Social engineering is the art of manipulating or deceiving people into giving out confidential information, with the aim of gaining control over their computer systems. The attacker's goal is to deceive unsuspecting victims into sharing their personal data, opening links to infected websites, or unknowingly allowing the attacker to install malicious software on their computers. Let us try to understand the concept of social engineering attacks through some examples.
Examples of Social Engineering Attacks
A social engineer may pretend to be an employee, a valid user, or a VIP by faking an identification card or simply by convincing employees of his position in the company. Such an attacker can gain physical access to restricted areas, which provides further opportunities for attack.
An attacker may befriend company personnel and establish a good relationship with them over a period of time. This relationship can be established online through social networks and chat rooms, offline at a coffee table or on a playground, or through any other means. The attacker wins the confidence of the office personnel and eventually extracts the sensitive information he was after, without the victims ever noticing.
You must have noticed old company documents being thrown into dustbins as garbage. These documents might contain sensitive information such as names, phone numbers, account numbers, social security numbers, addresses, etc. Many companies still use carbon paper in their fax machines, and once the roll is over, the carbon goes into the dustbin, where it may carry traces of sensitive data. Although it sounds improbable, attackers can easily retrieve information from a company's dumpsters by sifting through the garbage, a practice known as dumpster diving.
In most cases, an attacker simply needs to be near you: he can shoulder surf while you are typing sensitive information such as your user ID and password, account PIN, etc.
A phishing attack is computer-based social engineering, where an attacker crafts an email that appears legitimate. Such emails have the same look and feel as those received from the original site, but they might contain links to fake websites. If you are not careful, you will type in your user ID and password and try to log in; the login will fail, but by then the attacker will already have your ID and password and can use them against your real account.
Social Engineering Attack Countermeasures
- You should enforce a good security policy in your organization and conduct the required training to make all employees aware of the possible social engineering attacks and their consequences.
- Document shredding should be a mandatory activity in your company.
- Make sure that any links you receive in your email come from legitimate sources and point to the correct websites. Otherwise, you might end up as a victim of phishing.
- Be professional and never share your ID and password with anybody else, under any circumstances.
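The phishing example above and the advice to check where email links really point can be turned into a simple automated check. The following Python script is an added example, not part of the original tutorial: it parses the links in an HTML email body and flags the tell-tale signs of a lure, namely a visible link text whose domain differs from the real target, a plain-HTTP or raw-IP target, a punycode host, and any target outside an allowlist of expected domains. The `TRUSTED_DOMAINS` allowlist and the sample email are constructed for the demonstration; a real deployment would load the allowlist from configuration and use a public-suffix list rather than the "last two labels" shortcut used here.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (assumed allowlist, constructed
# for this example; a real deployment would load it from configuration).
TRUSTED_DOMAINS = {"example-bank.com"}

# Visible anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Reduce 'login.example-bank.com' to 'example-bank.com' (last two labels).
    Good enough for the demo; real code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host: str) -> bool:
    """True if the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a phishing lure (empty list = clean)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    else:
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (internationalised) host, check for look-alike letters")
        if registered_domain(host) not in TRUSTED_DOMAINS:
            reasons.append(f"target domain '{registered_domain(host)}' is not on the trusted list")
    # The classic lure: the text shows the real site, the href goes elsewhere.
    m = URL_LIKE.match(text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"visible text says '{m.group(1)}' but the link goes to '{host}'")
    return reasons


def scan_email(html_body: str) -> list:
    """Scan every link in an HTML email; returns [(href, text, reasons), ...]."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, analyze_link(href, text)) for href, text in collector.links]


# Constructed sample: one genuine link followed by two typical lures.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="https://example-bank.com/login">https://example-bank.com/login</a><br>
<a href="http://example-bank.com.verify-account.example/login">https://example-bank.com/login</a><br>
<a href="https://192.0.2.10/secure">Click here to unlock your account</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href}")
        for reason in reasons:
            print(f"             - {reason}")
```

Run as-is, the script reports the first link as clean and lists three reasons for the second (plain HTTP, an untrusted target domain, and a visible-text/target mismatch) and two for the third (a raw IP address that is also off the allowlist). The same `analyze_link` function can be wired into a mail gateway or a user-facing "report phishing" tool; the point is that the decision rests on where the link actually goes, not on how the email looks.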