See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/354849736

SOCIAL ENGINEERING AND ITS IMPORTANCE

Research · October 2021

1 author:

Faisal Ahmed Ghauri


Capitol Technology University
All content following this page was uploaded by Faisal Ahmed Ghauri on 26 September 2021.



SOCIAL ENGINEERING AND ITS IMPORTANCE
Faysal A. Ghauri
EC-Council University, USA
iam@faysalghauri.com

Abstract— Social engineering is a significant threat to information security. This paper examines how an attack occurs, who poses a threat, who the targets are, and how the episodes can be prevented.
The hacker is often portrayed as a young man driven by curiosity and getting a kick out of manipulating and stealing information. The social engineer also possesses the ability to manage people in a way that the traditional hacker lacks. Many play on the recipient's compassion, gratitude, loyalty, or respect for authority to gain trust. As technological security is strengthened, attackers will more likely use people rather than technology to attack. Many companies use technical solutions to prevent attacks, but it is often forgotten that technological security is ineffective if misused by staff. Since the targets of the social engineer are often those who have not been trained in security awareness, all staff must be prepared.

Purpose
It is clear that social engineering is a significant threat to information security, both for businesses and individuals, and that preventing and thwarting these attacks is of the utmost importance. Despite a high level of awareness of the threats to information security, of how to prevent them from affecting one's person or organization, of how to achieve security in networks, wired and wireless, and of how to secure hardware and software, physically and logically, one threat is often named among the most significant threats to our information security without it being clear how to prevent it in practice [3]. Therefore, this thesis will investigate social engineering. I want to examine the importance of social engineering, how these attacks are carried out, and how the engineer chooses who to contact and why. I want to know how these attacks are best prevented, and whether they can be stopped completely. In terms of employee training, how do you train so that everyone understands the risks and the importance of maintaining information security?

I. INTRODUCTION & BACKGROUND

There are many threats to information security. These threats can be physical, such as theft or sabotage of hardware, or more catastrophic, such as floods and fires. Information security is also threatened by hackers who want to destroy or gain access to information that should be inaccessible to them. These threats are often talked about and known by IT professionals and ordinary IT users alike. Hardware and software are secured with authentication to deny unauthorized access to the system. But what is often overlooked, and perhaps a more significant threat, is the potential threat posed by employees. [1] Most damage to information security is caused by employees, knowingly or unknowingly, either directly by the employee or with the employee used as a tool within the organization.
Social engineering is a term used to describe the form of manipulation increasingly used to gain unauthorized access to information by manipulating employees or individuals into giving out passwords and other sensitive data, which the social engineer then uses to gain access. A typical example is pretending to be IT support: "to secure the system we need your password." [2]
In summary, this work will present the following:
- The approach of an attack
- The attack's occurrence and potential harm
- Profiling the engineer
- Who are the targets of a social engineer?
- Methods to prevent social engineering

II. LITERATURE REVIEW

Social engineering is a method of stealing important information from individuals by taking advantage of psychological gaps or errors in human behavior. Originally a computer security term, social hacking is the act of gaining access to identities and passwords without malware. [4] Social engineering techniques are becoming more sophisticated and aim to exploit gaps in user behavior, both digital and physical. The attacker picks up information without the user's knowledge and uses it to build up the information needed for an attack. In the digital space, where smartphones have become an integral part of our daily lives, users tend to be less security conscious. The misuse of technology created by technological innovation often leads to damage.
Attackers use any means to obtain the information they need to achieve their goals. [5] This can range from fraudulent use of accounts to commit financial fraud, to impersonating a member of an organization to disrupt the organizational structure, to using the information they have obtained to make threats. The threat of social engineering has been increasing steadily over the years.
Figure 1: Social Engineering Attacks Categories

The reality is that social engineering techniques are very diverse and are used in a variety of combinations. They are applied in a very clever and resourceful way to increase their accuracy. [6] This section will broadly categorize the various methods of social engineering that have been identified so far and explain the unique techniques for each category.

Various Methods of Social Engineering

Internal Intrusion
It is premature to conclude that access is safe because it is restricted by ID cards or fingerprint recognition. For example, criminals could use a found or forged ID card, follow an employee through the door, or impersonate a cleaner or collector. Criminals who enter this way will steal the information they need to achieve their goals and take money or other assets. [7]

Spoofing
Fictitious billing and bank transfer scams, where a person pretends to be someone else to obtain information or money, are typical examples of social engineering. For example, a person might pretend to be a business partner or a boss and ask for login details over the phone, or pretend to be a system administrator or contract provider. [8] They may even claim to be the police and ask for personal information.

Baiting
As the name indicates, the attacker uses the victim's natural curiosity to explore further, using free or exclusive offers to manipulate the individual. Malware is usually delivered to the target user by the attacker. The distribution of infected equipment, such as leaving USB sticks in public places, including libraries or parking areas, is one of the baiting methods. Another way is to send e-mails offering free content. [9]

Figure 2: Types of Manipulation

Scareware
Scareware is a type of malware that an attacker uses to frighten users with alarming messages, such as pop-ups saying that you have a virus or that your account has been compromised. This leads the user to buy or download (free of charge) supposed cyber security software that in fact compromises the user's personal information. [10]

Peeping Toms (Shoulder Hacking)
There is also the long-standing practice of a third party, possibly posing as a member of the company, looking at your computer screen while you work on your laptop in a public place such as a café, either from behind your shoulder or when you leave your seat. [11]

Trashing
Trashing is a technique for stealing information from waste bins. Typical instances include obtaining client data from printed materials, private papers, outdated business cards, and notes with IDs and passwords tossed in the rubbish bin. Another option is to take storage media (for example, hard drives, DVDs) from garbage containers and read the stored information. [12]

Impersonation
It is the practice of impersonating another person to extract or change information. Examples of identity theft include:

1. Impersonating the System Administrator and Deceiving the User
In this case, the user does not suspect the system administrator because the system administrator can manage the user's password and is trusted as an expert on the system. [13] A similar situation can be seen in the relationship between user support and the users of Internet service providers.

2. Impersonating a User to Fool the System Administrator
However, system administrators have a relatively high level of security awareness and are not easy to deceive. [14] Some examples are as follows:

Impersonate a Novice User
For an expert administrator, there is no more tiresome job than teaching a novice user. The trick is to take advantage of this: pretend to be a novice user and say "I'm having trouble logging in" or something to that effect, so that the administrator decides it is easiest to hand out a temporary password and get it over with.

Impersonating a Supervisor from Another Department
Even if it is another department, it is hard to disobey someone higher than you. This psychology can be exploited by pretending to be the boss of another department and shouting at staff in an intimidating manner. [15] For example, "Your login is not working," or "I'm having trouble logging in." In such a situation, only a strict system administrator would say that he will follow the rules and not give out the password verbally.

Impersonate a Female Employee
In general, not only are women less likely to be suspected than men, but if the manager is a man, he is likely to be more helpful than if a man makes the request. Some people take advantage of this and pretend to be female employees. However, not everyone can do a female voice on the phone, so you may have to use a voice changer or other techniques such as e-mail or chat to make contact.

Targeting the System Administrator's Subordinates at Lunchtime
System administrators themselves are a relatively tough nut to crack. However, it is a very different story for their subordinates, who are usually in a supporting role. Such a person is very likely to make a mistake or do something that should not be done, and in some cases may even be happy to help with a task they are not normally given.

Deliberately Contacting a Different Department
If you call the main telephone number or the department to which the person belongs and ask about them, it is natural that they will try to transfer the call. However, what if you call a neighboring department? In many cases, the person who answers and tries to pass the call on is relatively pleasant. Still, in many cases that person is too lazy to take responsibility for the call or to point out that the number is wrong, or it is physically impossible to transfer the call, and they may be tempted to hang up rather than transfer it. It is possible to exploit this psychology by deliberately calling other departments to extract information about the target person.

Impersonate an External Third Party
Common sense tells us that it is unlikely that anyone would leak confidential information to an outsider so easily. However, even if it does not reach the point of directly asking for a password, it is easy to ask for a name, etc., and illegal access can be achieved on the basis of such information. The following are some examples.

Impersonate a Member of the Public Service
It is relatively easy to trust an external third party, especially a member of a public service. This trustworthiness can be used against staff to extract information from them.

Pretending to be a Client, Potential Client, etc.
It is not uncommon for people to be so concerned about upsetting a current client that they will divulge important information if asked. In addition, if they think that the person might be a future customer, they will try to answer the questions as fully as possible to get ahead. This can also be used to find out the name of the manager.

Pretending to be a Real Customer
In this case, complaining is the instrument. It is challenging for a company, especially one that manufactures and sells consumer products, to know its customers, so there is no way of verifying that a caller is a customer. A further technique is to become a regular complainant and communicate with staff to get to know them and extract information from them. [16]

Misuse of Social Networking Sites
Attackers acquire extensive information about the target's behavioral patterns, interests, and preferences by monitoring the postings on social networking sites. In other circumstances, they contact the target using a false account, gain the target's trust and confirm via e-mail when the target will be away. [18] The information is then used to burgle or stalk the prey.

Phone Spoofing
Most of the above spoofing is done over the phone, as it is easier to impersonate someone when the other party cannot see your face, only hear your voice. [17]

Disguise and Deception
An example is impersonating a cleaner, which often involves breaking into the premises.

E-mail Spoofing
This is a method of forging the sender of an e-mail. In some cases, it is possible to completely impersonate someone else by forging mail header information and eavesdropping on the return address.

Figure 3: Impersonation Example

Cases of Social Engineering
The damage caused by social engineering is increasing every year. In 2017, a major airline was tricked by an e-mail claiming to be from a business partner and defrauded of 380 million dollars. In 2018, the names and mobile phone numbers of 52 interns at a public hospital were compromised by an attacker posing as a doctor. In 2018, a significant crypto-asset (virtual currency) exchange leaked crypto-assets because an attacker sent malware-laden e-mails to employees after building trust with them through frequent e-mails and phone calls over the previous six months. [19] This is a typical social engineering technique.

Reverse Social Engineering
In social engineering, the social engineer approaches the target in some way to achieve the goal. Reverse social engineering, on the other hand, is a type of social engineering in which some mechanism is set up beforehand, and the target takes action of their own volition to achieve the goal. Some examples are as follows:

1. Fake Emergency Contact Details
A fake e-mail is sent to the system administrator saying that the emergency contact details for a hardware or software maintenance company have changed, so that the attacker will be the one contacted in the event of a problem. Because the administrators think it is the maintenance company and are in the middle of a problem, they are sure to tell the attacker anything they want to know. [20] In this case, the attacker may wait for trouble or provoke it from the outside, for example by disabling the system. A similar trick is to give out a fake business card with a fake mobile phone number as the contact number.

2. Fake Website
The user is taken to a fake website and asked to enter a password. This is similar to web spoofing.

3. Trojan Horse
A program is somehow placed on the user's computer and guides the user into entering authentication information, which is then captured.

Figure 4: Ransom Attacks (justprivacy.org)

Figure 5: Phishing Cases by Year

Web Spoofing
In essence, this is a method of getting the user onto a fake website, which in some way appears to be the real thing, and obtaining the information entered there. [21] It is a fake website and, therefore, a form of impersonation, but it is also a form of reverse social engineering, as it is achieved through the user's own actions.
Some examples of how to get people to visit a fake site include:
1. False DNS information
2. Use of misleading URLs or domain names
3. Getting you to click an incorrect URL in your e-mail
4. Registering this false information in famous search engines
5. Creating fake links and deceiving users with counterfeit URLs

There are also ways of getting people to enter information via the web without counterfeiting a site for which the real thing exists. [22] Here are some examples:
i. When you open a page, a JavaScript dialog (in the web browser) prompts you to enter your ID and password, as if the provider were asking for it, in order to obtain the information.
ii. Set up a website with a sweepstake, let people apply, and collect their information.
iii. In addition to obtaining some personal information, passwords for free e-mail services are easy to guess, because the person is likely to use the same password elsewhere.
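The header forgery described under E-mail Spoofing, and the fake emergency-contact e-mail sent to an administrator, can be screened at the mail gateway by comparing the visible sender with the headers the receiving server actually verified. The Python below is an added example, not code from the paper; both messages, every domain and the finding wording are constructed for illustration.

```python
"""Header-level checks for a forged e-mail sender, as a mail gateway or an
analyst would apply them. Added example; the two messages, the domains and
the finding texts are constructed placeholders, not taken from the paper."""
import re
from email import message_from_string
from email.utils import parseaddr

# Pulls "spf=pass", "dkim=fail", "dmarc=none" style verdicts out of the
# Authentication-Results header written by the receiving mail server.
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Lower-cased domain part of a mailbox ('' if there is no address)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def spoofing_findings(raw_message: str) -> list:
    """Return human-readable indicators that the visible sender may be
    forged. An empty list means every header-level check passed."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. The envelope sender (Return-Path) is what SPF actually checked;
    #    a forged From header usually does not match it.
    rp_domain = domain_of(str(msg.get("Return-Path", "")))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 2. A Reply-To elsewhere routes the victim's answer (and anything they
    #    disclose in it) to a mailbox the claimed sender does not control.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. A display name that itself looks like an address hides the real
    #    mailbox in mail clients that show only the name.
    if "@" in from_name and domain_of(from_name) != from_domain:
        findings.append(f"display name {from_name!r} shows a different domain than {from_addr}")

    # 4. SPF, DKIM and DMARC should all have passed at the receiving server;
    #    "missing" covers a message that never went through such a check.
    verdicts = {m.lower(): v.lower() for m, v in
                AUTH_VERDICT.findall(str(msg.get("Authentication-Results", "")))}
    for mechanism in ("spf", "dkim", "dmarc"):
        result = verdicts.get(mechanism, "missing")
        if result != "pass":
            findings.append(f"{mechanism} result is {result}")
    return findings


def is_suspicious(raw_message: str) -> bool:
    return bool(spoofing_findings(raw_message))


# Constructed sample: a genuine notice from the organisation's own IT team.
LEGITIMATE = """\
Return-Path: <alerts@acme-it.example>
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme-it.example; dkim=pass header.d=acme-it.example; dmarc=pass header.from=acme-it.example
From: ACME IT Support <alerts@acme-it.example>
To: admin@acme.example
Subject: Scheduled maintenance window

Maintenance starts at 22:00.
"""

# Constructed sample: the "emergency contact details have changed" ruse,
# sent through an unrelated relay with a look-alike display name.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=mail-relay.example
From: "support@hw-maint.example" <noreply@mail-relay.example>
Reply-To: urgent@hw-maint-contact.example
To: admin@acme.example
Subject: Updated emergency contact details for hardware maintenance

Please use the new number below for any outage.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, spoofing_findings(sample))
```

Real gateways additionally check that the DKIM signing domain aligns with the From domain (DMARC alignment); that check needs the header.d value and is omitted here.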
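The counterfeit links, misleading domain names and fake websites listed under Web Spoofing are what the advice to verify a site's authenticity is aimed at. The Python below, added here and not from the paper, shows one way to screen a URL before a user follows it; ALLOWED_DOMAINS, the sample URLs and the two-label rule for a registrable domain are assumptions made for the example.

```python
"""Screen a URL for the tricks used to lure users to a counterfeit site:
look-alike (typosquatted) domains, a genuine name embedded in a foreign
host, user-info before '@', bare IP hosts and internationalised labels.
Added example, not from the paper; ALLOWED_DOMAINS and the sample URLs
are constructed placeholders."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the organisation's genuine registrable domains are known.
ALLOWED_DOMAINS = {"acme-bank.example", "acme.example"}


def registrable(host: str) -> str:
    """Last two labels of the host. Assumes plain suffixes such as .example
    or .com; multi-label suffixes (.co.uk) would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a genuine domain is the
    signature of a typosquat (dropped, swapped or substituted letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_findings(url: str) -> list:
    """Return reasons a user should not trust this link; an empty list means
    the URL points at a genuine domain over HTTPS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no host"]
    findings = []

    # user:pass@ before the host makes the text before '@' look like the site.
    if "@" in parts.netloc:
        findings.append(f"text before '@' is user-info; the real host is {host}")

    # A genuine site is not advertised by its bare IP address.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        return findings
    except ValueError:
        pass

    # Punycode or non-ASCII labels can render like a genuine name (homograph).
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised host label: possible homograph of a genuine name")

    reg = registrable(host)
    if reg in ALLOWED_DOMAINS:
        if parts.scheme != "https":
            findings.append("genuine domain but not served over HTTPS")
        return findings

    # Not one of ours: does it imitate one of ours?
    for good in sorted(ALLOWED_DOMAINS):
        if good in host:
            findings.append(f"genuine name {good} embedded in foreign host {host}")
        elif edit_distance(reg, good) <= 2:
            findings.append(f"{reg} is a look-alike of {good}")
    if not findings:
        findings.append(f"unknown domain {reg}")
    return findings


def verdict(url: str) -> str:
    return "ok" if not url_findings(url) else "suspicious"


if __name__ == "__main__":
    for sample in ("https://login.acme-bank.example/session",
                   "https://acme-bnak.example/login",
                   "https://acme-bank.example.login-check.example/",
                   "https://acme-bank.example@203.0.113.5/",
                   "http://acme.example/"):
        print(verdict(sample), sample, url_findings(sample))
```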
Social Engineering and Its Importance
The different forms of social engineering attacks and the aforementioned tactics, such as DNS spoofing, web spoofing, etc., are evident. Security is needed where danger occurs, so social engineering attacks indirectly heighten the sense of device safety. [23] Precautionary measures to identify assaults are as vital as security itself, and the following advice helps detect these attacks at the institutional and individual levels:

1. All employees should be adequately trained.
2. Spread the word about security attacks.
3. Software to protect against cyber-attacks should be promoted.
4. Social engineering attacks need to be identified.
5. Websites with an authenticated certificate should be used.
6. Users must think twice before sharing credentials.
7. Verify the authenticity of websites before proceeding to payment.

These are some of the steps users can take to avoid social engineering assaults. These attacks threaten society by altering its members' economic structure. [24] The only positive role that social engineering performs is giving a sense of security in the cyber world. Otherwise, it plays a purely negative part, as these attacks cannot be eliminated due to unpredictable developments in the cyber world.

Figure 6: Social Engineering Stats According to Nerds Support

Figure 7: Coin Miner Malware (McAfee Labs)

Figure 8: Social Engineering 2020 Insights

Laws Regarding Social Engineering Attacks
Social engineering is mainly fraud, as defined by Article 415 of the Australian Criminal Code, 1860 (in short, the IPC). It says that whoever, intending to deceive another person, dishonestly or fraudulently induces that person to deliver any property, or to consent that anyone retain any property, or to do or omit to do anything they would not do if they were not deceived, and thereby causes or is likely to cause damage or harm to that person in body, mind, reputation or property, commits cheating. [25]

Backing Deception to Gain Property
One constant component of all kinds of social engineering attacks is deception to obtain property or gain entry. These are generally internet deception tactics, and false documents are also used in these deception activities, including bonds, agreements, trademarks of established brands, etc., together with identity impersonation. [26] Forging documents attracts the penal provision defined in Section 463 of the IPC, which covers the preparation of false documents, including electronic records, to commit fraud against any person or the general public, to cause damage or injury, to support a claim to title or other claims, to bring about a division of property, or to enter into an express or implied contract.
Preparation by Unfair and Fraudulent Intentions of False Documents
In addition, IPC section 464 defines the preparation of false documents. False documents are produced with dishonest and fraudulent intentions and may involve a seal, a signature, the execution of a document, the transmission of all or part of an electronic record, the affixing of an electronic signature, marks of the authenticity of an item, or marks made in the name of a fictional individual claiming it to be a natural person. [27] Cheating, impersonation, and forgery are penalized under different sections, depending on the situation and the facts.

III. METHODOLOGY

Since the questions are theoretical rather than practical, it is natural to seek the answers to the questions in the literature relevant to the subject. In my choice of literature, I have tried to create a broad literature base to get as wide a knowledge base as possible. [28] For this reason, I have chosen a book written by a well-known and notorious hacker and books that give widely differing approaches to hacking, from a historical/philosophical/biological strategy to a description of hacking as national warfare/terrorism. Newspaper articles provide additional information on social engineering, indicating the prevalence and possible impact of attacks.

Social Engineering Attacks Overview
To understand social engineering as a method of misappropriating information or services and as a threat to personal and public information security, I begin by examining the attack process and the methods used to gain the recipient's trust.
First of all, it is essential to distinguish between the two types of attacks that occur. Large-scale rapid attacks include e-mail or website scams. These attacks are characterized by many people being contacted, and the fraudster spends no time building a relationship or doing research to appear credible. [29] Examples of this type of attack are spam messages advertising that the recipient has won something or has been selected for an offer and only needs to provide their details to receive the prize. For most of us, quick attacks are often easy to see through and distinguish from legitimate messages, as they are often hastily written or poorly translated. The aim of these attacks is not to fool everyone who is contacted; it is enough for someone to be fooled occasionally for the attack to succeed. [30]
Slow, focused attacks are scams that target a specific company or individual. The attack is carefully planned and well prepared. Unlike the fast attacks, the slow attacks are much more challenging to see through and require that everyone contacted is completely fooled for the fraud to succeed. The quick attacks can be considered relatively easy to protect against: a little common sense and a reasonable dose of suspicion should be enough to protect yourself. Therefore, this work concentrates on the focused attacks.
Finally, the attack takes place in one or more stages. The most common method for all stages of the episode, from information gathering to attack, is telephone calls, and of course the Internet and e-mail. Physically visiting the organization is often considered risky and is avoided if possible. Meeting someone physically makes it that much easier to determine whether they are telling the truth or lying. [35] We can see facial expressions and body language combined with voice tone, inflection, and other non-verbal communication, and it is much harder for the engineer to appear trustworthy.

Acquire Information
A social engineer has to do a lot of pre-work before the attack, finding out the jargon and common vocabulary of the targeted organization. Often this information is freely downloadable from the Internet or easily accessible on the company's website or intranet. [31] Suppose the organization has been security-conscious enough to protect such information. In that case, it can often still be obtained by social engineering of switchboard operators or administrators, as it appears harmless and is not considered usable for mischief. However, the information is hazardous because it allows the engineer to appear to be someone in the company and therefore to be trusted, so that more sensitive information can be disclosed.
Another way to obtain information is dumpster diving. By searching the company's dumpster, one can find a lot of valuable information. Internal telephone directories, computer manuals, employee information, notes, and drawings can be found in the garbage. [32] Even if the organization has procedures for destroying confidential and perhaps even internal communication, a lot of information is considered harmless. Still, it could be exploited by a social engineer, such as letterheads and signatures, memos, and notes.
Social networks are also widely used by social engineers to obtain information about employees and the company and then to use that information to gain the sympathy and trust of the recipient. [33]

Planning the Attack
The preparations are described by an industrial spy and professional social engineer as follows:

"You have to plan. Find out what buttons to push to get them to line up, find out what they want, what they need. Plan the attack. Be patient, do your homework. Figure out what role you're going to play and learn to replicate. Don't walk in the door until you're ready."

The engineer then maps the organization itself: internal numbers and departments, software used, names of people and information resources, and other information that could be useful in an attack. At this stage, he finds a suitable identity and role to play in the episode. Even this information is obtained through social engineering from employees accustomed to providing information to whoever needs it and states a reasonably legitimate identity and reason. [34] If the engineer presents his question or request as entirely honest, the recipient rarely has reason to question it. Moreover, the engineer is often pleasant and plays on the recipient's willingness to help.

Implementing the Attack
"to act in such a way and in such a direction as to benefit oneself and, so that one does not realize that he or she has been deceived is the greatest gain of all."

It is essential not to forget that social engineering is often only a means to reach the information or system the engineer wants to access, and rarely the goal itself. It is a way to get in and get access, to get what you want quickly. As technical security improves, the social attack route is likely to be used more often than purely technical hacking. Manipulating people is becoming easier in comparison to the increasingly secure technical solutions being used.
A skilled social engineer can find out virtually anything in an organization, even what all employees consider unthinkable to disclose to a stranger who is not part of the organization. [36] The engineer accomplishes this by posing as different people depending on the information sought and by using other methods to get people to disclose that information.

Building Trust
An essential part of social engineering is that what is requested must be perceived as a reasonable request from the person the engineer is pretending to be, lest the recipient become suspicious. It is a matter of distorting the truth and presenting a lie as truth to create a distorted basis for the recipient's decision, so that what should be impossible appears perfectly reasonable. [37] Once trust has been established, it is simply a matter of maintaining it. Most people rarely change their minds despite the warning lights.
Suppose the recipient still seems to become suspicious. In that case, the engineer must manage to reassure them and give a reasonable explanation so that the suspicion subsides, and then it may be wise to end the call as soon as possible. If the victim becomes suspicious, there is a risk that they will spread the word to colleagues, who will become more suspicious of strange phone calls and charming strangers with questions. All of this means that social engineers must be highly perceptive people-watchers to become proficient in their occupation. [38] Hearing whether the person feels trust or suspicion toward the social engineer can determine whether the attack succeeds or fails. One tactic is to ask a personal question to determine the recipient's level of cooperation and suspicion.
Commonly, the social engineer asks for information that seems relatively innocuous to the recipient but which, combined with other information the engineer receives in another call, poses a significant threat to the organization's information security, as it allows the engineer to access the information he wants. One trick to hide the questions you want answered is to ask them in combination with other wholly innocent and unimportant questions. To disguise the questions that matter, some trivial questions are often asked at the end: if the recipient later thinks back on the conversation, the latter questions are the ones likely to be remembered.
Another tactic is to gain the trust of a person in the company by working with them over a long period, and then let the deceived person on the inside do what you want. [39] In this way, the social engineer runs a minimal risk of being caught if they have managed the contact well and ensured that the connection could not be traced.
It is also essential to train staff to understand the value of login information and different codes. They must be treated as sensitive information that is not disclosed. A policy should also be put in place that information will not be released until the request can be confirmed and the identity of the enquirer verified. Staff should be trained to ask themselves what the information could be used for by a malicious person before disclosing it to someone they do not know personally and are not sure is who they say they are. They must also be trained not to carry out commands whose effects they do not know. Making this a practice prevents and hinders the social engineer.

Occurrence and Harmfulness
To assess whether or not social engineering is a threat to information security and how significant this threat is, one must look at its prevalence and potential harm.
Likely, many social engineering incidents that occur are never detected [42]. Many organizations choose not to report those that are seen, as disclosure could damage customer trust, resulting in even more significant losses than the breach itself. The likely large number of unreported cases makes it difficult to figure out the prevalence of social engineering.
Social engineering is rarely the target of an attack but merely a means to reach the information or service sought. Therefore, like most information security attacks, a social engineering attack's potential impact and scale can range from devastating to barely noticeable. A breach that is not publicized and did not involve the theft or sabotage of critical information will have minimal impact on the affected organization. Apart from the fact that the organization should conduct an internal investigation and review its security, the breach is unlikely to have repercussions. [43] However, a violation that becomes public knowledge may result in the organization not being

IV. ANALYSIS RESULTS

The methodology has changed in recent years for more significant and targeted attacks such as industrial espionage. From working on a broad front and attacking in many places, intelligence has changed its approach to carefully identifying certain people of interest. The mapping aims to find a way to reach the person, a loophole or weakness in their habits or in the information resources they are responsible for. This may involve, for example, placing a Trojan on a frequently visited website. [40]
The weakest link in information security is always people. No matter how many secure systems, firewalls, authentication methods, and IPS/IDS systems are installed, they are all of no use unless the people who will manage and work with these systems and security products have been trained in their proper use and handling. Employees who lack training and understanding of information security and of how the organization's information assets are protected risk sabotaging information security by disclosing information to social engineers. These employees can often be new hires or temporary workers who have not been informed about what information can be disclosed to whom, or long-standing staff who have not received the necessary training. Lower-level employees often make up the latter group and are therefore frequently targeted by the social engineer. [41] Because they lack training in information security, they do not recognize the social engineer's tricks as hoaxes. Instead, they perceive the engineers as lovely, authoritative but friendly people, and they often want to assist them.

Figure 9: Phishing Attacks in 2018

Attach a privacy filter to the display and turn on the privacy function
By attaching a privacy filter to the display of your computer or smartphone, you can reduce the left and right viewing angles. This will help to prevent prying eyes from behind. If the product has a privacy function that narrows the viewing angle, you can achieve the same effect by turning on that function.

Never leave vital information on your desk unattended
If you leave documents with IDs, passwords, or customer information printed on them on your desk, there is a risk that a third party may see them. Ensure that essential documents are not left on your desk but stored in a lockable cabinet before leaving. [45]

Shred documents before throwing them away to prevent information from being read
If you throw your documents straight into the bin, there is a risk that the contents will be stolen and deciphered. Some people consider it OK to tear a paper a couple of times by hand, but that level of shredding is almost useless. Shredders that cut to a very fine level and confidential document collection services that pick up a certain number of documents at a time will eliminate such concerns.

Ensure that storage media is erased before disposal
Unwanted storage media should be securely erased using special software. For example, hard disk drives should be physically destroyed with a hammer before disposal. Each medium has its own storage mechanism, and if you understand this and take the appropriate measures, you will be less likely to
considered trustworthy and secure to engage or work with, have information stolen from your discarded storage media. [46]
leading to the loss of suppliers, partners, and customers. Such a
loss is difficult to overcome and may lead to bankruptcy. Do not use social networking sites to reveal information
Information theft can mean that the company's goods (e.g., about your activities or your company
software code, drawings) are leaked and can be used by You should be aware that posting information on social
competitors. If the company loses the ability to sell its product, networking sites, such as your plans for the future or
it also loses revenue, leading to bankruptcy in the worst case, information about your company, is no different from shouting
unless it can develop a new product. in a public place. If it becomes clear that you are not there, you
may be vulnerable to burglary. Or, if you are open about your
Effective measures against social engineering interests, tastes, and behavior, you may be stalked. There is also
There is no end to the damage caused by social engineering. the possibility of someone guessing your password based on the
The theft and stalking of individuals, as well as large information you have collected. There have been cases where
corporations, is becoming a significant threat. However, the people have used their spouse's wedding anniversary as a PIN
following measures can significantly reduce the risk of being code, only to have it quickly spotted.
victimized.
Beware of direct messages on social networking sites
Do not give your ID or password to anyone over the phone Beware of direct messages from strangers on social networking
Posing as your boss or business partner is becoming more sites. Even if it's a direct message from someone you've
common. Telephone calls should be treated with caution as they exchanged a few words with, don't be tempted to open the link
are voice-only, and the caller cannot be identified. If you need in the statement. This is especially true these days when
to communicate IDs and passwords to someone remotely, it is hijacking accounts to send out spam is a common practice. If
advisable to use a combination of methods, e.g., ID over the you do need to open it, you should only do so if you have good
phone and password by e-mail. [44] security software installed on your computer. [47]
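As an added example that is not part of this paper, the following Python check enforces the point about date-based PINs at the moment a user chooses one: it rejects PINs built from dates the person has disclosed publicly (a wedding anniversary or birthday), together with common and sequential PINs. The date labels, the sample dates and the common-PIN list are constructed assumptions for the example.

```python
from datetime import date

# Constructed sample: dates this person has disclosed publicly (for instance
# on a social networking profile). Labels and dates are made up for the example.
DISCLOSED_DATES = {
    "wedding anniversary": date(1998, 6, 15),
    "birthday": date(1975, 11, 3),
}

# Constructed short list of weak PINs a policy should refuse outright.
COMMON_PINS = {"1234", "0000", "1111", "2580", "123456", "000000"}


def date_derived_pins(d: date) -> set[str]:
    """Return the 4-, 6- and 8-digit PINs a person is likely to build from
    one memorable date: day/month, month/day, the year, and combinations."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    candidates = [
        dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + mm, yy + dd,
        dd + mm + yy, mm + dd + yy, yy + mm + dd, yy + dd + mm,
        dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd, yyyy + dd + mm,
    ]
    return set(candidates)


def _is_run(pin: str) -> bool:
    """True for strictly ascending or descending digit runs such as 4567 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, disclosed: dict[str, date]) -> tuple[bool, str]:
    """Policy check run when a user sets a PIN. Returns (accepted, reason)."""
    if not pin.isdigit() or len(pin) not in (4, 6, 8):
        return False, "PIN must be 4, 6 or 8 digits"
    if pin in COMMON_PINS:
        return False, "PIN is on the common-PIN list"
    if len(set(pin)) == 1:
        return False, "PIN is a single repeated digit"
    if _is_run(pin):
        return False, "PIN is a digit sequence"
    # The social-engineering case: a PIN any acquaintance could derive from
    # a date the person has already made public.
    for label, d in disclosed.items():
        if pin in date_derived_pins(d):
            return False, f"PIN is derived from a publicly known date ({label})"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("1506", "0615", "150698", "1234", "2741"):
        print(candidate, check_pin(candidate, DISCLOSED_DATES))
```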
Need for awareness of Social Engineering Attacks
Social engineering exploits human psychological vulnerabilities to achieve its goals. There is no doubt that social engineering attacks will continue to increase in the future, both for individuals and employees. All seven of the measures above have one thing in common: they are all dangerous and require constant vigilance.

Social engineering, in particular, is a method of catching people off guard. As long as people do not act on their own initiative, there will be vulnerable points somewhere. Therefore, if you have access to security software and other safety tools, you should actively consider using them. [48] The more time and opportunities we spend using services in the digital space, the greater the risk of being victimized by social engineering. We need to be aware of this risk and how we can act accordingly.

Bringing the provisions of the Information Technology Act of 2000 to light
The Information Technology Act of 2000, Sections 65 to 66D, deals with impersonation and cheating crimes. Section 71 concerns misrepresentation and suppression of material information for licensing, which is cheating, and a fallacy since they are done in an attempt to fool. Sections 68, 69, 70, and 71 also deal with non-compliance with government instructions and notifications. Section 72 concerns data leaks, while Section 72A covers the entire range of social engineers' assaults because it penalizes those who obtained access to personal information without the other person's permission or in violation of a legal contract to cause them wrongful loss or improper gain. Sections 73 and 74 concern the forgery of certification by electronic signatures. [49]

The extra-territorial operation of the Act, 2000 is dealt with in Section 75 of the Information Technology Act, which says that if any computer, computer system, or network resource located in Australia is used for offenses outside of Australia, the person is liable for the violation of its provisions under the IT Act 2000, irrespective of their nationality. This implies that if someone hacks a computer resource and makes wrongful profits or commits misdemeanors, that individual is responsible. Section 4 of the IPC also demands the extra-territorial operation of the IPC in the same manner and encompasses, in particular, any act by which someone outside Australia targets any computer resource in Australia. [50] This also covers social engineering attacks. Following IPC provisions, such as Sections 417 to 420 for cheating and Sections 465 to 477A, there are different penalties for various offenses, with minimum three-month and maximum life imprisonment under multiple sections of both laws. The IPC provisions have numerous penalties for multiple violations.

Central government steps towards cyber security awareness
The Central Government has made specific efforts to avoid and mitigate cyber security issues. [51] The following are:
1. Following Section 70A of the Information Technology Act, a National Protection Center for Critical Information Infrastructure is created.
2. Issue of cyberthreat and countermeasure warnings and notices by CERT-In.
3. Issue of guidance on the primary duties and responsibilities of Chief Information Security Officers (CISOs) in protecting applications/infrastructure and compliance.
4. Provision, before launch and subsequently at regular intervals, for audits of government websites and apps.
5. Security auditing organizations to assist and audit the execution of best practices in information security.
6. Crisis management plan design for cyber assaults and cyber terrorism.
7. Conduct of regular cyber security and simulated exercises to test governmental and critical sector enterprises' security stance and preparation.
8. Conduct of frequent training programs on information infrastructure security and cyber threats for network/system administrators and heads of government and critical sector organizations.

V. RECOMMENDATIONS

Social engineering is a significant threat to the information security of companies, organizations, and individuals. As technological security improves, more malicious people will choose the easier way to achieve what they want: using people to gain information or access resources. To prevent this opportunity from being exploited, we must eliminate or at least reduce it.

When it comes to information security, many focus on technical security. Technical solutions such as firewalls, IDS, authentication, encryption, restricted access, and permission rules can, of course, prevent attacks and are, therefore, very important for the organization's information security. But technical security is only half of information security and can only protect if the technology is used correctly. Therefore, to ensure that technical protection covers, administrative security is required in the form of monitoring and controls, follow-up, and established policies and procedures.

VI. CONCLUSION

Social engineering is essentially nothing unusual, and most, if not all, people use it from time to time. We play on the recipient's sympathy and empathy for our situation to get our way or authority when we show nothing to discuss. All the methods a social engineer uses to get what he wants, we use too, although often quite unconsciously. It's part of the social game that all interpersonal communication consists of. The difference is that the engineer has mastered the art of social engineering and can use it to the full consciously and deliberately to gain trust and get in our way.
One of my main goals in this study was to find suitable prevention methods. One idea from the beginning was that it is mainly about staff training. After studying the subject, I found that my thought was correct. However, I was wrong in the wording. It is essentially about prevention rather than prevention. Stopping an attack from happening seems impossible. Preventing an attack in progress from continuing and eventually succeeding is entirely possible. To do that, all staff must be trained, not once on recruitment, but repeatedly. The training must be designed so that the knowledge gained from it is carried onto the job. There needs to be an understanding of why it is crucial to have long, complex passwords that are so difficult to remember (it may be wise to teach ways to build strong passwords that are nevertheless easy to remember). Participants need to know what a malicious person can do with the company's assets and how a malicious person can exploit staff to gain access to them. Technical security solutions are fundamental to ensure information security, but only when the entire workforce has good security awareness and is committed to information security can we feel reasonably safe from attacks.

VII. REFERENCES

[1]. Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, 22, 113–122.

[2]. Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. In Google Books. John Wiley & Sons.

[3]. Peltier, T. R. (2006, November). Social Engineering: Concepts and Solutions.

[4]. Huber, M., Kowalski, S., Nohlberg, M., & Tjoa, S. (2009). Towards Automating Social Engineering Using Social Networking Sites. 2009 International Conference on Computational Science and Engineering.

[5]. Abraham, S., & Chengalur-Smith, I. (2010). An overview of social engineering malware: Trends, tactics, and implications. Technology in Society, 32(3), 183–196.

[6]. Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates, and scenarios. Computers & Security, 59, 186–209.

[7] [8] [9] [10]. Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., & Pu, C. (2011). Reverse Social Engineering Attacks in Online Social Networks. Detection of Intrusions and Malware, and Vulnerability Assessment, 55–74.

[11]. Applegate, S. D. (2009). Social Engineering: Hacking the Wetware! Information Security Journal: A Global Perspective, 18(1), 40–46.

[12]. Conteh, N. Y., & Schmick, P. J. (2021). Cybersecurity Risks, Vulnerabilities, and Countermeasures to Prevent Social Engineering Attacks. Ethical Hacking Techniques and Countermeasures for Cybercrime Prevention.

[13]. Luo, X., Brody, R., Seazzu, A., & Burd, S. (2011, July 1). Social Engineering: The Neglected Human Factor for Information Security Management. Information Resources Management Journal (IRMJ).

[14]. Thornburgh, T. (2004). Social engineering. Proceedings of the 1st Annual Conference on Information Security Curriculum Development - InfoSecCD '04.

[15] [38]. Workman, M. (2007). Gaining Access with Social Engineering: An Empirical Study of the Threat. Information Systems Security, 16(6), 315–331.

[16]. Byrne, R. (2020). The Importance of Cybersecurity Awareness Training on Small Corporations to Reduce the Risk of a Social Engineering Attack - ProQuest.

[17]. Gupta, S., Singhal, A., & Kapoor, A. (2016). A literature survey on social engineering attacks: Phishing attack. 2016 International Conference on Computing, Communication, and Automation (ICCCA).

[18]. Hoang, N. P., & Pishva, D. (2014). Anonymous communication and its importance in social networking. IEEE Xplore.

[19]. Kotenko, I., Stepashkin, M., & Doynikova, E. (2011, February 1). Security Analysis of Information Systems Taking into Account Social Engineering Attacks. IEEE Xplore.

[20]. Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social engineering attacks on the knowledge worker. Proceedings of the 6th International Conference on Security of Information and Networks - SIN '13.

[21]. Salahdine, F., & Kaabouch, N. (2019). Social Engineering Attacks: A Survey. Future Internet, 11(4), 89.

[22]. Simpson, S. P., & Field, R. (1947). Social Engineering through Law: The Need for a School of Applied Jurisprudence. New York University Law Quarterly Review, 22, 145.

[23]. Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. (2017). On the anatomy of social engineering attacks: A literature-based dissection of successful attacks. Journal of Investigative Psychology and Offender Profiling, 15(1), 20–45.

[24]. Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97–115.

[25]. Gonzalez, J. J., Sarriegi, J. M., & Gurrutxaga, A. (2006). A Framework for Conceptualizing Social Engineering Attacks. Critical Information Infrastructures Security.

[26]. Heartfield, R., & Loukas, G. (2018). Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework. Computers & Security, 76, 101–127.

[27]. Heartfield, R., Loukas, G., & Gan, D. (2017, June 1). An eye for deception: A case study utilizing the human-as-a-security-sensor paradigm to detect zero-day semantic social engineering attacks. IEEE Xplore.

[28]. Karpati, P., Sindre, G., & Matulevicius, R. (2012, April 1). Comparing Misuse Case and Mal-Activity Diagrams for Modelling Social Engineering Attacks. International Journal of Secure Software Engineering (IJSSE).

[29]. Laribee, Barnes, Rowe, & Martell. (2006, June 1). Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems. IEEE Xplore.

[30]. Li, T., Wang, K., & Horkoff, J. (2019). Towards Effective Assessment for Social Engineering Attacks. 2019 IEEE 27th International Requirements Engineering Conference (RE).

[31]. Nohlberg, M. (2018). Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks. DIVA; Institutionen för data- och systemvetenskap (tills m KTH).

[32]. Parthy, P. P., & Rajendran, G. (2019). Identification and prevention of social engineering attacks on an enterprise. 2019 International Carnahan Conference on Security Technology (ICCST).

[33]. Saleem, J., & Hammoudeh, M. (2017). Defense Methods Against Social Engineering Attacks. Computer and Network Security Essentials, 603–618.

[34]. Sawa, Y., Bhakta, R., Harris, I. G., & Hadnagy, C. (2016, February 1). Detection of Social Engineering Attacks Through Natural Language Processing of Conversations. IEEE Xplore.

[35]. Scheeres, J. W. (2008, March 1). Establishing the Human Firewall: Reducing an Individual's Vulnerability to Social Engineering Attacks. Apps.dtic.mil.

[36]. Smith, A., Papadaki, M., & Furnell, S. M. (2013). Improving Awareness of Social Engineering Attacks. Information Assurance and Security Education and Training, 249–256.

[37]. Spinapolice, M. (2011). Mitigating the risk of social engineering attacks. Theses.

[39]. Alavi, R., Islam, S., & Mouratidis, H. (2015). Human Factors of Social Engineering Attacks (SEAs) in Hybrid Cloud Environment: Threats and Risks. Communications in Computer and Information Science, 50–56.

[40]. Astakhova, L. V., & Medvedev, I. A. (2021). An Information Tool for Increasing the Resistance of Employees of an Organization to Social Engineering Attacks. Scientific and Technical Information Processing, 48(1), 15–20.

[41]. Atwell, C., Blasi, T., & Hayajneh, T. (2016, April 1). Reverse TCP and Social Engineering Attacks in the Era of Big Data. IEEE Xplore.

[42]. Clarke, N., & Furnell, S. (2015). Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015). In Google Books. Lulu.com.

[43]. Fathollahi-Fard, A. M., Hajiaghaei-Keshteli, M., & Tavakkoli-Moghaddam, R. (2018). The Social Engineering Optimizer (SEO). Engineering Applications of Artificial Intelligence, 72, 267–293.

[44]. Ivaturi, K., & Janczewski, L. (2012). A Typology of Social Engineering Attacks: An Information Science Perspective (p. 145).

[45]. Maraj, A., Rogova, E., & Jakupi, G. (2020). Testing of network security systems through DoS, SQL injection, reverse TCP, and social engineering attacks. International Journal of Grid and Utility Computing, 11(1), 115.

[46]. Mashtalyar, N., Ntaganzwa, U. N., Santos, T., Hakak, S., & Ray, S. (2021). Social Engineering Attacks: Recent Advances and Challenges. HCI for Cybersecurity, Privacy and Trust, 417–431.

[47]. Neupane, A., Satvat, K., Saxena, N., Stavrinos, D., & Bishop, H. J. (2018). Do Social Disorders Facilitate Social Engineering? Proceedings of the 34th Annual Computer Security Applications Conference.

[48]. Raman, K., Baumes, S., Beets, K., & Ness, C. (2015). Social-Engineering and Low-Tech Attacks. Computer Security Handbook, 19.1–19.25.

[49]. Ryan Shi, Z. (2019, January 3). Towards Thwarting Social Engineering Attacks. DeepAI.

[50] [51]. King, D. (2007). The American State and Social Engineering: Policy Instruments in Affirmative Action. Governance, 20(1), 109–126.