld encountered one such incident when they were contacted by an employee of a client who questioned the effectiveness of our software after his personal integrity was harmed by the misuse of his virtual identity.
In this case, the threat actor somehow obtained a picture of the victim and used it as the profile picture of a new WhatsApp account that was in no way connected to the victim. The perpetrator then messaged the victim's known associates and well-wishers, requesting monetary assistance on the pretext that he was caught in a difficult situation.
The fraudster relied on the reaction this message would elicit from its recipients. Unknowingly, a few good Samaritans from the victim's contact list fell into the trap and transferred the requested amount, believing that they were helping someone they knew.
The plan was working well until one vigilant person on the recipient list of the fraudulent message got in touch with the victim, not only to verify the request personally but also to enquire about his well-being. That is when the incident came to light: the victim denied being in any emergency and confirmed that he was not the source of the fraudulent message.
Our team of experts would like to state clearly once again that this is not a hack of a software application; rather, it is a case of social engineering, where human psychology is leveraged to siphon off money.
Given that such incidents are on the rise, our experts suggest observing the following prevention steps in order to protect oneself from being manipulated.
- Educate Yourself
If a person is not aware of the type of attack he or she is exposed to, then they cannot possibly defend themselves against it. When it comes to social engineering, the two most common pretexts used to elicit information are posing as a known source, and posing as someone hired by a trusted source to conduct an audit or a survey. One should always confirm the pretext with another trusted source instead of giving information away without a second thought.
- Be aware of the information that is being shared
This tip covers all kinds of information shared across mediums, whether verbal or written, including email and social media. Given that social media is turning into a marketplace for such social engineering attacks, one has to be ever vigilant about what is being shared and with whom.
- Determine which assets hold the most value
When many companies plan for network security, they plan to secure the assets of the greatest monetary importance to them. What they should do instead is ask which assets would be valuable from a criminal's perspective. Organizations need to consider this as they evaluate assets, looking beyond the asset's importance to the delivery of a service, product or intellectual property.
- Policy and Awareness Training
Once it is determined which assets are the most alluring to the cybercriminal ecosystem and which pretexts criminals are likely to use to pursue them, one should write a security policy to protect those assets and ensure the policy is followed by everyone. Backing this step with awareness training is vital. Employees and individuals need a clear set of guidelines on how to respond if such a situation arises. In the absence of such guidelines, people act according to their own perception, which often ends in information being given away.
- Keeping the software updated
Threat actors use social engineering methods to determine whether an individual or organization is running unpatched or outdated software. Staying updated and patching regularly can mitigate many of these risks.
- Ownership is security
Usually, security programs fail because they are not personal to the employees or individuals. It needs to be understood that what applies at work also applies at home. Criminals do not respect the boundary between professional and personal life; any information from a compromised system will be leveraged, whether it is professional or personal.
- Where the rubber meets the road
When you are in a conversation with an untrusted source or an unknown person, make sure they are entitled to the information they are asking for. In many cases, sensitive information or monetary aid is requested from potential victims by imposters posing as a trusted source. Consequently, you have to verify that the information is being shared with the right person and for the right cause.
- Questions that don't fit the pretext
If a person asks for aid, or asks a question, that does not fit their persona, it should set off alarm bells and the exchange should proceed with care. Additionally, if a sense of urgency is created to push you into a decision, slow things down and make sure you make the right decision, regardless of what an untrusted source is telling you.
To read more, please check eScan Blog