By Milica D. Djekic

During the time, the people would always try to get what some individuals being the part of some group would assume as so confidential to them. Such a group of persons could be some organization, enterprise or any business coping with so vitally important data. From today’s perspective, we would not talk about social engineering as a common activity to obtain some valuable information from the public and private sector, but rather mention how it works if you want to make a touch and take advantage of the details belonging to some threat’s asset. Nowadays the people would get fed up from so annoying phone calls, correspondences and in-person approaches that would give you the chance to skillfully gather some intelligence and assure access to some institution mainly in a cyber fashion. Let’s try to change our perspective and imagine that we are not the victims of the carefully planned social engineering attacks, but rather someone who would go for hunting for so significant information.

Maybe these sorts of tactics would get so well-known in the state-sponsored attacks, but let’s try to imagine how it would function if we would apply a similar approach to so threatening transnational crime and terrorist groups. The good question here would how those bad guys would react on so innocent phone calls or so naive e-mail communications. Knowing the psychology of the criminals – we could guess that those folks could get somehow embarrassed with such an approach, but let’s say if we talk about the cybercrime gangs – they would probably take such a challenge. In addition, it’s quite interesting to suggest that the huge advantage of the modern security sector is a technology that would give us an opportunity to smoothly investigate what it is happening somewhere. In other words, let’s make our story a bit reverse and let’s attempt to take the hunter’s role and chase our threat in so proactive way.

What is social engineering?

The first word we would get in mind when we say social engineering is the skill to obtain some sensitive information relying on communications, empathy and interpersonal abilities. The good trick with such a skill is that the victim would not get at that moment that he was under the attack and so many social engineers would use the vulnerabilities of the ordinary people who would always try to deal in so nice, supportive and friendly manner in order to help someone getting satisfied with their service and positive attitude. In so many cases, the people being that helpful could feel the personal joy for assisting someone to get his problem is resolved. So, if you resolve someone’s concern you would undoubtedly demonstrate your skill and effectiveness and you would possibly get pleased how greatly you are professional and deep inside you would believe that the other people would see you like the quite bright person. From our point of view, such ego bait could be the ultimate engine to many people to get so helpful and supportive for a reason they would leave a good impression on their surroundings.

So, your personal weaknesses would make you talk in front of predatory dangerous attackers and the good point here is if we could notice those vulnerabilities with the bad guys who would also be so sensitive to their egocentric needs. Indeed, social engineering could be a quite useful deception technique and tactic, so if we confirm that the malicious actors could also get targeted with such a strategy – we could talk about the quite new game between the cat and the mouse. Well, the good hackers are commonly the brilliant social engineers and once they make someone shares something getting so confidential – they would try to gain access to his IT system or the entire organization. The experience would indicate that so many bad guys’ groups would deal as an enterprise and so frequently they would get registered as some firm or company that would cope with the websites, social media channels and the other ways of the communications. On the other hand, it would appear that the era of the smart guys sitting in some dark room and literally spending all their time in front of the screen got behind us and the cybercriminals of today could get active anywhere and anytime. Apparently, the cybercrime syndicates could believe they could get less visible to the authorities if they register as some business that would not surprisingly pay the tax to the state.

The techniques and approaches of attack

In the practice, there could be a wide spectrum of attacks to the public and private infrastructure as well as the opponent countries that should get seriously affected by those operations. As it’s pretty well-known, the majority of e-mail addresses could get tracked online and once we confirm some e-mail location exists – we could try to prepare so skillful campaign in order to take advantage of our target. So obvious weakness in anyone’s e-mail correspondence got his signature that could include both landline and cell phone numbers making such a detail getting traced using the emerging technological solutions. The people of today would get the habit to live in so free and open environment that would encourage them to share all they have with the rest of the community.

The adequate question here could be who we could trust. The point is if you send your e-mail to someone you do not know well enough – you should get aware that the details as your postal address, phone numbers, position in the hierarchy and social media accounts could get so annoying to you sooner or later. In other words, all this information could get used to cause the disadvantage and even the harm to you or anyone being so close to you. Everything could start as the lovely phone call that would request kindly from you to give your e-mail address in order to receive some so nice promotional material and once you take such a hook – you would certainly get in trouble. Even worse – the real nightmare would appear once you begin responding to such correspondence and leaving so many details about yourself and your organization, so far.

How to protect yourself from those offenses?

Once you receive the phone call from someone you are not confident in – you should think twice before you make a decision to show the brilliance of your mind. The call center operator could get so nice, friendly and approachable even if he conducts some security quizzing before he makes the decision to provide certain information on. For instance, you can always say that you must follow some security procedure and so kindly ask the caller for his contact details which could serve for sending some kind of response on his account. It can take several minutes to confirm all the claims you got from your friendly caller and once you get confident that person is not a threat to anyone – you could reply to his request. Otherwise, just ignore such a call and try to prepare the skillful report to someone being the authority in such a case.

Your opponents are getting more and more innovative

The fact is the social engineering is the area that would cope with a lot of innovations and even you are confident you know everything about such a field – think twice. In case you need to collect some information on the criminal group being under the investigation using such a skill – you should know that the only stuff you need in that sense is the skill by itself. If there is a certain need for the social engineers in the investigative process – you should count on the staff who are well-trained and who got some real experience through the intelligent exercises. It does not matter how many attempts you would make – you should always know that your technique could get always improved. A series of the improvements would support you in getting more innovative and only with such a weapon in your hands – you would get capable to go a step ahead of your opponent. Do not believe that your enemies would just sit and wait for things to happen. Far from that, they would create the options to themselves and so intelligently follow the tendencies in the field.

Some future perspectives

The point is the social engineering is the area that should get deeply researched and once we better understand the psychological mechanisms of the people being vulnerable to those kinds of attacks – we could further proceed with our investigation. Maybe some of the ongoing suggestions in such a field could seem so brilliant, but tomorrow they would appear as a matter of the past. The fact is you should always keep moving on if you want to stay on the surface and even if you are recognized as someone knowing a lot in such a branch – you should say to yourself that there are the heaps of people in this world who would also get so helpful ideas, so stay open to listen to so, maybe learn a bit and finally apply everything being so useful to your practical tasks.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book “The Internet of Things: Concept, Applications, and Security” being published in 2017 with the Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert’s channel and Cyber Security Summit Europe being held in 2016 as well as CyberCentral Summit 2019 being one of the most exclusive cyber defense events in Europe. She is the member of ASIS International since 2017 and contributor to the Australian Cyber Security Magazine since 2018. Milica’s research efforts are recognized with the Computer Emergency Response Team for the European Union (CERT-EU). Her fields of interest are cyber defense, technology, and business. Milica is a person with a disability.