Social Engineering - #CyberSecurity
Image designed by Ichsan Budiman Putra

Hello guys, welcome back to my article. In this article we will talk about social engineering and how to avoid it.

---Before I continue, I want to thank everyone who has subscribed to my newsletter. I will try to provide the best material and presentation for cybersecurity learning in my newsletter, and I hope you enjoy it---


Quoted from the website https://www.cssia.org/: "Social engineering is a broad range of malicious activities accomplished through psychological manipulation of people into performing actions or divulging confidential information. Social engineering, sometimes called human hacking, is a broad category of different types of attacks."

Social engineering is a manipulative practice carried out by a person or group of people with the aim of manipulating others to reveal sensitive information or perform certain actions. The term may sound familiar to some, but social engineering has become one of the common tactics used by cybercriminals to steal personal data, money, or access password-protected systems.

In social engineering, attackers do not break in with technical means such as hacking software or security tools; instead they exploit human weaknesses such as trust, dependence, or ignorance. Social engineering can take the form of fake phone calls, phishing emails, or psychological manipulation in social situations.

Therefore, it is important to understand social engineering and how to protect yourself from these types of attacks. Awareness and knowledge of social engineering can help us recognize fraud tactics and improve the security of our data. So let's explore social engineering in more detail and look at how we can protect ourselves from this kind of attack.

Imagine a shoe thief who wants to steal the shoes you leave outside your house. However, rather than stealing them directly, the shoe thief uses psychological tricks or manipulation to take your shoes without being seen stealing.

For example, the shoe thief wears a work uniform and claims to be a garbage collector. He comes up to you and asks permission to go into the courtyard of your house to pick up the garbage that is there. Since you believe that he is a legitimate garbage collector, you give him permission to enter your yard.

However, once the shoe thief is in your yard, he takes the shoes that are outside the house and runs away without your knowledge. The shoe thief used psychological tricks or manipulation to gain access to your home and steal your shoes.

The same goes for social engineering. Cybercriminals use psychological tricks or manipulation to obtain your sensitive information or take over access to your system. Therefore, it is important for us to understand social engineering and ways to protect ourselves from this kind of attack.

The types of social engineering are as follows:

  1. Baiting -- Baiting uses false promises to entice victims into traps that steal their personal information or infect their systems with malware.
  2. Shoulder Surfing -- Shoulder surfing is looking over someone's shoulder while they are using a computer and visually capturing logins, passwords, or other sensitive information.
  3. Pretexting -- Pretexting is when an attacker builds trust with the victim by posing as a person with an authoritative right to know and asking questions that seem necessary to confirm the victim's identity, but through which they collect important personal data.
  4. Phishing -- Phishing is designed to make victims click on links to malicious websites, open attachments containing malware, or disclose sensitive information.
  5. Spear Phishing/Whaling -- Spear phishing is a more targeted version of phishing, in which attackers select specific individuals or companies and then tailor their phishing attacks to their victims to be less conspicuous. Whaling is when the specific target is a high-profile employee such as a CEO or CFO.
  6. Scareware and Ransomware -- Scareware is when a victim is tricked into thinking their system is infected with malware and receives a false alarm asking them to install software that is not needed or is malware itself. Ransomware is when a victim is prevented from accessing their system or personal files until they make a ransom payment to regain access.
  7. Tailgating -- Tailgating is when an attacker who does not have proper authorization follows a victim with official credentials through a door or other secure building access point into a restricted area.
  8. Dumpster Diving -- Dumpster diving is a technique used to retrieve information that can be used to carry out attacks against individuals, companies, and corporate computer networks. Seemingly innocent information such as phone lists, calendars, or organizational charts thrown in the trash, as well as items such as access codes or passwords, can be used to help attackers apply social engineering techniques to gain access to companies and corporate computer networks.

There are many other social engineering techniques for tricking a target. By knowing the common types, we can recognize them and respond quickly when something like this happens in our environment.

With the types of social engineering explained above, the following stories illustrate several of them.

  1. Baiting -- One day, an employee at a tech company named Alex receives an email from someone claiming to be a well-known journalist. The email contains a request to interview Alex about the latest innovations of the company where he works. Alex is pleased and honored to receive such a request. He answers the email and proposes a time and place for the interview. However, before the meeting takes place, the "journalist" sends Alex another email with a PDF document attached. The "journalist" says that the document is reference material for the interview, and that it is very important for Alex to understand it. Alex, intrigued, opens the attachment and later learns that the document is actually a trojan that has paved the way for the "journalist" to access the computer of the company where he works. In this story, the "journalist" uses baiting to attract Alex's attention and gain access to a system protected by the company he works for. The "journalist" uses the lure of the interview to get Alex's attention, and then takes advantage of Alex's curiosity to make him open a document attachment that is actually dangerous. This story shows how baiting in social engineering works: luring victims with something that attracts attention, or exploiting their curiosity to open something dangerous. Therefore, it is very important that we are always careful and check thoroughly before opening attachments or clicking on suspicious links in emails or messages we receive.
  2. Pretexting -- Anna is a freelancer who has just received a big project from a new client. To complete the project, she needs access to the client company's IT systems to retrieve the necessary data and information. However, a problem arises: the client company's IT systems have strict safeguards and are only accessible to internal employees. Anna tries to contact the client company's IT department to request access, but she is blocked and asked to submit a formal access request via company email. In this situation, Anna resorts to pretexting to gain access to the client company's IT systems. She makes up a false excuse that she is an IT employee of the same company as the client and is working on the same project. She gives false information about the names of employees working in the company's IT department and mentions some technical details that an IT employee would be expected to know. With this false information, Anna manages to convince the client company's IT employee that she is a legitimate employee of the same company. Finally, she is granted access to the client company's IT systems and completes her project. In this story, Anna uses pretexting by making false excuses and providing false information about her identity and background in order to gain access to the client company's IT systems. She manages to convince the client company's IT employee that she is a legitimate employee and is eventually granted access. This story shows how pretexting in social engineering works: making false excuses and providing false information to gain access to sensitive systems or information. Therefore, it is very important that we always exercise caution and check the validity of the identity and requests of people who ask us for access or sensitive information.
  3. Scareware and Ransomware -- Sophie is an avid computer user and always keeps her devices safe. However, one day she receives an email from an unknown person saying that a dangerous virus has attacked her computer. The email asks Sophie to click on a link and download anti-virus software to clean the virus. Sophie, fearing that her computer is infected, immediately clicks on the link and downloads the anti-virus software. However, after the software is downloaded, Sophie realizes that she has been exposed to scareware, a type of malware that shows frightening messages to make users download software or pay a ransom. Sophie panics and tries to remove the scareware, but instead she is infected with ransomware. The ransomware locks all the files on her computer and asks Sophie to pay a ransom so she can access the files again. Sophie feels trapped and does not know what to do. This story shows how scareware and ransomware techniques in social engineering can occur. A computer user who is afraid of viruses believes a fake email saying that her computer is infected with a virus and ends up downloading fake anti-virus software. After that, she is exposed to scareware and ransomware that lock all the files on her computer and demand a ransom so that she can access the files again. This story reminds us that it is very important to always be careful when receiving emails or messages from someone unknown. Don't be easily lured by scary messages, and always make sure that the software you download is legitimate and trusted. Never pay a ransom if exposed to ransomware, because it will only amplify criminal actions and does not guarantee we can get our files back.
  4. Dumpster Diving -- Angga is a young man who is very interested in technology and is always curious about everything related to the IT world. One day, he is walking around an office in the city center when he sees a trash can near the back door of the office. No one is watching the trash, so Angga takes the initiative to look at its contents. In it, he finds several printed documents that have not been shredded. Some of these are financial statements, contract letters, and employee lists. Angga realizes that these documents are very important and should have been kept safely. He takes the documents to his house and reads them one by one. In the financial statements, he finds important information about the company's business plan and highly confidential financial data. After that, Angga realizes that he has done dumpster diving, a social engineering technique that uses garbage to find sensitive and important information. He realizes that the company made a huge mistake by not properly destroying the documents before disposing of them. This story shows how the dumpster diving technique in social engineering can happen. A criminal who wants to find sensitive or confidential information from a company can use the trash bin to search for documents that can still be used. If these documents fall into the wrong hands, the company can lose trust and even suffer financial losses. This story reminds us to always destroy sensitive or important documents properly before throwing them away. Never put important documents in the trash or other unsafe places, because they can be a source of information for criminals who want to commit a crime.
  5. Phishing -- In a small town, there is a girl named Sarah who is very active on social media. She always posts pictures of herself and her daily activities on her Instagram account. One day, Sarah receives a message from someone claiming to be her old friend, Ben. Ben tells Sarah that he has just won a big prize and that she can get it too. However, to claim the prize, Sarah has to fill in some personal information on a specific website. Sarah is very happy to hear the news and immediately clicks on the link provided by Ben. However, when Sarah arrives at the website, she feels that something is not right. The website looks suspicious and there are a lot of annoying ads. Despite this, Sarah still enters her personal information on the site. After that, Sarah is relieved that she has managed to claim the prize. However, a few days later, she discovers that her bank account has been drained. Sarah feels very sad and frustrated, but finally realizes that she has become a victim of phishing. The criminal took her personal information from the website and used that information to access her bank account. This story reminds us that phishing is one of the most common techniques used in social engineering. By manipulating people into providing their personal information, criminals can access sensitive data and take advantage of the situation. Therefore, it is important that we are always vigilant and not easily fooled by phishing tactics that are constantly evolving and increasingly sophisticated.

Social engineering is the practice of psychological manipulation to obtain confidential information or access to systems or networks carried out by criminals or cybercriminals. Here are some ways to avoid social engineering:

  1. Always be careful about providing personal information: do not provide personal information such as your full name, date of birth, phone number, email address, or bank or credit card information to people you do not know or to suspicious websites.
  2. Check the sender's identity: always check the sender's identity before opening a message or email that contains a link or attachment. If you don't know the sender or the email looks suspicious, don't open it or click the link.
  3. Identity verification: if you receive a call or message from someone requesting personal information or access to your system, verify their identity first. You can contact the company or organization the caller claims to represent, using contact details you already trust rather than those given in the message, to confirm whether the request is genuine.
  4. Update software: keep the software on your device, such as your antivirus and operating system, up to date to avoid security vulnerabilities that could be exploited by social engineering actors.
  5. Learn about social engineering: learn how social engineering works and the techniques it uses, so you can recognize and avoid them. You can search for resources online or take cybersecurity training.

By taking these steps, you can help protect yourself from harmful social engineering efforts and avoid losing your important information.
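Tip 2 above (check the sender's identity before trusting a link) and the phishing story about Sarah can be turned into a mechanical check. The following is an added example and not code from the original article: it takes a constructed sample email (examplebank.com and the lookalike domain are made up for this example) and reports the tells the stories rely on, namely a display name that claims a domain the real address does not belong to, a Reply-To that goes somewhere else, link text that shows one site while the href points to another, and pressure language.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases like those in the stories above (fear, urgency, a prize to claim).
PRESSURE_WORDS = ("urgent", "immediately", "prize", "account will be", "verify now", "infected")
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)

def same_site(host, shown):
    """True when host is `shown` itself or a subdomain of it (www.examplebank.com vs examplebank.com)."""
    host, shown = host.lower(), shown.lower()
    return host == shown or host.endswith("." + shown)

def link_mismatches(html):
    """(shown_domain, real_host) for anchors whose text names one domain but whose href goes elsewhere."""
    pairs = re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    shown = [(DOMAIN_RE.search(text), urlparse(href).hostname or "") for href, text in pairs]
    return [(s.group(0), real) for s, real in shown if s and not same_site(real, s.group(0))]

def phishing_indicators(raw_message):
    """Return plain-language reasons an email looks like a phishing lure; [] means no tell was found."""
    msg = message_from_string(raw_message)
    reasons = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    claimed = DOMAIN_RE.search(display_name)  # a brand domain typed into the display name
    if claimed and not same_site(from_domain, claimed.group(0)):
        reasons.append(f"display name claims {claimed.group(0)} but address is @{from_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and not same_site(reply_to.rpartition("@")[2], from_domain):
        reasons.append(f"replies go to {reply_to}, not to the From domain")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for shown, real in link_mismatches(body):
        reasons.append(f"link text shows {shown} but points to {real}")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons

# Constructed sample lure; the domains are made up for this example.
SAMPLE_PHISH = """From: "examplebank.com Security Team" <alerts@examp1ebank-security.xyz>
Reply-To: claims@prize-portal.example
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Verify now at <a href="http://login.examp1ebank-security.xyz/x">https://examplebank.com/secure</a></p>
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` yields four reasons, one per tell; a genuine statement notice from notice@examplebank.com linking to www.examplebank.com yields none.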

In conclusion, social engineering is a form of cyber attack that exploits human vulnerabilities to gain unauthorized access to sensitive information or systems. It can take many forms, such as phishing, pretexting, baiting, or quid pro quo, and it relies on psychological tactics such as trust, fear, urgency, or curiosity.

To defend against social engineering, individuals and organizations need to be aware of the risks, educate their employees and customers, implement security policies and procedures, and use technical solutions such as spam filters, antivirus software, or intrusion detection systems.

By adopting a multi-layered defense strategy, we can reduce the likelihood and impact of social engineering attacks and protect our digital assets and privacy.

Mini E-book:

  1. Indonesian version: Download here
  2. English version: Download here

References:

  1. International Journal of Information and Computer Security
  2. www.cisco.com
  3. www.cssia.org
  4. www.lms.onnocenter.or.id
  5. www.britannica.com
  6. www.ncsc.gov.uk
  7. www.isaca.org

Posted on 2023-03-17

Author: Ichsan Budiman Putra
