All content following this page was uploaded by Faisal Ahmed Ghauri on 26 September 2021.
There are many threats to information security. These threats can be physical, such as theft or sabotage of hardware, or more catastrophic, such as floods and fires. Information security is also threatened by hackers who want to destroy or gain access to information that should be inaccessible to them. These threats are often talked about and known by IT professionals and ordinary IT users alike. Hardware and software are secured with authentication to deny unauthorized access to the system. But what is often overlooked, and perhaps a more significant threat, is the potential threat posed by employees. [1] Most damage to information security is caused by employees, knowingly or unknowingly, either directly by the employee or with the employee used as a tool within the organization.

Social engineering is a term used to describe the form of manipulation increasingly used to gain unauthorized access to information by manipulating employees or individuals into giving out passwords and other sensitive data, which the social engineer then uses to gain access. A typical example is pretending to be IT support: "To secure the system we need your password." [2]

In summary, this work will present the following:

The approach of an attack
The attack's occurrence and potential harm
Profiling the engineer
Who are the targets of a social engineer?
Methods to prevent social engineering

Social engineering is a method of stealing important information from individuals by taking advantage of psychological gaps or errors in human behavior. Originally a computer security term, social hacking is the act of gaining access to identities and passwords without malware. [4]

Social engineering techniques are becoming more sophisticated and aim to exploit gaps in user behavior, both digital and physical. The attacker picks up information without the user's knowledge and uses it to build up the information needed for an attack. In the digital space, where smartphones have become an integral part of our daily lives, users tend to be less security conscious. The misuse of technology created by technological innovation often leads to damage.

Attackers use any means to obtain the information they need to achieve their goals. [5] This can range from fraudulent use of accounts to commit financial fraud, to impersonating a member of an organization to disrupt the organizational structure, to using the information they have obtained to make threats. The threat of social engineering has been increasing steadily over the years.

Figure 1: Social Engineering Attacks Categories

The reality is that social engineering techniques are very diverse and are used in a variety of combinations. They are applied in a very clever and resourceful way to increase their accuracy. [6] This section will broadly categorize the various methods of social engineering that have been identified so far and explain the unique techniques for each category.

Various Methods of Social Engineering

Internal Intrusion
It is too early to conclude that access is safe because it is restricted by ID cards or fingerprint recognition. For example, criminals could use a found or forged ID card, tailgate behind an employee, or impersonate a cleaner or collector. Criminals who enter this way will steal the information they need to achieve their goals and take money or other assets. [7]

Spoofing
Fictitious billing and bank transfer scams, where a person pretends to be someone else to obtain information or money, are typical examples of social engineering. For example, a person might pretend to be a business partner or a boss and ask for login details over the phone, or pretend to be a system administrator or contract provider. [8] They may even claim to be the police and ask for personal information.

Baiting
As the name indicates, the attacker exploits the target's natural curiosity by using free or exclusive offers to manipulate the individual. Malware is usually delivered to the target user by the attacker. The distribution of infected equipment, such as leaving USB drives in public places, including libraries or parking areas, is one of the baiting methods. Another way is to send e-mails advertising free content. [9]

Figure 2: Types of Manipulation

Scareware
Scareware is a type of malware that an attacker uses to scare users with alarming messages or pop-ups saying that the user has a virus or that their account is compromised. This pushes the user to buy, or download free of charge, supposed security software that in fact compromises the user's personal information. [10]

Peeping Toms (Shoulder Hacking)
There is also a long-standing practice of a third party, posing as a member of the company, looking at your computer screen while you work on your laptop in a public place such as a café, either from behind your shoulder or when you leave your seat. [11]

Trashing
Trashing is a technique of stealing information from rubbish bins. Typical instances include obtaining client data from printed materials, private papers, outdated business cards, and notes with IDs and passwords tossed in the rubbish bin. Another option is to retrieve discarded storage media (for example, hard drives or DVDs) from garbage containers and extract the stored information. [12]

Impersonation
Impersonation is the practice of posing as another person to extract or change information. Examples of identity theft include:

1. Impersonating the System Administrator and Deceiving the User
In this case, the user does not suspect the system administrator, because the system administrator can manage the user's password and is trusted as an expert on the system. [13] A similar situation can be seen in the relationship between user support and the users of Internet service providers.

2. Impersonating a User to Fool the System Administrator
System administrators, however, have a relatively high level of security awareness and are not easy to deceive. [14] Some examples are as follows:

Impersonating a Novice User
For an expert administrator, there is no more tedious job than teaching a novice user. The trick is to take advantage of this: the attacker pretends to be a novice user and says, "I'm having trouble logging in," or something to that effect, so that the administrator simply issues a temporary password to get it over with.

Impersonating a Supervisor from Another Department
Even if it is another department, it is hard to disobey someone higher than you. This psychology can be exploited by pretending to be the boss of another department and shouting at the administrator in an intimidating manner. [15] For example: "Your login is not working," "I'm having trouble logging in." In such a situation, only a strict system administrator would insist on following the rules and refuse to give out the password verbally.

Impersonating a Female Employee
In general, not only are women less likely to be suspected than men, but if the manager is a man, he is likely to be more helpful than if a man makes the request. Some attackers take advantage of this and pretend to be female employees. However, not everyone can imitate a female voice on the phone, so the attacker may resort to a voice changer or make contact through other channels such as e-mail or chat.

Targeting the System Administrator's Subordinates at Lunchtime
System administrators themselves are a relatively tough nut to crack. However, it is a very different story for their subordinates, who usually cover for them. This is because such a person is much more likely to make a mistake or to do something that should not be done. In some cases, they may even be happy to help with a task that they are generally not entrusted with.

Deliberately Contacting a Different Department
If you call the main telephone number or the department to which the target person belongs and ask about them, they will naturally try to transfer the call. However, what if you call a neighboring department? In many cases, the person who tries to transfer the call to the person in question is relatively pleasant. In other cases, that person is unwilling to take responsibility for the call or to point out that the phone number is wrong, or it is physically impossible to transfer the call, and the caller may be tempted to hang up rather than complete the transfer. This psychology can be exploited by deliberately calling other departments to extract information about the target person.

3. Trojan Horse
A program that is somehow placed on the user's computer guides the user into entering authentication information, which the attacker then collects.