What is Social Engineering?
Manipulation, persuasion, nudging and influence are all terms we have heard before. Most of them evoke a dark mood, even in security circles. Many of us will recognize that these terms relate to the human element of security, yet oddly they are not security terms themselves; there is nothing technological about them. Collectively (in the context of security) they describe what most people consider to be Social Engineering.
Broadly defined, social engineering is the psychological manipulation of people into divulging sensitive information or performing desired actions, with or without technology. In essence, it looks like this:
Social Engineering = Psychology + Tech + Decent Acting + Human Error
As much damage as phishing does on its own, the biggest problem is not the technology used but plain, old human error. When done well, you would not suspect that the "representative" explaining that your account was hacked and that she needs your details to verify it is a social engineer. If the person sounds legitimate, chances are you will hand over the information she needs to actually break into your bank account, especially when the call is timed around a real event. Many factors are involved in that example, but the key element is the trust the engineer establishes in order to obtain what she is after. Trust comes easily in some cultures and is harder to gain in others. For instance, it may be harder to trick someone in Shanghai than someone in the USA, given a current tendency in China not to trust strangers, whereas Americans are somewhat more inclined to trust a legitimate-sounding voice.
Types of Social Engineering
Smishing (short for SMS phishing) is an emerging security threat: a technique that uses mobile phone text messages (SMS) to trick victims into taking an immediate action.
People tend to be more inclined to trust a text message than an email. Most people know the risks of clicking links in email, but that awareness is weaker when it comes to text messages.
Smishing is particularly attractive to attackers because it is cheap. A VoIP server, a burner cell phone and a spoofing method are all that is required to send targeted text messages. With applications such as BurnerApp and SpoofCard, it is easy and cheap to obtain a spoofed number to text from.
What are the risks for smishing?
Smishing can lead to visiting a malicious website or calling a fraudulent phone number. The most common risk is downloading a Trojan horse (malware). Such a Trojan can turn the device into a zombie controlled by the attacker. Zombie devices form botnets, which are used to launch denial-of-service attacks, send spam, and so on.
How to protect yourself from Smishing?
- Don't click on links you get on your phone unless you know who sent them. Even if a text with a link comes from a friend, verify it with the sender before clicking, since the friend's device or number may itself be compromised or spoofed.
- Never install apps from links in text messages. Always use the official app store. Stores have review procedures in place to filter out malware and other known threats (not perfect, but far better than a sideloaded package from an unknown link).
- Never give away personal or financial information. If possible, block the suspicious number as well.
- Don't feel pressured into responding to a message or call. Legitimate organizations give you time to react. Only call numbers you already know to be valid (e.g., the bank's number printed on the back of your card).
In general, don't reply to text messages from people you don't know; a reply only confirms that your number is live and in use. That's the best way to remain safe.
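As an added example (not part of the original article), the following Python script turns the red flags above into a simple scoring heuristic and runs it over a few constructed sample messages. The sender numbers, the contact list, the bank name and its domain are all made up for the demonstration; the point is that a link from an unknown sender, urgency wording, a brand name paired with a look-alike domain, a URL shortener, a request for a secret, or an instruction to install something each add to the score, while a genuine one-time-code message is not flagged.

```python
"""Heuristic smishing triage: score an SMS against the red flags listed above.
Added example; all senders, contacts, brands and domains below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SUSPICIOUS_THRESHOLD = 4

# Phrases that manufacture urgency ("act now or lose your money").
URGENCY_RE = re.compile(
    r"\b(?:immediately|urgent(?:ly)?|suspended|locked|act now|verify now|final notice|within \d+ hours?)\b",
    re.I,
)
# A *request* for a secret (verb ... secret), not a mere mention of one, so a
# genuine "your one-time code is 123456" message is not flagged.
SECRET_REQUEST_RE = re.compile(
    r"\b(?:reply|send|enter|confirm|provide|verify|text)\b[^.!?]{0,40}?"
    r"\b(?:pin|password|cvv|card number|one-time code|otp|ssn|social security)\b",
    re.I,
)
# An instruction to install/download something outside the app store.
INSTALL_RE = re.compile(r"\b(?:install|download)\b[^.!?]{0,30}\b(?:app|update|apk)\b", re.I)
# Links with or without a scheme (bit.ly/x, http://host/path).
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


@dataclass
class Verdict:
    score: int
    reasons: list[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _host(url: str) -> str:
    """Return the hostname of a URL, prefixing a scheme if the message omitted one."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def triage_sms(sender: str, text: str, known_contacts: set[str], brand_domains: dict[str, str]) -> Verdict:
    """Score one message; brand_domains maps a brand keyword to its official domain."""
    score, reasons = 0, []

    def flag(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if sender not in known_contacts:
        flag(1, "sender not in contacts")
    hosts = [_host(m.group(0)) for m in URL_RE.finditer(text)]
    if hosts:
        flag(2, "contains a link")
    for host in hosts:
        if host in SHORTENERS:
            flag(2, f"link uses a URL shortener ({host})")
    lowered = text.lower()
    for brand, official in brand_domains.items():
        if brand in lowered:
            for host in hosts:
                # A look-alike domain: mentions the brand but links elsewhere.
                if host != official and not host.endswith("." + official):
                    flag(3, f"mentions {brand} but links to {host}, not {official}")
    if URGENCY_RE.search(text):
        flag(2, "urgency language")
    if SECRET_REQUEST_RE.search(text):
        flag(3, "asks for a secret (PIN/password/code)")
    if INSTALL_RE.search(text):
        flag(2, "asks to install software from a link")
    return Verdict(score, reasons)


# Constructed sample data.
CONTACTS = {"+15550100"}
BRAND_DOMAINS = {"examplebank": "examplebank.com"}
SAMPLES = [
    ("+15550199", "ExampleBank: your account has been suspended. Verify now at http://examplebank-secure.xyz/login"),
    ("+15550100", "Hey it's Dana, running late, see you at 7"),
    ("+15550142", "Your phone has a virus. Download the security update from bit.ly/3xyz9 now"),
    ("ExampleBank", "Your one-time code is 482913. Do not share it with anyone."),
    ("+15550177", "This is your bank. Reply with your PIN to unlock your card."),
]


def triage_samples() -> list[Verdict]:
    return [triage_sms(sender, text, CONTACTS, BRAND_DOMAINS) for sender, text in SAMPLES]


if __name__ == "__main__":
    for (sender, text), verdict in zip(SAMPLES, triage_samples()):
        label = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{label:10}] score={verdict.score} from {sender}: {text}")
        for reason in verdict.reasons:
            print(f"             - {reason}")
```

The scoring is deliberately additive rather than a single rule, because each of the red flags on its own has benign explanations (a friend does send links, a bank does send one-time codes); it is the combination of an unknown sender, pressure and a link or a request for a secret that marks a message as smishing.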
Vishing combines the words "voice" and "phishing". It refers to phishing scams carried out over the phone: individuals are tricked into revealing critical financial or personal information. Vishing works like phishing but does not necessarily involve the Internet; it is carried out using voice technology.
Commonly used techniques:
- Skilled scammers have everything in place to sound legitimate:
  - Right information: they already have your name, address, phone number and bank details; in fact, all the information you would expect a genuine caller to have (often gathered from earlier breaches or phishing).
  - Urgency: you are made to believe your money is in danger and that you have to act quickly. Fear leads people to act without thinking.
  - Caller ID spoofing: the phone number appears to come from somewhere else, so you pick up already believing the caller because the number looks convincing.
  - Business atmosphere: you hear background noise so it sounds like a call center rather than a guy in a basement. The scammers either run a real call center or play sound effects.
- If the victim falls for the scam and provides personal information, he or she usually ends up a victim of identity theft.
How and why is it so easy?
Vishing attacks are hard to trace because they mostly use VoIP (Voice over Internet Protocol): the call originates from a computer that can be located anywhere in the world and is routed through one or more intermediate carriers before it reaches the victim's phone.
And how does your telecom company's or bank's number show up on your Caller ID when the call actually comes from an attacker? They "spoof" it. Services such as Spoofcard and Burner (a mobile app) let you set the number that whoever you are calling sees; you can display any number you want. Caller ID is a value asserted by the originating party and, absent STIR/SHAKEN attestation from the carriers, the receiving network does not verify it, which is why vishing calls can look perfectly legitimate on a person's Caller ID. Spoofing numbers is sometimes legal (privacy, a business displaying its main switchboard number, etc.) and sometimes not (fraud, etc.), depending on regional laws and regulations.
How to protect yourself from Vishing?
- Never call back the number given to you or displayed on your Caller ID (unless it is a number you already know, e.g. a friend or relative). Take the time to look up the organization's legitimate number and call that instead.
- Never give out personal information to anyone who calls you. This goes for any type of request for personal information. Legitimate companies do not ask for your social security number, national ID number, credit card number or PIN over the phone.
- Hang up if you get a suspicious call. Before calling the company's legitimate number, do a bit of research on the Internet; other victims may already have reported the same scam.