What is Social Engineering

Social engineering is about manipulating people and gaining their trust in order to obtain sensitive information from them or to get them to download malicious software onto their devices. Social engineering is the most prevalent threat criminals use; almost every online fraud and cyber attack contains some kind of social engineering.

In this type of threat, the attackers exploit human error, mistakes and a lack of security awareness to achieve their objectives. So, it's crucial to stay up to date on the common social engineering attacks you might encounter so you can protect yourself.

How Does Social Engineering Work?

Criminals use various techniques and methods to conduct social engineering depending on the type of fraud, the way of communicating with the victim and the information they have about the victim, such as the phone number and e-mail address.

Social engineering attacks may rely on simple techniques, such as eavesdropping on verbal communication, or use more complex approaches, like phishing e-mails and caller ID spoofing. In all cases, the attacker tries to persuade the victim to compromise themselves, since most social engineering attacks rely on direct communication between attacker and victim.

Criminals may use social engineering to steal sensitive information from victims or to install malicious software on the victim's devices. In the latter case, criminals may masquerade as legitimate IT support personnel or a call centre agent and convince the victim to open an attachment enclosed in a fraudulent e-mail, eventually gaining access to the victim's device.

Whether a social engineering attack succeeds in convincing you to take a specific action depends on several factors, such as the criminal's capabilities, social skills and the amount of effort they invest. On the other hand, basic security hygiene helps you detect social engineering attacks and significantly reduces their success rate.

Types of Social Engineering Attacks

Here we explain the common methods used by social engineering attackers:

E-mail phishing

E-mail phishing is the most traditional means of phishing. The criminal sends a fake e-mail to the victim, claiming to be from a legitimate source such as your bank or a service provider. Usually, the phishing e-mails urge you to open an attachment containing a virus, click on a hyperlink directing you to a fake website that collects sensitive data, or reply with your password, OTP or card information.

SMS phishing

The attacker sends fraudulent SMS messages or mobile app messages that include fraudulent web links or a prompt to send back your sensitive details.

Phone phishing

This method relies on communicating directly with you via phone or voice messages. The attacker may assume the identity of a call centre agent or somebody from the bank; such details are freely available on the internet. In other cases, the attacker may use an automated call system to record all your inputs. In all cases, the attacker aims to get your sensitive data, such as passwords, TOTP and card data. In other scams, the criminal may communicate with you over mobile messaging applications such as WhatsApp.

To increase trust, fraudsters use caller ID spoofing tools to display the call centre's legitimate phone number on your phone when calling you.

Baiting

Baiting is a social engineering attack designed to lure the victim into connecting a malware-infected USB flash drive or CD/DVD to the victim's laptop. Once connected, the malicious software infects the laptop, enabling the attacker to control it remotely.

Elicitation

The fraudster may involve you in a conversation to extract sensitive information from you directly face-to-face, over a phone call or through social media.

How To Protect Yourself from Social Engineering

We provide you with the following tips to protect yourself from social engineering attacks:

The golden rule

Do not share sensitive information with anyone even if that person pretends to be one of INVESTBANK’s employees. Sensitive information includes, for example, your account’s password, credit card details, TOTP, and PIN. Remember! INVESTBANK will never ask for your sensitive information.

Does it make sense?

Use common sense to evaluate requests coming to you. If a request does not seem right to you, do not respond to it and report the case to the Contact Center. For example, if you are not used to receiving e-mail communication from INVESTBANK or phone calls requesting the TOTP, receiving one is unusual and should alert you to suspicious activity.

Usually, scammers use a sense of urgency to convince you to take immediate action; beware of such techniques and take your time verifying what is being requested.

Verify the source

Always verify the identity of the e-mail sender or phone caller. For example, look at the sender's e-mail address and ensure it comes from a legitimate source.

Challenge a caller who is requesting information from you over the phone and ask for their identity and where they work; fraudsters will not be able to provide accurate responses. Validate the identity of people communicating with you over social media and messaging applications such as WhatsApp.

Avoid untrusted memory devices

Avoid using storage devices you do not trust, such as USB flash drives, CDs/DVDs and SD cards. If you receive such devices, verify the source and ask about their contents before you plug them in.

Validate the URLs you are visiting

Keep an eye on the URLs you are visiting. Type the web address (URL) into your browser rather than clicking on hyperlinks. Avoid visiting websites that show signs of security alerts.

Beware of phishing emails

In the e-mails you receive, be on the lookout for spelling mistakes, incorrect grammar, poor design or fake hyperlinks. Hover your cursor over any link in the body of the e-mail; if the address shown when hovering does not match the link text, the link may be spoofed.
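The same two checks, automated: extract the sender's address domain (the "Verify the source" tip above) and flag links whose visible text is a web address pointing at a different host than the real link target (the hover check just described). This is an added example, not code from INVESTBANK; the message and all domains in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style message; every address and domain is made up.
SAMPLE_EMAIL = """From: "INVESTBANK Support" <alerts@invest-bank-security.example>
Subject: Action required
Content-Type: text/html

<p>Your account is locked. Confirm within 24 hours:</p>
<a href="http://login.invest-bank-security.example/otp">https://www.investbank.example/login</a>
<a href="https://www.investbank.example/help">Help centre</a>
"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL, tolerating bare 'www.example' text without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def find_spoofed_links(html):
    """Hrefs whose visible text looks like a URL but names a different host."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [href for href, text in parser.anchors
            if re.match(r"^(https?://|www\.)", text) and _host(text) != _host(href)]

def check_message(raw):
    """Sender domain to compare against the expected one, plus spoofed links."""
    msg = message_from_string(raw)
    _display_name, address = parseaddr(msg["From"])
    return {"sender_domain": address.rpartition("@")[2].lower(),
            "spoofed_links": find_spoofed_links(msg.get_payload())}
```

A sender domain that is not the bank's real domain, or any entry in spoofed_links, is the signal this tip tells you to look for.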

Keep things to a minimum

Fraudsters use social platforms to collect information about you and use it in social engineering. Don't give out personal information such as your phone number and e-mail address on social networks and online forums.

Protect your devices

Use anti-virus software to protect your devices.

For any inquiries or to report suspicious fraudulent attempts please call our Contact Center.