Social Engineering Attack

Category:

Description

Social Engineering Attack

There are varying definitions of social engineering, which are determined by how an attack may have expressed itself and the experience of the person defining it. The key ingredient in all definitions is the fact that social engineering involves deception. The attacker achieves this by presenting themselves as trustworthy persons. In other instances that may encompass phishing attack, they trick the user using a correspondence that seems non-threatening or for useful purpose when in reality it is meant for accessing sensitive information. Kumar and Kumar (2015) define social engineering as the practice of ricking or manipulating individuals to perform actions that will expose confidential information. The authors point out that the term is used to describe deception or trickery which is carried out with the intention of accomplishing fraud, identity theft, gathering information, or gaining unauthorized access to computer system. Social engineering carried out in the process of interpersonal interaction is facilitated by the existence of direct communication such as the use of a phone. In other cases, the attacks involve contact through electronic means such as the internet, email, or other forms of electronic media.

Schoeman and Irwin define (2012, define social engineering as the practice of accessing sensitive information or system without authorization. For instance, the attacker may have access to passwords by exploiting his relationship and trust with the individuals that have that information. Thus, it is a case where a social engineer gains an advantage by exploiting others based on human psychology. For instance, an attacker may a place a computer’s physical device that is infected by malware in a place where it can be found easily. Eventually, a person will pick and installs it onto his computer. Without knowing, the individual installs the malware. In other cases, attackers have successfully used phishing. Here, a fraudulent email is sent out maliciously. It is usually hard to discover it since it is disguised as an email sent by a trusted source. In most cases, the receiver is tricked to open a link that contains malware, or to share financial information.

According to Gulati (2003), social engineering results in an immense impact on the financial and social well-being of individuals and companies. According to him, information security is vital if any organization is to sustain its business operations. The economic cost that is incurred following an attack is disastrous to both individuals and groups. The author notes that in 2002, companies in the US lost approximately $266. According to Computer Security Institute that is based in San Francisco, the amount doubled the total loses that had been incurred in the previous four years. The development has forced individuals and organizations to seek services of insurers to cover the losses incurred due to security breaches. Additionally, social engineering carries the potential to destroy the reputation and goodwill of both individuals and organizations, resulting in substantial costs (Kumar & Kumar, 2015). For instance, an attacker can obtain crucial credit card information from customers through online vendors. If the affected individuals discover that their data has been accessed illegally, they would prefer not to carry out any more transactions with such a vendor since such an attack would make the site appear insecure. In most cases, social engineering has resulted in lawsuits, which destroy company’s reputation and decrease the number of customers.

PayPal, which is a world-wide company that offers online payment, was affected by social engineering. The company requires its customers to open an account. During this process, individuals give their personal information including their names and addresses. Additionally, their accounts must contain details about their bank accounts and credit cards. This enables them to handle real money, which is usually funds that have been sent or received. PayPal account holders are not required to share their login details with other people since if this information falls into the hands of fraudsters, personal information would be stolen and loss of money incurred. In 2002, however, attackers sent email to all PayPal account holders, asking them to re-enter data on their credit card (Gulati, 2003). Allegedly, one of the company’s computer systems had experienced some trouble, and the process was necessary for verification of this information. Customers could not suspect anything due to the actual appearance of the e-mails. The security lock symbols, typefaces, and PayPal logs used indicated that the emails were honest. However, most of the customers lost all the money in the accounts upon providing the requested information.

To identify solutions that are comprehensive and most effective, factors that contribute to the success of social engineering attacks have to be analyzed. Initially, there was limited knowledge available about attack vector (Alexander, 2016). Remedial actions were also few. Today, however, several technical solutions have been developed for compacting social engineering. Despite this, humans have become the weakest link. An increasing number of individuals are growing more prone to these attacks. According to Alexander, people working for various organizations have been manipulated to release sensitive information. Management solutions would, therefore, form the best solution to the problem. IT departments should be given the responsibility to apply social engineering techniques in carrying out regular penetration tests. The method would place administrators in a better position to identify users that are likely to pose a threat, Moreover; they would quickly recognize those employees that need to receive additional training. Most of the social engineering attacks could also be prevented through securing awareness training.

 

References

Kumar, A., Chaudhary, M., & Kumar, N. (2015). Social engineering threats and awareness: a survey. European Journal of Advances in Engineering and Technology, 2(11), 15-19.

Schoeman, A. H. B., & Irwin, B. V. W. (2012). Social recruiting: a next generation social engineering attack. Journal of Information Warfare, 11(3), 17-24.

Gulati, R. (2003). The threat of social engineering and your defense against it. SANS Reading Room.

Alexander, M. (2016). Methods for understanding and reducing social engineering attacks. SANS Reading Room