With the rise of Web 2.0 and online networks such as Wikipedia, Flickr, MySpace and YouTube, social engineering on the web is becoming a tempting outlet for hackers. In fact, experts predict a dramatic rise in attacks in 2007.
For the time being, the only effective way to protect yourself from social engineering-related fraud is through knowledge of basic social engineering techniques that can be used against you or your company.
Social engineering techniques
Social engineering takes advantage of the human factor in technological systems, as the involvement of humans represents a weakness and a potential security risk. The most widely spread techniques are:
Pretexting
Pretexting is the creation of a pretext or scenario in which the attacker impersonates a legitimate source in order to persuade a person to give specific details. This technique is usually carried out over the telephone and targets junior staff, as this group is seen as more likely to give away corporate data.
Phishing
Phishing is commonly associated with e-mails that look similar or identical to those of legitimate businesses that people are likely to trust, such as banks or credit card companies. The e-mail often warns the receiver that a verification or password change is needed. By clicking on a link provided in this kind of e-mail, the user is redirected to a fraudulent website where they will be lured into giving away their username and password - information that will subsequently be used by the hacker.
Trojan Horse
The Trojan Horse requires the user to execute a malicious application - such as a virus or spyware - without their knowledge. The Trojan Horse normally comes in the form of an e-mail from a familiar source, inviting the user to download recreational products like free screensavers or cheeky videos.
Attacks on Web 2.0 sites
Social engineering attacks on some Web 2.0 websites have already hit the press. In December 2006, people became aware of a phishing scam on MySpace.com. The affected users were contacted via AOL Instant Messenger and provided with a link similar in appearance to MySpace.com, through which they could enter their login details. This data was then stored for fraudulent purposes on a server located in California. There are allegedly still more than 3,000 fake MySpace.com login websites out there.
You may still think that social engineering is not an important issue and that it will not affect you - but think twice. The FBI estimates that businesses lose over $67 billion a year through cybercrime. Consumer Reports estimates that individual users lost $8 billion in the past two years when affected by viruses, spyware and other Internet scams.
If you don't want to be a victim of social engineering scams, simply follow some basic rules. Make sure that you don't give out any personal or corporate information via telephone or e-mail unless you're absolutely sure with whom you're corresponding. Furthermore, don't release any banking details via e-mail, and don't follow links to banking websites from an e-mail - always re-type the URL yourself. Lastly, always report any attempted attacks you receive. Following these rules will do much to protect you from future social engineering attacks.
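The rule about not following links can also be checked by a mail or chat filter. The sketch below is an added example, not part of the original article: it flags links whose host imitates a trusted site, as in the MySpace.com case described above. The trusted list, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED = {"myspace.com"}  # assumption: sites the reader really has accounts on

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for the host named in url."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL
        return "unrelated"
    if not host:
        return "unrelated"
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    # Simplification: the label before the TLD stands in for the registered name.
    name = labels[-2] if len(labels) > 1 else labels[0]
    for d in trusted:
        brand = d.split(".")[0]
        # Brand used inside someone else's host name, or a near-miss spelling.
        if brand in host or edit_distance(name, brand) <= 2:
            return "lookalike"
    return "unrelated"

def suspicious_links(message, trusted=TRUSTED):
    """List the links in a message body that imitate a trusted domain."""
    urls = re.findall(r"https?://[^\s<>\"']+", message)
    return [u for u in urls if classify_link(u, trusted) == "lookalike"]

# Constructed sample message; every URL below is made up for illustration.
SAMPLE = """Your account needs verification.
Log in here: http://myspace.com.login.example/verify
Mirror: http://mypsace.example/index
Official site: http://www.myspace.com/
Unrelated: http://news.example.org/story
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("look-alike link:", link)
```

A distance threshold of 2 suits a brand name of this length; very short names would need a stricter threshold to avoid false alarms.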
















