Social engineering (or human hacking) is a confidence trick designed to gather the information that will allow an attacker to access a computer system, commit fraud or install malicious software. Persuading a person to hand over a password or to run a program is usually far easier than breaking into the system technically.
There are many ways in which you can be conned into revealing confidential information. All of these techniques exploit ‘bugs in the human hardware’, i.e. cognitive biases in human decision-making or, put simply, our tendency to accept a person or scenario at face value.
Social engineering techniques
There are thousands of ways a hacker can socially engineer a computer user… the only limit is the hacker’s imagination! Here are a few of the most prevalent of these techniques:
Email from a friend
If a malicious person manages to get someone’s email password, whether by social engineering or by hacking, they have access to that person’s entire contact list and can send email to everyone on it.
In this scenario, you receive an email from a friend that contains a link or an attachment. Because the email comes from a friend’s address, you trust it.
So you click the link and are infected with malware that harvests all your contacts and cons them into opening a similar link. At the same time, the malware may install further viruses, worms, key-loggers or a back door on your machine.
An attachment works the same way: you trust it because it comes from a friend, but once you open it the malicious software runs, with much the same result as clicking the link.
The advice is obvious… do not click links or open attachments in an email unless you are expecting them. Read the message carefully. If it does not seem the sort of message your friend would write, in language or content, treat it as a sign that the account has been compromised.
Check with your friend through a different channel, such as a phone call. Do not simply reply to the email: if the account has been taken over, your reply goes to the attacker, who will happily ‘confirm’ that the message is genuine. Also tell your friend that their account appears to be sending mail they did not write, so they can change the password and warn their other contacts.
There are several other types of malicious emails you can receive from a friend’s email address.
A fairly common one is an urgent appeal for help. The email from your friend says that he or she is stuck in a foreign country having been robbed and cannot get home without a quick loan. The email will include details of how to send the money, usually a ‘care of’ (c/o) address.
The obvious way to treat this kind of email is either to delete it (if it looks false) or to phone your friend. If you can only reply by email, ask a question to which only your friend could know the answer, bearing in mind that the attacker is reading the replies to that mailbox.
Another common malicious email is an appeal for a donation to a charity, with instructions as to how the money can be sent. Again, seek clarification from your friend.
Phishing
Phishing is a fraudulent technique for obtaining sensitive information such as access codes, bank account numbers and PINs. A phisher obtains a list of email addresses and sends every address on it an email that appears to come from a legitimate bank, credit card company or other financial institution. These emails take several forms.
The most common is an email asking you to click on a link to confirm or verify certain information (such as your bank or credit card account number and PIN) and threatening dire consequences (such as a suspension of your account) if the information is not provided within a very short time frame. The purpose of the threat is to get you to act before you have time to think.
The website to which you will be taken when you click on the link will look very genuine, a replica of the legitimate website, with all the right logos and content. It may even have a warning about phishing!
Copying the exact format and content of a web page is easy because the source code of any page on the internet is available in your browser. For example, in Firefox click Tools > Web Developer > Page Source, or just press Control+U, and you will see the source code for the page you are on. The source has to be accessible to your browser for it to present the page on your screen, so it is equally accessible to anyone who wants to clone the page. What the phisher cannot copy is the genuine site’s address, which is why the link target matters far more than the look of the page.
Of course, if you click on the link and provide your account number and PIN, you can be sure that your account will be cleaned out in a very short time indeed. This sort of scam relies on fear, fear of being cut off and denied access to your account.
Another common type of phishing email is one notifying you that you are a ‘winner’… because your email address won a special internet lottery or you were the millionth person to click on the site or some similar pretext. However, to claim your prize you will have to prove who you are by sending in your full name, address, telephone, and social services or social security number, which naturally allows your identity to be stolen.
These kinds of emails succeed due to greed… people want what is offered and give away their information even if the pretext isn’t believable.
Other phishing emails ask for support. These phishes ask for a donation towards whatever natural disaster, charity or political campaign is currently in the news. You ‘donate’ by clicking the link to the website and then filling in your credit card number and the amount you wish to give.
However, as soon as you click OK or Submit, your money goes straight to the rogue’s bank account. This kind of con preys on your natural charitable instincts.
Baiting
Baiting is another form of social engineering, based on the observation that if you dangle something people want, many will take the bait. The bait can be on the internet or it can be physical.
Internet baiting schemes are most often found on sites offering a movie or music file for download. They are also found on social networking sites and websites you find using search engines. The schemes also show up on auction sites and as amazingly great deals on classified-ad sites.
In physical baiting schemes, a CD or USB flash drive is left where it is bound to be found, such as a bathroom, elevator or table. If it is a disc, it may carry a corporate logo and a title suggesting that it contains financial or other confidential information… all designed to pique your curiosity and/or greed, so that you insert it into your computer, where either an “auto-run” program or your own curiosity about the files it contains does the rest.
Either way, whether you take the bait on the internet or by inserting a strange disc or flash drive into your machine, you will end up being infected with malicious software that can generate any number of exploits against you and your contacts.
Answers to unasked requests
A favorite trick for a hacker is to choose a company, such as a well-known software company or a bank used by hundreds of thousands of people, and send emails to millions of people, knowing that some of the recipients will be customers.
The email will state that the company is responding to your ‘question or request for assistance’. Of course, if you don’t have a question or don’t need help, you will ignore the email. But some recipients will respond because they do have a question or problem. If you are one of them, you will be happy to respond.
But, of course, the hacker will ask you to authenticate yourself by logging in to their system or to give them remote access to your computer so they can fix the problem or tell you the commands to use so you can fix it yourself. Rest assured, if you follow their instructions, you’ll end up with a back-door in your system through which the hacker can enter later at his leisure and do what he likes.
Have you ever received a phone call from the ‘Microsoft Technical Centre’ telling you that your computer is running slowly because of certain problems? It seems that the sole purpose in the life of this seemingly charitable organization is to help people improve the performance of their computers… all without charge.
Having introduced himself and the ‘MS Technical Centre’, the helpful technician will ask you whether you have problems. If you say ‘yes’, he will ask you to type a few simple commands into your computer. If you say ‘no’, he will also ask you to type a few simple commands into your computer so that you can see for yourself the problems you have. Either way, the commands you type will create a back door the hacker can use later. Social engineering at its most productive!
How can you protect yourself?
There are many ways you can protect yourself from social engineering. The overriding principle, as always on the internet, is CAUTION.
- Think carefully… social engineers want you to act first and think later, so never let their urgency stop you from reviewing carefully before you take an action such as clicking a link or releasing information.
- Be suspicious of unsolicited emails… if one claims to come from a company, look the company up independently (search engine, phone directory) and check that the website and phone number in the email match the genuine ones.
- Don’t send personal information… just delete emails that ask you to confirm personal data. No reputable bank or other financial institution will ever send you an email asking you to confirm your banking details.
- Check website addresses… if an email asks you to click a link, find the company’s real website with a search engine and compare its address with the address the link actually points to. Hovering your mouse over a link (long-pressing it on a phone) shows the real destination (the URL). The part of the address just before the first single slash is the site you will actually reach; the bank’s name appearing earlier in the address, or in the link text, means nothing.
- Stifle your curiosity… if you are not sure, don’t click a link until you have checked with the sender and confirmed it is genuine.
- Stifle your greed… be very cautious with freebies and rock-bottom bargains. Why would anyone spend time and money creating something valuable only to give it away free of charge?
- Never use phone numbers in an email… until you have compared them with the number printed on your card or statement, in the phone book or on the company’s genuine website.
- Don’t download… unless you know the sender personally AND you are expecting a file from them.
- Set your spam filters to ‘high’… you’ll find the spam filters in your email program under the ‘Settings’ option.
- Secure your computer… install anti-virus software, a firewall and email filters, keep them up to date, and apply operating system and application updates promptly.
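The ‘check website addresses’ advice above can be automated. The following Python script is an added example, not part of the original article: it pulls every link out of the HTML of a message, compares the address shown in the link text with the address the link really points to, and flags the tricks phishers use to survive a casual hover-check, namely the genuine name used as a subdomain of the attacker’s domain, a decoy name placed before an ‘@’, look-alike (internationalised) hostnames, and plain mismatches between text and target. The trusted-domain list, the hostnames and the sample message are all constructed for the example.

```python
"""Audit links in an HTML e-mail: where they claim to go versus where they go."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the example: the domains the recipient genuinely does business with.
TRUSTED_DOMAINS = {"examplebank.com"}


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname ('www.examplebank.com' -> 'examplebank.com').
    Sufficient for the example; production code needs the public-suffix list so
    that something like 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(text):
    """Hostname named by visible link text such as 'www.examplebank.com/login'."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "https://" + text
    return urlsplit(candidate).hostname


def classify_link(text, href):
    """Verdict for one anchor: 'OK' or 'SUSPICIOUS: <reason>'."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return f"SUSPICIOUS: scheme {parts.scheme!r} is not a web link"
    if parts.username is not None:
        # Everything before '@' is user info; the browser connects to `host`.
        return f"SUSPICIOUS: text before '@' is a decoy, real host is {host}"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return f"SUSPICIOUS: internationalised host {host!r} may imitate a familiar name"
    real = registrable_domain(host)
    shown = _host_of(text)
    if shown and registrable_domain(shown) != real:
        return f"SUSPICIOUS: text shows {shown} but link goes to {real}"
    if real in TRUSTED_DOMAINS:
        return "OK"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            # 'examplebank.com.evil.example': the trusted name is just a subdomain label.
            return f"SUSPICIOUS: {trusted} is a subdomain of {real}, not the real site"
    return f"SUSPICIOUS: link goes to untrusted domain {real}"


def audit_email(html):
    """Return [(text, href, verdict)] for every link in the message body."""
    return [(t, h, classify_link(t, h)) for t, h in extract_links(html)]


# Constructed sample message imitating a 'verify your account' phish.
SAMPLE_HTML = """
<p>Your account will be suspended in 24 hours.</p>
<a href="https://www.examplebank.com/login">Genuine link</a>
<a href="https://examplebank.com.account-verify.example/login">www.examplebank.com</a>
<a href="https://examplebank.com@account-verify.example/login">https://examplebank.com/login</a>
<a href="https://www.examplebаnk.com/login">www.examplebank.com</a>
<a href="https://account-verify.example/login">Click here to verify</a>
"""

if __name__ == "__main__":
    for text, href, verdict in audit_email(SAMPLE_HTML):
        print(f"{verdict}\n    shown: {text!r}\n    href:  {href}")
```

The fourth sample link uses a Cyrillic ‘а’ in place of the Latin one, which is invisible in most fonts but is a different hostname; the script treats any non-ASCII or punycode (‘xn--’) label as suspicious rather than trying to decide whether the look-alike is benign.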