BW Businessworld

Understanding Social Engineering For Company Safety

A little awareness will save companies from being scammed. Social Engineering fails before your intelligence.


The online world can be a curse for any company that is not careful. One danger goes by a term many have never heard: Social Engineering. Understand it to tackle it well.

"Social" refers to socialising, and "engineering" to a structured methodology, an engineered approach to obtaining information. Communication generally means socialising without a purpose. In Social Engineering, communication happens with the sole aim of obtaining information with harmful intent. It manipulates a company into handing over important information, which criminals then use for any nefarious purpose. Any company knows the repercussions.

Social Engineering is usually not a negative concept as such, since it gathers useful information at an unconscious level. The broader meaning is exactly the opposite. Here criminals take advantage of your trust without your knowledge and find a way to get hold of the company's important information.

The methods used are interesting. Phishing is a cybercrime that uses vectors such as email and social media. In Spear Phishing, the target is a particular part of an organisation, depending on the criminal's need; new employees are mostly targeted here. Whaling targets high-profile employees who hold sensitive information. In Vishing, calls are made in which the attacker masquerades as someone important. Baiting, pretexting and scareware are a few of the other tactics used.

On an individual level, if someone wants to know your favourite colour in order to use it for some purpose, it happens at two levels. The first is the indirect, generic approach. The victim is asked simple indirect questions for information, from their favourite food joint or food and everything in between. The main question is then slipped in indirectly: the colour question is asked as the preferred colour of dress to wear on important occasions. The second approach, direct yet subtle, puts forth general questions and then slips in the direct question in an unsuspecting, subtle way so that it looks normal and harmless. Regular communication in Social Engineering takes place as a slow yet structured process.

Ignoring Social Engineering can be a costly affair. If a criminal wants to hack into a company account handled by someone higher up, the criminal tries to get the concerned person's information by socialising. The victim is someone with minimal outside contact, so personal details will not be readily available. If a criminal wants to hack any person's details, socialising would be the first approach. The hacker researches the person for a point of interest and eventually meets him armed with those details. Social Engineering gathers details without letting the victim know and then uses them against the victim.

To understand Social Engineering attacks in detail, read the Verizon 2019 Data Breach Investigations Report (DBIR) carefully. It includes analysis of 41,686 incidents from 86+ countries, with around 2,000 confirmed reports. Around 33% were attacks that succeeded because of a failure by companies or by the people in them. In any kind of business, the prime targets are mainly the C-suite: the CEO, CFO, COO or CIO. Their chances of being attacked are higher because their security privileges are at the highest level.

The 2016 Snapchat app data breach saw the payroll data of current and former employees compromised. A small-time attacker used the simplest tactic: trust. He claimed to be the Snapchat CEO and, via email, tricked an employee into handing over the information. The attack compromised 700 employees' information, including their Social Security numbers and wage data. This use of trust to fool someone is called a Business Email Compromise (BEC) attack.

People and motive are interlinked. Anyone with a wish to inflict collateral damage on an organisation, for whatever purpose, can use Social Engineering. The motive can range from personal enmity against the company to a hired hacker breaching the company's accounts to obtain details for rivals. Being aware of these attacks, rather than the motive behind them, is the crucial factor.

Social Engineering follows a life cycle, called the Social Engineering Life Cycle and abbreviated IHPE. The first step, I, is Investigation. Here the ground for the attack is built: victims are identified for communication, and information is gathered to establish common ground of interest. Attack methods are selected, whether verbal or non-verbal communication. A face-to-face meeting is useless as the first contact. Next is H for Hook. The hacker uses a hook to trick the victim and gain a footing, engaging the target with a story built around common topics of interest. Information is thus gathered. Next is P for Play: the information is used to execute the attack. The last step is E for Exit, in which the interaction is closed without arousing suspicion, with steps such as covering tracks, avoiding suspicion and removing the approaches used in the attack.

Tackling Social Engineering is important. With companies using technology for everything, the chances of Social Engineering attacks are higher. And not every attack uses one-to-one communication. Attackers get friendly with the concerned person to obtain information. They can learn corporate language to extract details. Duplicating a phone number can fool people. Such attackers also use social media to gather organisational information. The methods are countless.

So, be careful about clicking on any communication such as emails or text messages. Email hijacking has become common these days: attackers send compromised emails from a valid sender that affect your computer. Check with the sender before opening them.
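A defender-side check for the executive-impersonation pattern behind the Snapchat BEC case and the "check with the sender" advice above: a display name that claims to be an executive on a message from an outside domain, a mismatched Reply-To, and urgency wording in the subject. This is an added example, not code from the article; the company domain, executive names and both sample messages are constructed.

```python
"""Flag executive display-name impersonation (BEC) in raw email headers."""
import email
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-corp.test"                  # assumption: our own mail domain
EXECUTIVES = {"jane doe": "CEO", "raj patel": "CFO"}  # constructed names, not real people
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "right away")

# Constructed sample: outside domain, free-mail Reply-To, urgent payroll request.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-corp-mail.test>
Reply-To: payroll-request@freemail.test
Subject: URGENT: need the W-2s for all staff today
To: hr@example-corp.test

Can you send me the payroll data for all current and former employees? -Jane
"""

# Constructed sample: same executive, but sent from the company's own domain.
LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.test>
Subject: Board deck review
To: hr@example-corp.test

Thanks for the update.
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> List[str]:
    """Return the reasons a message looks like executive impersonation (empty = clean)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = EXECUTIVES.get(name.strip().lower())   # role the display name claims
    reasons = []
    if claimed and _domain(addr) != COMPANY_DOMAIN:
        reasons.append(f"display name claims {claimed} but From domain is {_domain(addr) or 'missing'}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain {_domain(addr)}")
    subject = msg.get("Subject", "").lower()
    if claimed and any(word in subject for word in URGENCY_WORDS):
        reasons.append("executive name combined with urgency wording in subject")
    return reasons

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(sample) or ["no indicators"])
```

A hit on any indicator is a reason to verify out of band, as the article advises, not proof of an attack; a CEO genuinely mailing from a personal address would trip the first check.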

Keep a sense of alertness. Spammers want you to act first and think later. In the case of fishy urgent messages or high-pressure tactics, don't let the urgency overshadow your carefulness. Research any message, tactic or website.

Since Social Engineering techniques are ever developing, keep yourself and others updated on the latest scams. Check your inboxes for suspicious emails; delete them and inform others about them too. Install firewall settings, spam filters and antivirus software. Make sure your employees recognise the latest threats, security awareness practices and forms of Social Engineering. Up-to-date backup software is ideal. Regular training programmes are a must for employees at every level. Social Engineering kits help organisations avoid becoming victims of such attacks.

Unsolicited communication must be set aside and scrutinised, directly or indirectly, at the social or digital level. Social Engineering attacks usually happen in this manner: unwanted and unsolicited messages are always initiated by an unknown sender. You need to know everything, from how the person got your number to the crux of the message sent.

India is seeing cases of Social Engineering. Earlier, one assumed it was hacking or an account being compromised; most were unaware of being victims of Social Engineering. Thanks to technical advancement, awareness is increasing. The Ministry of Home Affairs has recently made people aware of it by highlighting the term and its methods.

A little awareness will save companies from being scammed. Social Engineering fails before your intelligence.


Prathamesh Sonsurkar

The author is a cybersecurity expert and an ethical hacker who works very closely with the Mumbai Police department, and the founder of WhiteHack OPC.
