Abstract

While banks and companies race to harden their technical security defenses against direct attacks, criminals increasingly target the humans who represent the weak spot. By one estimate, social engineering is now used in more than two-thirds of all cyberattacks, and with emerging tactics and technologies the situation looks set to get a great deal worse. The reason is simple: most of the time, exploiting a person's natural inclination to trust is easier than finding a way to break the software, and it requires no programming skills, only the ability to talk to people or to write a convincing email.

This paper starts by defining social engineering, fraud and online fraud, and by asking why social engineering fraud is growing. It then discusses the principles of social psychology behind it and some common social engineering attacks, and ends with advice on how to avoid becoming a victim.

Contents

Abstract
I. Introduction
II. Problem Definition
III. Related Work
IV. Comparison and Evaluation of the Existing Solutions
V. Discussion
VI. Conclusion
VII. References

I. Introduction

The Cambridge Dictionary defines fraud, in the business sense, as "the crime of getting money by tricking or deceiving people". (1) Internet fraud is fraud that is tied to deceitful solicitations or transactions committed through online services, with the proceeds of the fraud transmitted to a financial institution; it can be conducted in chat rooms, by e-mail and on web sites.

In the context of information security, social engineering is defined as the art of psychologically manipulating people so that they give up confidential information; it is also a type of confidence trick used for information gathering, fraud or system access. (2)

II. Problem Definition

The International Criminal Police Organization (Interpol) has identified social engineering fraud as one of the world's emerging fraud trends. A few years ago there was a spike in this type of fraud, and by 2015 reported losses had reached nearly $1bn; by comparison, global credit card fraud was $16bn. Within the past 12 months, about 60 percent of security leaders have admitted that their organizations may have fallen victim to social engineering, and 94 percent say that tactics such as spear phishing and watering hole attacks represent significant threats. (3)

With the growth of the internet, having information on the target has become a key part of social engineering: data from hacked companies can be bought, and criminals study their victim's social media profiles online.

Since social engineering depends mainly on psychological manipulation, we mention three aspects of social psychology, in particular the psychology of persuasion. (4)

1. Alternative routes to persuasion. Criminals can convince victims by opening the interaction with a statement that triggers strong emotions such as excitement or fear. This route is used mostly in frauds that involve strong personal interaction, such as telemarketing fraud. It distracts the victim and interferes with his or her ability to think logically.

2. Attitudes and beliefs. This involves the victim's attitudes and beliefs about the person soliciting his money over the internet, versus the criminal's attitudes and beliefs about his intended or actual victims.

3. Persuasion and influence techniques. Social psychology identifies many factors that are widely used to persuade or influence others. Some of them are:

· Authority: people are highly likely to respond to assertions of authority, even when the person claiming to be in a position of authority is not physically present.

· Scarcity: for example, an advertisement saying that a product or offer is available for a limited time only.

· Liking and similarity: by human tendency, sharing characteristics or interests with someone provides a strong incentive to adopt a mental shortcut in dealing with that person, purely because of the match.

III. Related Work

Security professionals say that the human who trusts people easily is the weakest link in the security chain; without checking legitimacy, it is very easy to be exposed to risk. From the articles and papers we have read, these are some of the common social engineering attacks:

1. Creating distrust. This is often done by someone who has had a falling-out with you, but it can also be done by strangers with bad intentions. The attacker creates distrust in your mind about others and then steps in as the hero to gain your trust; from there, they can extort you or threaten you with disclosure. Guessing weak passwords, social engineering or hacking gives them access to your email or social media account, after which they alter private or sensitive data such as images, videos and audio. This material can then be forwarded to your friends or family members to create drama and embarrassment.

2. Response to a question you never asked. You receive an email, phone call or message posing as the reply to a help request you made to a company used by millions of people, such as a bank or a software vendor. You might ignore it if you do not use the service mentioned, but there is a chance you will respond because you do need that service or product.

3. Baiting scenarios. These are very similar to phishing attacks and rely on people's needs: offer something people want, and many of them will take the bait. This kind of attack is popular on websites offering downloads and on social networking sites, and the people who take the bait are infected with malicious software. An example of a baiting scenario is shown in Figure (1).

IV. Comparison and Evaluation of the Existing Solutions

Social engineering attacks are becoming more popular, and the criminal's imagination is the only limit to the number of ways victims and users can be socially engineered. Anyone may be exposed to a social engineering attack, so we offer some advice to help you avoid becoming a victim:

1. If you receive a suspicious email or message, do a little research: use a search engine to find the company's real website or phone number, and contact them that way to confirm what you have received.
2. Never enter personal or financial information in a reply message; a request to do so is a scam.
3. Ignore or reject unsolicited offers and requests for help.
4. Download programs and applications from well-known companies only.
5. Keep your anti-virus software up to date, and use firewalls and email filters.
6. Help non-technical friends and family, and make them aware of these attacks.
7. Use strong, complex passwords that do not include any personal information, and use two-factor authentication.

V. Discussion

Social engineering is not necessarily unethical; there is a grey area. It is similar to the debate about hacking versus ethical hacking: it always depends on the intention of the person acting. Seeking permission, and using the information to benefit, educate and raise the awareness of people, makes social engineering ethical.

Defining the forces and principles that lie at the foundations of cultural growth would help social engineering become a respectable science. Laws and rules can help limit social engineering fraud, but they will not stop it.

VI. Conclusion

In conclusion, grey areas are not a reason to carry out social engineering attacks, but ethics is not one of the criminals' concerns. So you must keep protecting yourself, and be aware of the websites you open and the software you download onto your device.

VII. References

1. https://dictionary.cambridge.org/dictionary/english/social-engineering
2. https://en.wikipedia.org/wiki/Social_engineering_(security)
3. https://www.threatmetrix.com/digital-identity-blog/cybersecurity/new-rise-social-engineering-fraud-stop/
4. https://www.isoc.org/inet99/proceedings/3g/3g_2.
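Appendix: a worked check for the "response to a question you never asked" pattern

The advice in section IV (confirm the real company behind a message before acting on it) and the persuasion principles in section II (authority and scarcity) can be turned into mechanical checks that an email filter or a cautious reader can apply before replying. The script below is an added example and is not part of the original paper or its references. It parses two constructed messages (all addresses and domains are made up, and examplebank.com stands in for a real bank) and flags the signs of a fake "support reply": a Reply-To that goes to a different domain than the sender, link text that shows one site while the href points to another, links that leave the sender's domain, a "Re:" subject with no In-Reply-To or References header, and pressure phrases that lean on the authority and scarcity principles. The last-two-labels domain comparison is a simplification for the example; real code would use the Public Suffix List.

```python
"""Heuristic checks for a phishing email posing as a support reply.

Added example for the paper's section IV advice; not the paper's own code.
Both sample messages are constructed and every domain in them is made up.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing sample: claims to be a bank support reply, but the
# Reply-To, the link target and the pressure language all point elsewhere.
SUSPICIOUS_RAW = """\
From: "ExampleBank Support" <support@examplebank-secure.co>
Reply-To: helpdesk@mail-verify.example
To: victim@example.org
Subject: Re: Your support request #48213 - action required within 24 hours
Content-Type: text/html

<p>We have processed the request you sent us. Your account will be
suspended unless you verify immediately.</p>
<p><a href="http://examplebank.login-check.example/verify">
https://www.examplebank.com/secure</a></p>
"""

# Constructed benign counterpart: genuine reply to a ticket the user opened.
BENIGN_RAW = """\
From: "ExampleBank Support" <support@examplebank.com>
To: customer@example.org
Subject: Re: Your support request #48213
In-Reply-To: <48213.ticket@examplebank.com>
Content-Type: text/html

<p>Thanks for contacting us. You can review the ticket at
<a href="https://www.examplebank.com/support/48213">
https://www.examplebank.com/support/48213</a>.</p>
"""

# Phrases that exploit the section II principles: authority ("action
# required") and scarcity ("immediately", "within 24 hours", "suspended").
PRESSURE_PHRASES = ("action required", "immediately", "within 24 hours",
                    "suspended", "verify")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a hostname (assumption: enough for the samples;
    production code should consult the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def analyse(raw):
    """Return a list of (code, detail) findings; an empty list means no
    phishing indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_dom}, not {from_dom}"))

    body = msg.get_content()
    for href, text in ANCHOR_RE.findall(body):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_dom = registrable_domain(urlparse(shown).hostname or "")
            if shown_dom != href_dom:
                findings.append(("link_text_mismatch",
                                 f"shows {shown_dom}, points to {href_dom}"))
        if href_dom and href_dom != from_dom:
            findings.append(("link_offsite",
                             f"link leaves sender domain: {href_dom}"))

    subject = str(msg["Subject"] or "")
    if subject.lower().startswith("re:") and not (
            msg["In-Reply-To"] or msg["References"]):
        findings.append(("fake_reply",
                         "subject claims a reply but no thread headers"))

    hits = [p for p in PRESSURE_PHRASES if p in (subject + " " + body).lower()]
    if len(hits) >= 2:
        findings.append(("pressure", "urgency/authority phrases: " + ", ".join(hits)))
    return findings


def verdict(raw):
    """'suspicious' if any indicator fired, otherwise 'ok'."""
    return "suspicious" if analyse(raw) else "ok"


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(name, verdict(raw))
        for code, detail in analyse(raw):
            print("  ", code, ":", detail)
```

None of these checks proves a message is fraudulent on its own (legitimate senders sometimes use a separate Reply-To, and tracking links often leave the sender's domain), which is why the script reports indicators rather than blocking; the point is that each indicator corresponds to one of the paper's manual checks, and a message that trips several of them is the one to verify through the company's real website or phone number before replying.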