Social engineering based frauds are increasing every day and there is no stopping them. And who knows… the next victim could be YOU! So let us make ourselves aware before we become a victim.
So… what is social engineering?
It is the psychological manipulation of people into performing actions or divulging confidential information.
In simpler words, social engineering involves fraudsters or attackers setting traps for targets in order to gain access to sensitive information. It could be via a phone call, an email or sometimes a malicious URL. But social engineering techniques are not limited to just calls, emails or URLs.
Here is a rough representation of a social engineering life cycle.
This is how it happens
The fraudsters exploit the human tendency to trust. Taking the example of call-based frauds, this is how it usually goes.
First, they do some research on you and collect data that is publicly available, perhaps from your social media profiles or from OSINT (open-source intelligence) tools.
Then they call you and feed you your own data, impersonating a genuine person calling from a genuine company, bank etc. Basically, they take you into confidence so that you reveal the other confidential information they need to execute their attack.
And then comes the final step:
Luring the data from the victim, who has now established trust in the attacker and will happily provide sensitive information such as an OTP, PIN or PAN number, and then using that information to execute the attack, e.g. stealing money from your bank account.
Speaking from experience
The other day, I was reading about a scam where the attacker used a call spoofer to steal money from the victim’s bank account. The attacker already had some level of access to the victim’s data, but the bank’s security system got in the way: the bank asked the user to call a specific mobile number to approve the transaction for verification purposes. Hence, the attacker was stuck. So the attacker used a call spoofer to call from the number provided by the bank and left several missed calls on the victim’s mobile. The victim had no idea of this; he just called back that number and inadvertently approved a fraudulent transaction on his own account, unknowingly helping the attacker bypass the bank’s security mechanism.
There are a lot of similar techniques for executing such attacks, the most common being phishing, baiting, spamming etc., and there is no real defense against them other than being alert. We’ll discuss these techniques in the upcoming articles.
Fraudsters these days are smart and to protect yourself from being conned, you just have to be smarter.