The Financial Express

How safe are we from social engineers?

Image credit: Reuters

With Disney’s new series ‘Loki’ trending, women and men have started to voice their wish for a fictional character to be real. Understandably enough, no one pauses to think how vast the influence, if not the charm, of the ‘god of mischief’ already is in this mortal world. Tricksters have multiplied alongside the evolution of technology, both in number and in the sophistication of their tricks. Is that the result of ‘social engineering’?

Some say the earliest record of social engineering is the historic event of Adam and Eve giving in to the greed of gaining power at the Devil’s impersonation of a snake. Others mention stories about a servant of a French aristocrat asking for donations to fund a voyage to retrieve his exiled master’s lost treasure. With a promise to repay their kindness with a percentage of the treasure, he sent letters at random to anyone and everyone. Whatever the social engineering tactics of the past were, present-day attacks include phishing, vishing, whaling, CEO fraud and many similar, more advanced ploys.

One might think that they would never fall for scams because the scams are so foolishly obvious. However, Saad Manzur, currently pursuing a PhD in computer science at the University of California, Irvine, recommends that everyone stay humble about their own intelligence, as one can never be too alert. Even though his field overlaps with the skills at which social engineers excel, he shares how he once almost fell for a scam.

In that case, a shuttle website had asked him to register for a free coupon. Within seconds of entering his phone number in the registration form, he received a call in which he was asked for some general details before being asked for his credit card information. Saad refused to share such sensitive information over such an unreliable channel and hung up.

“Most of the time, scams come as poorly-tailored phishing emails. But on occasions, extremely thought-out emails or phone calls can be frightening. The advanced ones usually target the things you would be insecure about. For example, they would say your tax is not being processed properly, your bank account is being suspended or your social security number is being compromised. It’s easy to fall into paranoia and make a mistake after seeing such notices,” said Mr Saad.

He also shared how scammers often impersonate government officials, sending alarming notices, along with a number to call back, to potentially vulnerable victims. Another social engineering ploy is the stock market scam, in which victims are convinced to invest in non-existent stocks. Another common technique is to show the user a warning that their device is under virus attack, then offer a free device cleanup while, on the other side, harvesting the victim’s personal information.

Hurdco International School’s senior computer science teacher Amio Afroz explains how a spam link once compromised her Facebook account. “Scammers create surveys, online quizzes and apps similar to the websites you often visit. But when you click on them, they take you to their altered web pages. Then they record all the information from the users to use for future social engineering attacks.”

She urges everyone to check the URL of a page before sharing personal information. If the domain does not belong to the website you intended to visit, chances are it is a scam. Another check is whether the page is encrypted: if the URL’s protocol is HTTP instead of HTTPS, one should steer clear of sharing any information through that page.
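As an added illustration of those two checks (not part of the article), the following Python helper takes a link and the domain the reader meant to visit and lists the reasons the page should not receive personal data. It also flags a few common ways a lookalike address disguises itself; the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed examples of links a reader might be sent (not from the article).
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com/login",
    "https://facebook.com.survey-prizes.example/quiz",
    "https://facebook.com@survey-prizes.example/quiz",
    "https://xn--fcebook-8va.com/login",
]


def check_url(url: str, expected_domain: str) -> list[str]:
    """Return the reasons a link should not receive personal data.

    An empty list means the link uses HTTPS and its host is the expected
    domain (or a subdomain of it). This is a hypothetical helper written
    for this article, not a complete phishing detector.
    """
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    # The article's second check: only share data over an encrypted page.
    if parts.scheme != "https":
        problems.append(f"not encrypted: scheme is {parts.scheme or 'missing'}")

    # The article's first check: the domain must be the one you intended.
    # urlsplit().hostname already discards any 'user@' prefix, so
    # 'https://facebook.com@evil.example' resolves to host 'evil.example'.
    if not (host == expected or host.endswith("." + expected)):
        problems.append(f"host '{host}' is not {expected}")
        # The real name appearing elsewhere in the host is a classic
        # lookalike (e.g. 'facebook.com.evil.example').
        if expected in host:
            problems.append("expected domain appears inside another domain")

    # Punycode labels (xn--) can hide look-alike characters in the name.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains punycode (possible look-alike characters)")
    return problems


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = check_url(link, "facebook.com")
        print(link, "->", "OK" if not verdict else "; ".join(verdict))
```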

She mentions how two-step verification methods protect her social accounts now. She also recommends locking profiles on Facebook to keep one’s photos from being used by scammers.

“Authorities of big corporations often hire white hackers to check their security faults. So, when they update with new security features, it’s better to opt for them for an extra layer of security as a consumer.”

Apart from using strong passwords, she recommends keeping the GPS off when not necessary, and not clicking on any unknown link even if it is from known people. “If my Facebook was hacked, the hacker would send links to my friends from my account. So, even my friends shouldn’t trust every link I send them,” warns Ms Afroz.

Mr Saad also mentions some ways to guard against social engineering attacks. Apart from checking the URL every time one has to enter information, he reminds everyone not to fall for obvious alert messages. “Sometimes these messages keep popping up no matter how many times you close them. If that happens, simply restart the browser.” He also advises keeping the authentic phone numbers of government or bank officials on hand, and not sharing any information except through them.

He relates another story, about an acquaintance whose savings were stolen from the bank he used. Being a developer himself, the victim attempted to access his personal information in the bank’s database after the bank refused to take any responsibility for his loss. To his surprise, he not only got into the bank’s database without breaking a sweat but also found his password stored in plain text, without any encryption.

Saad therefore offers some plain advice for developers: “Encrypt database passwords, implement multi-factor authentication, control SSH access to your server, use private keys to connect, do not use default passwords, avoid dictionary words, and do not use generic default username.” He also advises consumers to opt for multi-factor authentication even if it feels like a hassle.
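To show what the bank in the story got wrong, here is an added Python example (not the article’s or Mr Saad’s code) that contrasts a plain-text user table with one storing salted PBKDF2 hashes. It deliberately uses one-way salted hashing rather than the encryption the quote mentions, because a stored password should never be recoverable, even by the bank; the user table, password and iteration count are constructed values.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table" standing in for the bank's database.
# The article describes passwords stored as plain text; that 'before'
# shape is kept here only to contrast it with the hashed form.
PLAINTEXT_TABLE = {"alice": "correct horse battery staple"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def store_password(table: dict, username: str, password: str) -> None:
    """Store a salted PBKDF2 hash instead of the password itself."""
    salt = os.urandom(16)  # unique per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify_password(table: dict, username: str, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    record = table.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaks_passwords(table: dict) -> bool:
    """True if any stored credential is still readable as the password itself."""
    return any(isinstance(value, str) for value in table.values())


def migrate(table: dict) -> dict:
    """Re-store every plain-text entry as a salted hash; the original text is discarded."""
    hashed = {}
    for user, password in table.items():
        store_password(hashed, user, password)
    return hashed


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_TABLE)
    print("plain table leaks passwords:", leaks_passwords(PLAINTEXT_TABLE))
    print("hashed table leaks passwords:", leaks_passwords(hashed))
    print("login ok:", verify_password(hashed, "alice", "correct horse battery staple"))
    print("wrong password:", verify_password(hashed, "alice", "hunter2"))
```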

No one wants to be tricked by anyone, unless it is the mischievous god himself, especially when one’s time and hard-earned wealth are on the line. Most of us are already aware of the basic phishing texts saying our bKash account has been suspended for suspicious transactions, but we should not forget that even Heimdall (a fictional character), the All-seer, sometimes fails to see through Loki’s trickery.

Perhaps in this era of technology, it is time to stop joking about people who lock their profiles on Facebook. As technology keeps advancing, we, as consumers of its features, should keep ourselves up to date on the security side as well. Maybe the next time you receive an email saying a Nigerian prince wants to give you a gold bar, try asking whether they could send fifty of them.

Mehenaz Sultana is a student of English at Shahjalal University of Science and Technology.
