Definition: Social engineering (in the context of information security) is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
The current pandemic (COVID-19) has offered a plethora of opportunities for bad actors to put their social engineering skills to use and wreak mayhem.
Sudhakar S Narayan, SSD TECH
As cybersecurity professionals, we have been seeing a sharp growth in the use of social engineering techniques by bad actors to obtain confidential information. Bad actors exploit every possible social emergency to their advantage, and this pandemic is no different. With most of us working remotely, COVID-19 has created a new weakness for businesses: employees have suddenly been exposed to remote productivity tools with minimal cybersecurity training. Bad actors have exploited this and have managed to access highly sensitive business information. We have seen instances where personnel from finance departments were targeted and psychologically manipulated into divulging sensitive information such as bank account details and access credentials. SMEs have been hit hardest, and for these businesses it has been a double whammy during already troubling times.
We have noticed that bad actors have become highly proficient in social engineering and are getting more sophisticated every day. The other day I personally encountered such an attempt, which I set down here as the conversation occurred between the perpetrator and me.
I received a call on my mobile phone from an unknown number based out of Europe. As I have some professional engagements in Europe I expected this to be a call from such a client. But it turned out to be a phishing call and this gentleman was trying to use his social engineering skills on me. The call went like this:
Mr. X: “Hello, is this Mr. S? I am calling from “a well-known” express courier company. We have a package for you and, due to the current COVID issue, we are unable to deliver it to you on time. Apologies for that. In order for us to deliver this package to you, we need you to go to your email and follow a link that we will be sending you. You will have to click on that link and follow the instructions on it to complete the process. Please confirm if your email id is so-and-so@xyz.com?”
I: “Oh, thanks for the call. Yes, my email id is correct as mentioned by you.”
Mr. X: “Ok, great. Do you have access to your email now? I will send the link right away.”
I (wondering why such urgency) asked him: “Can you tell me where this package is from?”
Mr. X: “Oh sir, it is some private package and I am unable to get any information across to you.”
I (by now I had identified this as a social engineering attack and wanted to play along and corner Mr. X): “But can you not tell me who sent the package to me? I am sure you can.”
Mr. X: “Uh, hmm, well, let me check.” (After a brief pause) “It is from the tax authority.”
I (now I could imagine where this conversation was heading, and with an impish grin): “Oh, is it? Which country’s tax authority is it from?”
Mr. X: “Well, the package says private and I cannot tell you where it is from.” (I could sense the frustration in his voice now.) He continued, “Sir, do you have access to your email now?”
I: “Well, I am busy now. Why don’t you send me the email and I will respond to it whenever I am free.”
Mr. X: “No Sir, I need to be online with you and assist you as you respond.”
I: “It’s fine, I am educated enough to fill in forms; you can send me the email with the links and I will respond at leisure.”
Mr. X: “No Sir, I cannot do that. Can you tell me when you can get access to your email and I can call you back?”
I was enjoying this conversation, and I was blocking this bad actor from accomplishing his nefarious deeds, but I was also preoccupied with some other important work, so I decided to curtly cut the call.
I: “Well, I will access my emails only after 2 weeks. Can you call me then?”
Mr. X: “Oh, why? So long?”
I: “Yeah, it’s lockdown and I do not have access to my computer.”
Mr. X: “Oh, ok,” and he cut the call. He must have realized his proverbial cat was out of the bag.
How did I ascertain that this call was a phishing (social engineering) attack? For the following reasons:
- I could sense impatience in Mr. X’s voice and an unwarranted sense of urgency for a courier company call centre agent.
- He was claiming to be calling from the local branch of this well-known courier company, yet I could clearly see a European phone number on my phone’s screen.
- The email address mentioned by Mr. X is with a free email provider that has a history of breaches in which the data of more than 500 million users were stolen. I never use that address for any official communication, especially with the tax authorities.
- Throughout the conversation, Mr. X was pushing very hard to get me onto a spoofed website, where he wanted me to divulge more sensitive information that could have harmed me personally and professionally.
Nowadays this scene is enacted very commonly around the world, and many people fall prey to these dangerous predators.
How to prevent social engineering attacks?
As a cybersecurity professional, what would I advise my clients on handling such voice phishing (vishing) and other social engineering attacks? I would answer in the following points:
- Never trust an unsolicited caller on the strength of the number alone. A number you do not recognize is a warning sign, but caller ID can also be spoofed, so a familiar-looking number proves nothing either. If the matter seems genuine, hang up and call the organization back on a number you look up yourself, not one the caller gives you.
- Don’t get pushed. Urgency is the attacker’s main lever; ask why it cannot wait.
- If you feel suspicious, start asking probing questions: who sent this, which office are you calling from, what is the reference number? This will put off a perpetrator, while a genuine caller will patiently answer.
- Never click a link sent to you during such a call. If a courier, bank or tax authority really needs something from you, you can reach them through the address or app you already know and use.
- Stay in control. You decide for yourself before giving out any sensitive information, and it is perfectly fine to refuse.
- Always remember, “It is better to be safe than sorry.”
To business leaders: roll out regular awareness programmes to your teams, including simulated phishing and vishing exercises, so they can handle such situations effectively. Reach out to professionals to design and run these programmes.
About the author
Sudhakar S Narayan is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified lead auditor in ISO Information Security Management System (ISMS) and ISO Business Continuity Management System (BCMS). He has more than two decades of experience in Information Assurance. He is currently a Principal Consultant and Director at SSD Tech.