Social Engineering: The Attack on Human Brain and Trust

What is Social Engineering?

The best and easiest definition of the term Social Engineering is :

“Social engineering is lying to people to get information.” 

Social engineering is act of manipulating a person to take any action that may or may not be in “target’s” best interest. This may include obtaining information, gaining access, or getting target to take a certain action. It is art of manipulating and misleading people. A phone call with a survey or some quick research on Internet can yield a birthday date or anniversary date, and armed with this information. This information is enough to build a password attack list. Plus, a dozen sites offer detailed records of all sorts of personal information on an individual for a mere INR 100 – INR 3000 or more than this. It doesn’t involve use of technical hacking techniques. Only thing which is compromised is human brain and trust. 

Social Engineering Phases :
There are 7 phases in a total of Social Engineering Attack.

1. Identifying the goal – 
   First phase consists of Attack formulation and in accordance, identifying target necessary to fulfill goal.
2. Information gathering –
   In this phase, social engineers assess and identify potential information sources and begin information gathering and assessment.
3. Preparation –
   In this phase, social engineers analyze information and develop an action plan and methodology to begin approaching the target.
4. Establishing a relationship –
   In this phase, social engineers establish a line of communication and begin to build a relationship.
5. Exploit the relationship –
   In this phase, the target is “prepped”. The exploitation stage uses different methods of misleading to evoke right type of emotions and prime the target to right emotional stage.
6. Debrief –
   In this phase, social engineer returns to victim and maintains desired emotional state. The goal is that the victim will not feel like anything in relationship was odd, and they will not understand that they have been under attack.
7. Goal Satisfaction –
   After a successful social engineering attack, social engineers will exploit information they have gathered. After social engineering attack, the social engineer will either return to the victim for more information or slowly close relationship.

Understanding Social Engineering Attack with Real-world example :
Imagine if you could simply transfer INR 1000 to an investor and see this grow into INR 10,000 without any effort on your behalf? Cyber criminals use basic human emotions of trust and “greed” to convince victims that they really can get something for nothing. A carefully worded baiting email tells victims to provide their bank account information and funds will be transferred the same day.

This is just 1 example, but there are various types of situations and scenarios through which you and your privacy can be compromised within a few seconds.

Emotions used to perform Social Engineering Attack :

1. Fear
2. Greed
3. Curiosity
4. Helpfulness
5. Urgency etc.

How to Stay Protected Against Social Engineering ?

• The most important things you need to be safe from this are education, skepticism, and consistency in training. The education phase consists of understanding different techniques used by social engineers and making sure you give out information online with caution.
• The second matter, skepticism, is about building a state of mind where one can practice smart caution when receiving emails or talking with people online.
• The third thing is most complex to follow through, as to prepare against social engineering attacks, you would need to encounter them in real life as well.
• By using a people-centric approach to security awareness training that uses phishing simulations, engaging and relevant content, and an understanding of human nature – you can stay protected against social engineering attacks.