Social engineering is the technique of persuading and deceiving a victim in order to obtain sensitive and confidential information. The attacker impersonates a trusted party over email, SMS or phone call (known as phishing, smishing and vishing respectively), or gathers information by shoulder surfing and dumpster diving. Rather than scanning a system for a vulnerability to exploit, the social engineer relies on communication skills and tools to win the victim's trust, using phone calls, SMS, email, instant messaging and other communication channels available on the internet to trick the victim into handing over the targeted information.
The attacker first builds trust between the social engineer and the primary victim, so that whatever actions are requested during the communication are taken at face value. Establishing such a trust relationship can lead the victim to release sensitive and confidential information, and can give the attacker unauthorized access to an information system without detection.
Classification of Social Engineering
Human Based Social Engineering: Human-based social engineering is person-to-person communication, typically initiated by SMS or phone call, used to obtain the intended information. The social engineer may impersonate an employee or technical support person of the target organization, posing as a current, valid member of staff. The social engineer can also attack the organization's customers by posing as customer service, support or a security technician. Shoulder surfing is a technique for stealing confidential information by standing behind a victim and watching over their shoulder while they log in to an account. Dumpster diving refers to searching through trash to find useful information: going through a victim's or organization's bins can recover written documents, used tapes or CDs, expired ID cards or credit cards, and similar items, from which useful information can be gathered.
Computer Based Social Engineering: Computer-based social engineering uses computers and internet services, including but not limited to email and instant messaging, to persuade and deceive the user into releasing the target information. The social engineer may send a spoofed email or a fake security notification stating something like 'We noticed unusual activity on your account; it is advisable to change your password. Click this link to change your password now.' Messages of this kind are sent to steal passwords: the link directs the victim to an attacker-controlled page that asks for the current password and then a new one. The social engineer can also send an email persuading the victim to download a file, which may turn out to be a harmful program such as a virus, worm or Trojan.
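The spoofed notification described above can be screened mechanically. The following Python script is an added example, not part of the original article; it parses a constructed sample message (the addresses, domains and URLs in it are invented for illustration) and flags the signs a practitioner looks for: a Reply-To that does not match the sender, urgency wording, link text that shows one domain while the href points to another, and a password-reset link that is not under the sender's domain. The registrable_domain helper is a deliberate simplification (last two labels) and would need a public-suffix list in real use.

```python
"""Heuristic screen for the spoofed 'change your password' email.
Added example; the sample messages below are constructed, not real."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing sample of the kind the article describes.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <security@example-bank.com>
Reply-To: support@example-bank-alerts.net
To: victim@example.org
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity on your account, it is advisable to change
your password. Click this link to change your password now:</p>
<p><a href="http://example-bank.com.account-verify.net/reset">https://www.example-bank.com/security</a></p>
</body></html>
"""

# Constructed benign sample for contrast: same sender, no tricks.
LEGIT_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available under Documents after you sign in
at https://www.example-bank.com/ as usual.
"""

URGENCY_PHRASES = ("unusual activity", "unusual action", "change your password now",
                   "verify your account", "suspended")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumption for the example only;
    real code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the first address in a header, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else None


def extract_links(html):
    """(display_text, href) pairs for every anchor in an HTML body."""
    pairs = re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)
    return [(re.sub(r"<[^>]+>", "", text).strip(), href) for href, text in pairs]


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Replies silently routed to a different domain than the visible sender.
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if from_dom and reply_dom and registrable_domain(reply_dom) != registrable_domain(from_dom):
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Pressure wording in subject or body (first match is enough).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: '{phrase}'")
            break

    # 3. Links: displayed URL vs real target, target vs sender domain, scheme.
    for display, href in extract_links(text):
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        display_host = urlparse(display).hostname if display.startswith(("http://", "https://")) else None
        if display_host and registrable_domain(display_host) != registrable_domain(href_host):
            findings.append(f"link text shows {display_host} but points to {href_host}")
        if from_dom and registrable_domain(href_host) != registrable_domain(from_dom):
            findings.append(f"link host {href_host} is not under sender domain {from_dom}")
        if parsed.scheme == "http":
            findings.append(f"plain-http link to {href}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample) or "no findings")
```

Run stand-alone, the constructed phishing message yields five findings (mismatched Reply-To, urgency wording, and three about the link), while the benign statement notice yields none. The deciding check in practice is the third group: the displayed URL in the message is the bank's, but the href host ends in a domain the bank does not own, which is exactly how the fake password page described above is reached.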
Social engineering exploits the trust of people, who find it hard to doubt someone in the middle of a conversation. Every organization or service provider has a support or customer service team through which users seek assistance or report issues; it is important for a computer or service user to verify a request once or twice by redirecting the communicated issue to the technical support of the same organization or service provider, through a contact channel already known to be genuine, before responding or releasing information. Lack of security awareness among individuals has caused many organizations huge financial losses.