Lessons I Learnt From a Social Engineering Attack
Social engineering is a scheme that uses human psychology to deceive a victim into giving up information. Victims are easily caught out once the perpetrators obtain that information. Popularised by famous hacker Kevin Mitnick in the 90s, the act itself has been around ever since con artists existed. Over time, it has adapted to whatever platform the victims are using, and through that platform the perpetrators skilfully plan their game towards successful deceit.
So how is my information being obtained?
Since we are digitally connected now, it is easy to target people through social media platforms; some perpetrators use email and others use online chat rooms. However, some people are victimised via a traditional means: the phone call.
Let me tell you a story.
A little background about the target: she loves online shopping and saves her details online. One day this woman received a phone call from an impersonator who claimed that he was working for a bank. He bombarded her with her own personal information, which he had gathered online, and convinced her with compelling offers. Enticed, the woman agreed, allowing the impersonator to acquire all the information on hand through online selling. The lady was pretty convinced that the caller was a member of the bank's staff. So, while on the call, the perpetrator was already using her card details, and he was further able to get a One-Time PIN (OTP) by convincing her that the OTP was the confirmation number for the programme she thought she was enrolling in. This allowed the man to complete three transactions successfully. As for the credit card owner, when she checked her balance online, she was shocked, and at the same time perplexed, dismayed and enraged by the circumstances.
So, what can we learn from here?
1. Be vigilant at all times
Bank employees will never ask for a One-Time PIN, especially over the phone. With this kind of offer or transaction, they usually ask you either to go to the bank or to use a self-service channel. Also, if you're uncomfortable with somebody asking for personal details, don't give them. Listen to that small voice inside your head or be sorry in the long run.
2. Avoid displaying personal information on social media
To get your details, one could either hack your social media account or use the free information provided by search engines. Note that social media is a gateway for identity theft.
Let's say you've got a Facebook or LinkedIn account, you didn't change your privacy settings, and all your information is set to Public. You create a post stating that you are travelling with your companions and your pet. Every name mentioned in that post will also be Public, and anyone can use those names to guess a possible password for your account. Studies show that most passwords are related to children's names, birthdates, and pets. Try not to make your account vulnerable.
Social engineering and identity theft usually go together. Don't get lured into offers that sound nice without knowing what the end result will be, because at times what was alluring at first will turn out to be a nightmare.
Always remember to be vigilant in everything: a phone call offer or an unsolicited email is something you should think about and not react to impulsively. Keep a clear mind in these situations and do not immediately fall for the perpetrator's plans.
There are a lot of risks once you're already in this situation. If you have already given the details, change your email address right away, your password, or maybe even your maiden name, as this is usually part of a security question that may be used to break into your account. Also, do not save any personal details that you put online. It's best to be sceptical about these things rather than to be fooled and be sorry in the end. The amount that will be taken away from your account will never be the institution's responsibility; it will always be pointed back to you. Stay aware that the internet is public property.