The acquisition of sensitive information by an outsider through social and psychological manipulation of others to divulge information that is typically delicate in nature, such as access data and passwords, is referred to as social engineering. Social engineers can obtain information from a corporation by establishing trust with the employee or posing as someone willing to assist. They are a type of internet scam that takes advantage of the victim's gullibility, naiveté, and lack of technological skill (Security through education, 2017).
Social engineering is utilized in a variety of situations involving psychological manipulation and vulnerability. The various manifestations of social engineering are phishing, pretexting, tailgating, quid pro quo and baiting are some of the common attacks social engineers use. At this point, it is key to note that according to the definition, social engineering can be done in a face to face meeting as well. However, the procedure and intent are often the same and for purposes of this paper, we shall focus on the online forms of the practice since that is where the prevalence is (Hadnagy & Wilson, 2010).
Phishing attempts involve the sending of an email, message or comment which appears to be legitimate and from reliable sources. For example, the e-mail could come from PayPal including the PayPal logo. This is often convincing for naïve e-mail readers and can fool technicians at the first glance. The reader would then give whatever information “PayPal” asked for including private information and passwords and click on links given which may contain malware.
Pretexting is whereby a person may pretend to be somebody else in order to access information. The social engineer manufactures a scenario or crisis that is likely to compel the individual to believe they are who they say they are. For example, a person on the phone who pretends to be a Microsoft representative may explain to you how yours computer command prompt window is unable to span horizontally across the screen. After which he may ask for your details in order to improve customer experience.
Baiting schemes refer to attackers using a bait which could be a USB flash drive that he or she leaves it somewhere intentionally. If the finder loads it on the computer, it may install malware unknowingly.
How to Protect Yourself from Social Engineering Attacks.
There are several ways through which people, companies, and businesses could protect themselves from social engineers. These are discussed in the subsequent paragraphs.
Avoiding unsolicited emails and phone calls. It is important that an individual does not bother reading unsolicited e-mails and even less clicking on links from unverified e-mails. No information should be given to the solicitors, especially private information. Companies should classify information and create firewalls that prevent the dissemination of various phrases, passcodes, and data from the organization.
Being rigid and slowing down to reply to urgent messages. The attackers create an urgency to the message for you to convey the information needed urgently without looking at several factors, risks or being suspicious about the attacker's scam. When there is a rushed scenario, disconnect the phone or cancel the e-mail (Mitnick & Simon, 2003).
IT departments should often conduct penetration tests to see which areas are at a high risk of social engineering. Security awareness training could also help and enlighten the employees on scams used by the social engineers. This would reduce the attacks and employees would be less likely to become victims of such attacks. Additionally, use of commercial or custom spam blockers and phishing blockers in e-mails and antiviruses can help mitigate the case.
Impacts of Social Engineering on the Individual and Society.
Social engineering has both positive and negative impacts on the society, however, they are largely negative. Some businesses use social engineering tactics to get information from consumers that help them market effectively. This information would positively impact the businesses while competing with each other effectively and the society at large. On the negative part, social engineering can result in turmoil when high-ranking officials in large businesses or government get involved. Sensitive data leaked can compromise large databases that can result in loss of money and jobs. Additionally, social engineering creates fear in the society and fosters a sense of paranoia. People are less willing to help strangers. Methods such as pretexting and phishing can tarnish the names and reputations of the business that are impersonated and subsequently result in expensive image restoration campaigns. Last but not least, there is the positive element where these attacks have pushed software developers to come up with secure software and fro the website vendors to boost their security. This is a positive aspect since it gives the consumers a secure browsing experience.
Conclusion
Social engineering is a concept that often has negative connotations. However, it has helped boost the security of the internet and various software. As much as it is negative, it has had some positive impacts and can be used positively. As a matter of fact, the government can employ this to obtain relevant information from a criminal or cyber terrorist as long as they have the relevant court orders and inside information.
References
Hadnagy, C., & Wilson, p. (2010). Social engineering: The art of human hacking. Wiley: Wiley; 1 edition.
Mitnick, K. D., & Simon, W. L. (2003). The art of deception: Controlling the human element of security. Wiley: Wiley; 1 edition.
Security through education. (2017, February 23). The social engineering framework. Retrieved from social-engineer.org: http://www.social-engineer.org/framework/influencing-others/pretexting/
