Social Engineering, a Cyber Crime Waiting to Happen

By Amine Mekkaoui

Filed under: Risk Management and Information Security Blog


More than ever, companies today communicate with their employees, vendors, and clients through online apps. Not everyone who uses these apps is technologically sophisticated, and this is where cyber criminals take advantage and do what they do best: find vulnerabilities and a weak link that will get them access to confidential and personal information.

One way to accomplish this is by using a method called “Social Engineering”.

WHAT IS SOCIAL ENGINEERING?

According to the University of Delaware, SOCIAL ENGINEERING is essentially influencing or manipulating another person into handing over personal data or information about a person or a company, by pretending to be someone the individual or company has a relationship with. It is usually done over the internet or through any device, by e-mail, or even by phone calls and text messages.


Most users choose simple, easy-to-remember passwords for the critical online applications they use daily. Additionally, our personal information is readily available on the net. Our social media posts and public records can be stitched together into a profile of us, including where we live, our phone numbers, email addresses, the friends we know, the names of our kids, our parents' names, and the places we previously lived. Hackers can use this information as a first step in approaching their victims and extracting access to their bank accounts and/or their business or employer's applications.

HOW DOES THIS WORK?

With today’s work-from-home revolution, where most transactions happen online, companies are at risk. Social engineers have every advantage, especially when companies are not prepared and well protected.

Social engineers are experts at exploiting a person’s willingness to trust. Banks and financial companies are common targets, since money is usually what they are after. And in order to get it, they need to gather personal information about those companies’ clients.


Joan Goodchild, a journalist from California who writes about security and technology, further explains in her article entitled ‘Social Engineering Tricks That Fool Unsuspecting Employees’ that social engineers gain the trust of clients by pretending to be employees of a company. Social engineers take time to learn the so-called ‘work lingo’ in order to fool a client and appear legitimate while asking for personal information, which the social engineer then uses to get at the victim’s data held by that agency or company, or, in the case of a bank, the victim’s money.

Social engineers may fool not just clients but also other employees, by pretending to be one of them: working their way into the company’s domain and learning the company’s protocols and routines so as to pass as an insider. They will ask their ‘fellow employees’ for help, posing for example as an auditor or a law officer who needs access to private information, and the employee will unknowingly help them take care of the matter.

Statistically speaking, according to a study by The Radicati Group in 2019, there are about 3.9 billion active email users around the world, and the figure is expected to have grown further in the months since. This is supported by Clement, a known internet and e-commerce researcher, who reports that email usage over the years 2018-2023 was projected to grow by 2-3%, which may imply an increase to 4.48 billion email users in 2024.

These are not mere numbers; they are the number of email users who may be considered at risk, most of whom are professionals and employees.

HOW CAN I PREVENT THIS FROM HAPPENING?

If you are part of a company handling business information:

a.)   Be aware of and suspicious of anyone calling or emailing who claims to have a business contact with one of your company’s employees in order to garner information. Double-check your client/vendor list to verify the person’s identity and confirm it with the employee. An example of this kind of communication would be: “Hi, I am John Doe, and I was hired by your CFO Jane Doe, who gave me your contact information to fix a database issue on your accounting application. Can you please help me get access so I can take a look?”

b.)   Do not provide information about the company you work for unless instructed to by your employer. Such requests commonly come through calls to call center companies, or from people who pretend to need the information through customer service. The company may also enforce strict security controls to protect and verify the identity of its employees.

c.)   Be aware of suspicious emails from people who pretend to have a business relationship with your employer as a vendor or a client, using what look like legitimate emails from known companies, including banks and credit card issuers. If you don’t know who’s emailing you, don’t give out any information unless you have verified the sender with your manager.
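The checks in points a.) and c.) above (does the sender really belong to a known client or vendor, and is the message pushing for access?) can be partly automated before a human verifies with the employee or manager. The following Python script is an added example, not code from the original post or its author: it parses a constructed email, compares the sender’s domain against a constructed list of known partner domains (`KNOWN_PARTNER_DOMAINS`), flags lookalike domains and a mismatched Reply-To, and looks for urgency and credential-request wording. The domain names, the two sample messages and the keyword lists are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains of clients/vendors the company actually does business with.
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "examplebank.example"}

# Wording typical of pressure tactics and of requests for access (assumed keyword lists).
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I)
ACCESS_WORDS = re.compile(r"\b(password|credentials|login|access|account number)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, known=KNOWN_PARTNER_DOMAINS):
    """Return the known domain this one imitates (within two edits), or None."""
    for candidate in known:
        if domain != candidate and edit_distance(domain, candidate) <= 2:
            return candidate
    return None


def assess_message(raw_message):
    """Return (verdict, findings) for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_domain = domain_of(reply_to) if reply_to else from_domain

    # Red flag 1: sender is not a known partner, or imitates one (e.g. a swapped character).
    if from_domain not in KNOWN_PARTNER_DOMAINS:
        imitated = lookalike_of(from_domain)
        if imitated:
            findings.append(f"sender domain {from_domain} resembles known partner {imitated}")
        else:
            findings.append(f"sender domain {from_domain} is not a known client or vendor")
    # Red flag 2: replies would go somewhere other than the apparent sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Red flags 3 and 4: pressure to act now, and a request for credentials or access.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY_WORDS.search(text):
        findings.append("message uses urgency language")
    if ACCESS_WORDS.search(text):
        findings.append("message asks for credentials or access")

    verdict = "verify with the employee/manager before replying" if findings else "known contact, no red flags"
    return verdict, findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: John Doe <john@acme-supp1ies.example>
Reply-To: john.doe@mail-relay.example
To: helpdesk@yourcompany.example
Subject: Database issue on accounting app

Hi, I was hired by your CFO Jane Doe to fix a database issue on your accounting
application. Can you please send me the login so I can take a look right away?
"""

KNOWN_CONTACT = """\
From: Accounts <billing@acme-supplies.example>
To: helpdesk@yourcompany.example
Subject: Invoice 1042

Please find this month's invoice attached. Let us know if anything looks off.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, KNOWN_CONTACT):
        verdict, findings = assess_message(sample)
        print(verdict)
        for finding in findings:
            print("  -", finding)
```

The script is a triage aid, not a decision: a message that passes every check still gets the human confirmation the post recommends, and a message that fails any of them goes to the manager or the named employee before anyone answers it.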

If the information which may be at risk is yours:

a.)   In many cases, online applications offer a double (two-factor) authentication feature to access your app using information that will be provided by you and you alone. This could be a code you receive via a text or voice message to the phone registered in your account profile for that application, which you will need to enter to authenticate and get access to your app.

b.)   Be careful about giving out your information. If you are pressured to give information, be suspicious and deny the request unless you can confirm the requester’s identity with someone you know and trust.

c.)   Sometimes even ordinary phone calls may be used to track down your information, so be alert and vigilant when taking such calls or answering text messages that request your personal information.
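Point a.) above describes the second step of a two-step login: a short code is sent to the phone registered on the account and must be entered before access is granted. The Python class below is an added example of what the server side of that step typically has to get right; it is not code from the original post or from any particular application. It assumes an in-memory store, a five-minute code lifetime (`CODE_TTL_SECONDS`), a limit of five guesses (`MAX_ATTEMPTS`), and an injectable clock so expiry can be exercised. The `issue` method returns the code only so that the example can be run stand-alone; in a real system the code is sent out of band by text or voice and is never returned to the browser.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of one code (five minutes)
MAX_ATTEMPTS = 5         # assumed guess limit before the code is discarded


def _digest(salt, code):
    """Salted hash of a code, so the store never holds the code itself."""
    return hashlib.sha256(salt + code.encode()).digest()


class OneTimeCodeStore:
    """Issues and verifies one-time codes for the second step of a login."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # user -> {salt, digest, expires, attempts}

    def issue(self, user):
        """Create a fresh six-digit code for the user, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random, zero-padded
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # Returned here only for the stand-alone demo; a real service sends it by SMS/voice.
        return code

    def verify(self, user, submitted):
        """Return (accepted, reason). A code is single-use, time-limited and guess-limited."""
        entry = self._pending.get(user)
        if entry is None:
            return False, "no code pending"
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False, "code expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # A six-digit code has only a million values; without a cap it can be guessed.
            del self._pending[user]
            return False, "too many attempts"
        # Constant-time comparison of hashes, so timing does not leak matching prefixes.
        if hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted)):
            del self._pending[user]       # single use: the same code cannot be replayed
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("code sent to alice's registered phone (demo only):", code)
    print("wrong guess:", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code:", store.verify("alice", code))
    print("replay of same code:", store.verify("alice", code))
```

The three properties that matter to the reader of the tips above are visible in `verify`: the code expires, it stops working after it is used once, and it stops working after a handful of wrong guesses. Any application offering the feature is only as strong as those rules, which is why the code should be typed only into the application that sent it and never read out to a caller.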

Social engineering is just one of the many threats that we have today, especially with our current environment. With awareness and knowledge about cybercrime tactics, we can always be one step ahead in protecting our personal information and our companies.

Do you need more information about this? Let’s chat and talk about the struggles we have in the industry and how we can work together to move forward and survive these struggles.

In our next blog, I will be discussing a new trend among social engineers – typosquatting. As for now, beware and never fall victim to online fraud and cybercrime.
