Multimatics Insight

What Makes People Easily Fooled by Social Engineering

We live in today’s digital era where technology and cyber security are advancing in the blink of an eye. However, little did we realize that we are now more exposed than ever before. Our personal information can be accessed easily through our social media, or even from internet search engines. Social rather than technical penetration attacks are currently one of the most well-known and successful attacks, and they are so successful that these exploits support most cyber-attacks.

Get Deeper about Social Engineering

Social engineering, according to Conteh & Schmick (2016), is "the design and application of deceptive techniques to deliberately manipulate human targets". In the context of cyber security, it is typically used to persuade victims into disclosing private information or taking actions that violate security protocols, unintentionally infecting systems or disclosing sensitive data. Oxford University Press (2019) also defined social engineering as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Examining the aforementioned definitions of social engineering, it cannot be denied that social engineering is one of the biggest threats to cybersecurity in today’s digital transformation era. Social engineering attacks can be identified but not prevented (Libicki, 2018). Even though social engineering attacks vary, they all follow a similar pattern and have similar phases. Mouton, Leenen, and Venter (2016) explained the four phases of social engineering in their study as follows.

Phase 1: Gather data about the targeted victim. Based on certain criteria, the attacker chooses a victim.

Phase 2: Develop a relationship with the targeted victim. Through direct contact or email communication, the attacker begins to win the victim's trust.

Phase 3: Carry out the attack using the gathered information. The targeted victim is emotionally coerced by the attacker to divulge personal information or make security lapses.

Phase 4: Leave no trace behind. Without leaving any evidence, the attacker leaves.

Samani & McFarland (2015) mention in the “Hacking the Human Operating System: The Role of Social Engineering within Cybersecurity” Report that social engineering is classified into two categories:

1. Hunting

Obtaining information from the targeted victims with the least amount of contact. This strategy typically involves just one encounter, with the attacker cutting off communication after gathering the information.

2. Farming

Establishing a relationship with the targeted victims and continuing to "milk" that relationship for information over time.

1. Changes in Bank Transfer Rates

Telling the victims about changes in bank transfer rates and asking them to fill out a form with their personal data.

2. Priority Customer Offering

Advertising upgrades to priority customer status with a myriad of promotional enticements.

3. Fake Customer Service Accounts

Creating fake accounts offering assistance to resolve complaints by redirecting to fake websites or asking for personal data.

4. Laku Pandai Agent Offering

Offering to make the victim a Laku Pandai agent without complicated requirements. Laku Pandai is a program that offers banking and/or other financial services by working with other parties (bank agents), supported by contemporary facilities, to broaden and increase access to financial services. The fraudsters will later ask the victim to transfer money to obtain the EDC (Electronic Data Capture) machine.

Why Do People Get Fooled Easily by Social Engineering?

In social engineering, fraudsters use two-way communication to gain their victims’ trust. This is consistent with Robert Cialdini’s Six Principles of Persuasion (Ferreira, Coventry, & Lenzini, 2015), which set out ways to build influence over others.

What are the Six Principles of Persuasion?

1. Reciprocity

Reciprocity is particularly dangerous, as it demonstrates how rarely we consider the motivations behind supposedly generous acts, or, if we do, how we stick to our social obligations regardless.

2. Scarcity

This principle explains that people are more likely to want something if they know there is a limited supply. It creates a sense of urgency in people, and they will rush to make their purchase.

3. Authority

This principle explains that experts in their fields can be trusted, especially if they can back up their claims with evidence. Almost every successful phishing campaign employs this technique by posing as a trusted figure.

4. Consistency

This principle takes advantage of people's reluctance to appear hypocritical. Fraudsters manipulate victims into a seemingly harmless opinion or act, then use that commitment to push them into a more significant one.

5. Liking

This principle explains that people are more likely to agree to something if asked by someone they like. As a result, people are more willing to do favors for those they like, often without even realizing it.

6. Consensus

In social engineering, criminals use consensus to persuade their targets to take a certain action because ‘everyone else is doing it’, rather than on the basis of the targets’ own judgment and logical reasoning.

Initiatives to Prevent Social Engineering

1. Social Engineering Policy

This consists of four levels of management guidelines for social engineering prevention (Khidzir, Ahmed & Guan, 2019). Level 1: perform risk management. Level 2: establish responsibilities and procedures. Level 3: prepare a list of evaluations for preventing social engineering attacks, complete with guidelines for how each activity is completed. Level 4: prepare a framework that can be integrated into the system and supports digital evidence of such attacks.

2. Prevention Protocols

The prevention protocol known as co-utile disclosure of private data can manage information sharing between social network users (Sánchez, Domingo-Ferrer, & Martínez, 2018). The co-utile protocol calculates the privacy risks of social network data before deriving a privacy functionality score. It is built on decentralized social network interactions, such as a peer-to-peer model, and on explicit reciprocity of information disclosure.

References:
Sánchez, D., Domingo-Ferrer, J., & Martínez, S. (2018). Co-utile disclosure of private data in social networks. Information Sciences, 441, 50–65.
Libicki, M. (2018). Could the issue of DPRK hacking benefit from benign neglect? Georgetown Journal of International Affairs, 19, 83–89.
Hussain, W., Hussain, F. K., Hussain, O. K., & Chang, E. (2016). Provider-Based Optimized Personalized Viable SLA (OPV-SLA) Framework to Prevent SLA Violation. The Computer Journal, 59(12), 1760–1783. https://doi.org/10.1093/comjnl/bxw026
