Can you believe that criminals were able to steal $5 billion worldwide from 2013 to 2016 using fear, curiosity, and psychological manipulation? If you don’t, you had better, because it is true. These criminals aren’t your run-of-the-mill pickpockets but cybercriminals adept at social engineering (more on this later). Social engineering has proven an effective means through which cybercriminals gain credentials and access troves of data. Consequently, this article focuses on social engineering attacks and how you can protect your personal data from the various types of these attacks. But before we jump right into social engineering, it is necessary to understand what personal data is and why it is appealing to cybercriminals.
What is Personal Data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Examples of personal data
- a name and surname;
- a home address;
- an email address such as name.surname@company.com;
- a phone number;
- an identification card number;
- location data (for example, the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- a bank account number;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Why is Personal data important?
Okay, so now you understand what personal data is, but why is this stuff important? What’s the big deal if it were to fall into the hands of a cybercriminal?
The different ways cybercriminals can use personal data
Cybercriminals go after personal data because they have found many uses for it. Below are a few of the ways cybercriminals use stolen personal information:
- Identity fraud: applying for loans and filing fraudulent tax returns
- Creating counterfeit cards, paying bills, and transferring money
- Using the information for blackmail or hacktivism
- Launching spam and phishing attacks
How much is your Personal Information Worth?
Credentials and personal data like passwords, usernames, Social Security numbers, and more are worth huge sums (in dollars) in illegal markets on the dark and deep web.
Typically, when accounts are hacked, criminals will attempt to sell this information on the Dark Web, a place that only those on the anonymity network Tor can access. Most information that’s stolen consists of personally identifiable information and financial data, but hackers will often be content with making off with anything they possibly can. The industries most commonly targeted by these hackers are healthcare, government, retail, and education, but it should be mentioned that all businesses are susceptible to data theft of any kind.
Below are some figures provided by privacyaffairs.com on how much personal information can be sold for on the Dark Web.
What is Social Engineering?
Now that you understand personal data and why cybercriminals want it, we can turn our attention to social engineering. It is sometimes called human hacking: cyber-attackers use psychological manipulation, taking advantage of human vulnerabilities, to trick users into breaking standard security practices, giving away sensitive information, and granting access to systems, finances, and/or data.
This can be done in person, over the phone, via email, or by a range of other techniques.
Social engineering attacks such as phishing and pretexting are some of the most common cyber-attacks used on organizations and individuals alike.
Social engineering is not a new phenomenon. One of the more infamous hackers, Kevin Mitnick, did an interview back in 2002 where he stated that he found it was “easier to manipulate people rather than technology” and that most organizations overlook the human element.
SOCIAL ENGINEERING ATTACKS USED TO OBTAIN PERSONAL INFORMATION
Now we will cover several popular social engineering attacks. Read through carefully to gain an understanding of what they are and how they can be used to obtain personal information.
1. Phishing
Phishing is the most common type of social engineering attack that occurs today. But what is it exactly? At a high level, most phishing scams endeavor to accomplish three things:
- Obtain personal information such as names, addresses, and Social Security Numbers.
- Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages.
- Incorporate threats, fear, and a sense of urgency in an attempt to manipulate the user into responding quickly.
No two phishing emails are the same. There are actually at least six different sub-categories of phishing attacks. Additionally, we all know some are poorly crafted to the extent that their messages suffer from spelling and grammar errors. Even so, these emails usually have the same goal of using fake websites or forms to steal user login credentials and other personal data.
How to protect yourself
- Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared by one.
- Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company, and when you click the link, the website may look exactly like the real one. The email may ask you to fill in your information, yet it may not address you by name. Most phishing emails start with “Dear Customer”, so you should be alert when you come across such emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
- Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it.
- Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “HTTPS” and that there is a closed lock icon near the address bar. Check the site’s security certificate as well. Bear in mind that HTTPS only shows the connection is encrypted, not that the site is the one it claims to be, so check the domain name in the address bar too. If you get a message stating that a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show links that lead users to a phishing webpage offering low-cost products.
- Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check-in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
- Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
- Use Firewalls – High-quality firewalls act as buffers between you, your computer, and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first is software, and the second is typically a hardware device. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
2. Spear Phishing
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
This is how it works: An email arrives, apparently from a trustworthy source, but instead, it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get victims’ attention. For example, the FBI has warned of spear phishing scams where the emails appeared to be from the National Center for Missing and Exploited Children.
Many times, government-sponsored hackers and hacktivists are behind these attacks.
Cybercriminals do the same with the intention to resell confidential data to governments and private companies. These cybercriminals employ individually designed approaches and social engineering techniques to effectively personalize messages and websites. As a result, even high-ranking targets within organizations, like top executives, can find themselves opening emails they thought were safe. That slip-up enables cybercriminals to steal the data they need in order to attack their networks.
How to protect yourself
To fight spear phishing scams, you need to be aware of the threats, such as the possibility of bogus emails landing in your inbox. Besides education, technology that focuses on email security is necessary.
3. Vishing
Vishing, also called voice phishing, is impersonation over the phone to gather personal and financial information from a target. For instance, a scammer contacts you by phone call or text message pretending to be from your bank. They may claim there has been suspicious activity on your card and that they want to confirm the transactions with you, or that a technical error wiped out customers’ data and they need to confirm your details in order to reactivate your card.
How to protect yourself
- Beware of unsolicited calls. If the caller is not someone you know and the call is not a response to an inquiry you initiated, be suspicious.
- Always remember that a bank will not ask you for sensitive information such as the numbers on the front and back of your card or your PIN.
- If you receive a call concerning your card, hang up. If it is a text message, do not respond. Instead, check the back of your card for a customer service phone number, and call that number to confirm whether the previous communication was from them or whether there is an issue with your card.
- Use a caller identification application such as TrueCaller. Such applications can identify numbers used by scammers. Also, note that some of these applications are notorious for privacy issues, so if you must use them, open a new email address and use it to register for their service. Then use their web interface to research numbers instead of installing the application on your phone.
4. Baiting
Baiting is like a real-world ‘Trojan Horse’ that uses physical media and relies on the curiosity or greed of the victim. It is in many ways similar to phishing. However, what distinguishes it from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site. The name comes from the bait used to lure animals, like dealing with a rat in your home by setting up a bait trap to lure the rat to its demise.
The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait, typically malware-infected flash drives, in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.
How to protect yourself
The best form of protection against baiting is to pay attention and think critically. Ask yourself questions such as: why is this thing free? If someone found a USB stick belonging to me, would I want them to look at its contents? Always be wary of anything offered or obtained for free.
5. Scareware
This attempts to trick you into thinking there is a problem with your device. It usually occurs when you are surfing the net and get redirected to a shady website. You start seeing pop-ups saying there is a virus on your device or several problems have been found with your device. The warning comes with an option to download software to fix the issues or call a customer support number. The goal is to get you to purchase useless software or install a malicious program that would steal sensitive information from your device.
How to protect yourself
- Resist the urge to click. If you receive a warning about a new virus and you’re invited to download free software, know that it is almost certainly a scam.
- Trust only known and tested antivirus products.
- Use software products that can block pop-ups, either as browser plugins or in your antivirus.
In conclusion, practicing good cyber-hygiene can help to reduce your exposure to social engineering. For example, if you encrypt all your data and use another account that doesn’t have administrator privileges, your data may remain safe even in the event that a criminal social engineer finds his way into your account. Likewise, not responding to suspicious emails or providing information to potential scammers who solicit it can help prevent all sorts of social engineering attacks.
Contributors:
Wale Osoba, Oghenetega Okukulabe, Subomi Lawson and George Kaduru
One Response
What a wonderful write-up, keep it up guys