Evading In-Person Social Engineering Attacks


Man is a social animal, and as such interaction with others is both necessary and unavoidable. Unfortunately, there are some who seek to exploit these interactions for nefarious purposes. Social engineering is the practice of manipulating others to obtain sensitive information: it uses weaknesses in people, rather than in technology, to reach private or sensitive data held in otherwise secured systems. Typically, it entails manipulating a person's psychological or emotional processes with the aim of extracting confidential information. It is usually carried out online, through phishing, smishing and whaling, or in person, through direct physical contact between a cybercriminal and the unsuspecting victim.

An in-person social engineering attack can also be referred to as a physical social engineering attack. This type of attack entails a physical meeting or contact between the attacker and the victim. The attacker exploits trust and social conventions to manipulate the target; the notable methods of such attacks are listed below.

Methods of In-Person Social Engineering Attack

  • Shoulder surfing
  • Quid pro Quo
  • Pretexting
  • Diversion Theft
  • Tailgating
  • Reverse Social Engineering

SHOULDER SURFING

In this type of physical social engineering attack, the victim is covertly observed while entering passwords and other sensitive data. The most common method is simply peeking over the victim's shoulder; others include the use of devices such as binoculars and spy cameras.

How To Prevent Shoulder Surfing

  • Sit out of view when in public. If you must use your device, sit with your back against a wall and away from crowds.
  • Block the vantage point by using an object to prevent the person next to you from seeing your screen or keypad.
  • Ask for privacy; where possible, request space to be alone with your device.
  • Use devices with keypad covers or privacy screens, and inspect your surroundings for hidden cameras.

QUID PRO QUO

This is known as the “something-for-something” attack. It harnesses the psychological law of reciprocity: the attacker offers the victim a service in exchange for information. Quid pro quo attacks are very harmful because they can lead to disastrous consequences such as ransomware infections, loss of trade secrets and even loss of employment for the employee involved.

How To Prevent Quid Pro Quo

  • Endeavour to participate in security awareness training that focuses on social engineering techniques and other cyber threats.
  • Never give out personal or account information in exchange for a service or favour.
  • Remember that there is no free lunch; train yourself to be wary of freebies.

PRETEXTING

Pretexting is obtaining information under false pretences. The attacker frames a backstory that is believable to the victim, which in turn leads the victim to release confidential information. For pretexting to be effective, extensive research must often be done on the victim and their environment. A good example is someone posing as a government official, carrying a “legitimate” identity card (ID), who offers to register you for a NIN. Unknown to you, the official is a fake: by displaying the fake ID, the imposter hopes to win your trust, and by using the pretence of registration, they aim to obtain your information (NIN).

How To Prevent Pretexting

  • Educate yourself about pretexting by reading literature that covers actual pretexting incidents.
  • Always seek to authenticate identities and the information you are presented with through a second, independent channel; for example, call an organization to verify that an individual truly works for it.
  • Familiarize yourself with organizational policies and procedures and never contravene them. If a request appears to come from a superior, make sure it truly originates from them and that it is documented and approved by Human Resources.

DIVERSION THEFT

This is one of the social engineering methods booming in the present age of online orders and home deliveries. Diversion theft is the process by which a fraudster deceives an individual or company into delivering goods to the wrong address, where they are tampered with. In some cases, tracking devices are implanted, placing the final recipients and original owners at risk of being monitored and putting their lives and property in danger.

Attackers use this method to steal goods or services, or to deliver fake, tampered or infected goods to unwary customers.

How To Prevent Diversion Theft

  • Use couriers with a strong reputation for security.
  • Use couriers that offer package tracking, so that you can see the delivery status and the current route.
  • When your order is about to be delivered, always ask for the courier's ID and contact the courier company to confirm that the person is genuine.

TAILGATING

Tailgating is the practice of closely following an authorized individual into a space with restricted access. For instance, a threat actor might catch the door as it is about to close behind an employee, or strike up a conversation in the parking lot and walk with the employee to the front door; out of courtesy, the employee may hold the door open after unlocking it with their access card.

Tailgating poses a serious threat to data and equipment. Threat actors who tailgate can steal expensive items or leak confidential data, and they can implant malware or install spyware on business systems.

How To Prevent Tailgating

  • Install access controls at entrances and restricted areas.
  • Use turnstiles and biometric scanners to stop people from following or strolling alongside an authorized person into a building or business premises.
  • Require employees to wear clearly visible photo IDs and require visitors to wear badges.
  • Monitor the environment with cameras and other surveillance equipment.
  • Station security personnel at entrances and direct them to observe and report strangers lurking around.
  • Use photosensors, laser sensors and mantraps, which limit entry to a single person at a time and prevent someone from following an authorized person into an area they are not permitted to enter.

REVERSE SOCIAL ENGINEERING

In this method, the attacker causes a problem, then pretends to offer a solution and uses that as leverage to access information or carry out some other unauthorized activity. For instance, an attacker might use a device to flood a wireless access point so that the target has a poor internet connection, then claim to be from Technical Support and to have come to fix the issue. As soon as the target grants the attacker access to their PC, the attacker switches off the device causing the disruption but plants malware on the target's system. The target thanks the attacker for getting the system back online, unaware that there is now malware on the PC.

How To Prevent Reverse Social Engineering Attacks

  • Escalate issues through the appropriate channels and do not accept assistance from outside those channels.
  • Do not accept technical assistance from strangers.
  • Always confirm the identity of support staff by calling their organization.
  • Attend security awareness training that covers reverse social engineering.

In conclusion, most in-person social engineering attacks hinge on the establishment of trust between the victim and the attacker. As such, learn to be more skeptical, and always stop to think before acting on a request.

Contributors

  • Hassanat Kehinde Obanla
  • Abasiama Emmanuel Udo
  • Blessing Ojima Edwin
