Awareness on Social Engineering for General Public

Introduction

Today, as technology advances, the number of cyber threats keeps growing. Social engineering has become one of the most common ways for attackers to target the general public, because it exploits a lack of awareness about evolving cyber threats rather than a technical flaw. Attackers use many channels to carry out social engineering, including but not limited to SMS, phone calls and emails. Phishing is one of the main forms that social engineering attacks take.

In the past few years, phishing and social engineering have been used to take advantage of low cyber awareness, which makes the attacker's job easy: they obtain details or information that they could not get directly, or that would otherwise require technical means such as malicious links or apps. As public awareness of cyber security has improved, attack techniques have become more sophisticated in response. When phishing and social engineering attacks target the general public, the goal is mostly financial gain, for example capturing banking credentials or sensitive data such as credit card numbers, PINs (personal identification numbers) and OTPs (one-time passwords).

Types of Phishing attacks and how to identify them

Based on the mechanism used by attackers, there are various types of phishing attacks:

  • Vishing: Also known as voice phishing or Voice over IP (VoIP) phishing. In this type of attack, individuals are tricked over the phone into revealing critical financial or personal information. A vishing attack may be conducted through voicemail, VoIP, or a landline or mobile telephone. Attackers claim to be from a legitimate organization such as a bank, financial institution or business partner, and use that claimed authority to talk the individual into giving up whatever information the attacker is after. Warning signs are a caller who asks for a PIN, password or OTP, who insists that you act while still on the call, or whose number you cannot verify.
  • Smishing: The attacker sends an SMS to the individual's mobile phone. The content is written to look appealing or urgent and asks the user to click a link in the message. The link is crafted to lead the user to a malicious website controlled by the attacker. For example, an SMS might claim that you have won a lottery worth $XXXX and must click the link below to claim the amount, or that the sender wants to invest money in your business and needs you to confirm by clicking the given link. Warning signs are a sender number you do not recognize, a shortened or odd-looking link, and a prize or payment you never expected.
  • Email phishing: This is similar to smishing. The attacker sends an email conveying urgency and tries to trick the user into clicking links in the email, opening an attachment that contains malicious code able to take control of the user's device, or replying with information. For example, the email may appear to come from a legitimate or known person and insist that the user follow the given instructions, warning that if no action is taken the user will lose a gift, an amount of money, account access or a service. Warning signs are a sender address that does not match the organization it claims to be, links whose real destination differs from the displayed text, unexpected attachments, and deadlines of the form "act within 24 hours".

There are several other types of phishing attacks. In "spear phishing" the attacker targets specific individuals or a small group, such as employees of a particular organization, using personal details to make the message convincing. In "whaling" the targets are a company's senior executives. "Angler phishing" is a relatively new type in which the attacker targets users through social media, often by posing as a brand's customer-support account. Fake websites, posts, tweets and instant messages are the tactics used by the attacker.

Precautionary measures that help people avoid falling prey to phishing attacks

User awareness plays a very big role in identifying and combating such attacks and can prevent most of them. If one comes across any of the types of phishing described above, one should be able to recognize it and act accordingly.

For example, someone may call and ask you to provide sensitive information such as a PIN or password, telling you that your password has expired and insisting that you change it while still on the call, while claiming to be from the help desk or customer support. They might send links over SMS or email asking you to complete a transaction, or create urgency by warning that if you do not act immediately you will lose access or your account will be blocked. Upon receiving such a communication, first ask whether you were expecting it. Then verify the identity of the sender or caller: check the organization's official website for the same information, and call back on a contact number printed on your card, statement or the official website, never on a number supplied in the message itself. No legitimate bank or help desk will ask you for your PIN, password or OTP. If the communication turns out to be fake or unexpected, add the sender or caller to your blocklist and report it as spam.

Using the spam filter policy or feature provided by your email vendor also helps keep phishing emails out of your inbox. Mobile network operators likewise mark known sources as spam so they are easy to identify.
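The checks described above for the three phishing types (sender domain, link destination, urgency wording) can be applied mechanically, and that is roughly what a simple mail or SMS filter does. The following is an added example, not code from the original article; it takes a message and the domain of the organization it claims to come from, and reports why the message looks suspicious. All sample messages are constructed for this example and use reserved test domains (bank.example, login-check.test, the documentation address 198.51.100.7); the hypothetical helper names triage_message and registrable_domain are this example's own.

```python
"""Heuristic phishing triage for a single SMS or e-mail (added illustration)."""
import re
from urllib.parse import urlparse

# Lure wording typical of phishing: urgency, threats, prizes. Extend as needed.
LURE_PATTERNS = [
    r"\bimmediately\b",
    r"\baccount will be (?:blocked|suspended)\b",
    r"\bverify now\b",
    r"\byou have won\b",
    r"\blottery\b",
    r"\bexpire[ds]?\b",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'www.bank.example' -> 'bank.example'.
    Simplification: ignores multi-label public suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_message(sender: str, claimed_domain: str, body: str) -> list[str]:
    """Return the reasons a message looks like phishing (empty list = nothing found).

    sender         -- address the message claims to come from, e.g. 'alerts@bank.example'
    claimed_domain -- the real domain of the organisation the message claims to be from
    body           -- the message text
    """
    findings = []
    expected = registrable_domain(claimed_domain)
    brand = expected.split(".")[0]

    # 1. The sender address must belong to the organisation it claims to be.
    sender_host = sender.rsplit("@", 1)[-1]
    if registrable_domain(sender_host) != expected:
        findings.append(f"sender domain '{sender_host}' is not '{expected}'")

    # 2. Every link must point at the organisation's own domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            findings.append(f"link to a raw IP address: {url}")
        elif host.startswith("xn--") or ".xn--" in host:
            findings.append(f"link uses a punycode (look-alike) hostname: {url}")
        elif registrable_domain(host) != expected:
            if brand in host:
                # e.g. bank.example.login-check.test: the brand appears only as a
                # subdomain of an attacker-controlled domain.
                findings.append(
                    f"link hides '{brand}' inside unrelated domain "
                    f"'{registrable_domain(host)}': {url}")
            else:
                findings.append(
                    f"link domain '{registrable_domain(host)}' is not '{expected}': {url}")

    # 3. Pressure wording.
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if lures:
        findings.append(f"urgency/lure wording matched {len(lures)} pattern(s)")
    return findings


# Constructed sample messages (sender, claimed organisation domain, body); not real traffic.
SMISHING = (
    "alerts@bank.example-verify.test",
    "bank.example",
    "Your account will be blocked within 24 hours. Verify now at "
    "http://bank.example.login-check.test/verify",
)
LOTTERY = (
    "promo@mail.test",
    "mail.test",
    "Congratulations, you have won the lottery! Claim at http://198.51.100.7/claim",
)
LEGIT = (
    "notices@bank.example",
    "bank.example",
    "Our security tips page has been updated: https://www.bank.example/security-tips",
)

if __name__ == "__main__":
    for sender, claimed, body in (SMISHING, LOTTERY, LEGIT):
        print(sender, "->", triage_message(sender, claimed, body) or ["no findings"])
```

The smishing sample trips all three checks (wrong sender domain, brand name buried in an unrelated domain, two urgency phrases), the lottery sample trips the raw-IP and lure checks, and the genuine notice produces no findings. The domain comparison is deliberately naive: a real filter would use the public suffix list and also check the email's authentication headers (SPF, DKIM, DMARC), which this offline example cannot do.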

Do not install unnecessary applications on your mobile devices or laptops, and verify the source and publisher before installing any application. An application that looks legitimate could be a Trojan (a malicious application controlled by the attacker).

Daily measures for ordinary citizens to protect themselves from cyber threats

People should be aware of their surroundings and able to decide what is normal and what is not, instead of going with the flow. Most of the public is not familiar with the technical aspects of identifying cyber-attacks; however, in attacks like phishing and social engineering, where an individual is the first target, common sense goes a long way: do not panic and do not act in a hurry. Banks and other institutions regularly send their customers safety and security tips, and those should be taken seriously. Be aware of who is asking for what, and act responsibly.