(18-22) Social Engineering A Technique For Handling Human Behaviour

This document summarizes research on social engineering techniques. Social engineering relies on manipulating human behavior rather than technical measures to gain access to information or systems. It involves gathering information about a target and then using that knowledge to deceive the target into willingly providing sensitive data or access. The document categorizes common social engineering attacks such as phishing, spear phishing, baiting, scareware, and pretexting. It also describes skills used in social engineering like impersonating staff, playing on sympathy, creating confusion, and reverse social engineering. The purpose is to increase awareness of social engineering and how to prevent related security issues.

Uploaded by Gideon Aleonogwe

Journal of Information Technology and Sciences

Volume 5 Issue 1

Social Engineering: A Technique for Managing Human Behavior


Neetu Bansla (1,*), Swati Kunwar (2), Khushboo Gupta (1)
1 Assistant Professor, Department of CSE, VCE, Meerut, UP, India
2 Assistant Professor, Department of AS, VCE, Meerut, UP, India
Email: [email protected]
DOI:

Abstract
Social engineering uses human behavior instead of technical measures to explore systems, data and anything else of profitable use. This piece of research gives a briefing on how the human mind is capable of invading crucial systems or capturing useful information about people or organizations. Certain defense mechanisms and preventive measures are also covered in this paper. Social engineering is a human-behavior-based technique for hacking and luring people in order to sneak into someone's security system. Since social engineering relies heavily on human behavior, no hardware or equipment can be built to stop the losses that arise as a result of human interaction. Therefore, certain good practices are suggested. Moreover, the purpose is to create awareness and study the impact of social engineering on society.

Keywords: Social engineering, data, human, information

INTRODUCTION

A simple definition of social engineering says that it is a non-technical way of breaching someone's security system and stealing crucial assets such as data or information. Sometimes social engineering can also be considered a way of spoofing someone's identity, thereby creating a bluff. People often make the mistake of taking human interactions lightly and share their key information with other persons, known or unknown. So far only some preventive measures are suggested, such as the use of strong passwords, two-factor authentication and not sharing passwords [1][2]. Social engineering is difficult to handle, as it is an uncommon way of breaching someone's system that relies heavily on trickery and psychological manipulation rather than on technical countermeasures [1][3][16]. Moreover, a suspicious message or email that asks for a person's personal details or bank account details should be avoided. The legitimacy of a message can often be verified by checking the domain name of the source or the sender.

Social engineering is a multistep process. First, the necessary information about the target is gathered, such as weak security points, possible ways of entry and individual background. After that the attacker plans the attack by gaining the victim's trust and providing stimuli for subsequent actions that break security measures, thereby revealing sensitive information or giving access to restricted resources [2]. Issues like social engineering attacks can be avoided by retaining a high level of awareness and vigilance towards forgeries and identity spoofing in the name of social human interactions. Based on their specific type, social engineering attacks are categorized into various classes discussed further in this paper.

18 Page 18-22 © MAT Journals 2019. All Rights Reserved
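The introduction's advice to verify a message by checking the sender's domain, and the prevention section's warning that email addresses are spoofed all the time, as an added example (not code from the paper or its authors): a check that compares the From, Reply-To and Return-Path domains of an incoming message against a trusted-domain list and folds common digit-for-letter look-alikes. The sample message, the trusted-domain set and the confusable table are constructed assumptions.

```python
"""Sender-domain consistency check for an incoming mail (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims a bank, the From domain is a
# look-alike ("1" in place of "l"), and Reply-To / Return-Path point elsewhere.
SAMPLE_MAIL = """\
Return-Path: <bounce@relay.example.net>
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recovery@webmail.example.org
Subject: URGENT: your account will be disabled in 24 hours
To: employee@example.com

Please confirm your password at the link below.
"""

# Domains this organisation accepts for the correspondent (assumed list).
TRUSTED_DOMAINS = {"example-bank.com"}

# Digit-for-letter substitutions commonly seen in look-alike domains (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if no address is present)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted):
    """Trusted domain that `domain` imitates after confusable folding, else ''."""
    folded = domain.translate(CONFUSABLES)
    return next((t for t in trusted if t != domain and t == folded), "")


def check_headers(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means the sender headers agree."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    findings = []
    if from_dom not in trusted:
        imitated = lookalike_of(from_dom, trusted)
        findings.append(f"From domain {from_dom!r} is not trusted"
                        + (f" and resembles {imitated!r}" if imitated else ""))
    # Reply-To and Return-Path should normally sit in the same domain as From.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom!r} differs from From domain {from_dom!r}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_MAIL):
        print("WARN:", finding)
```

The sample produces three findings: an untrusted From domain that resembles the trusted one, and Reply-To and Return-Path domains that disagree with it.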



Figure 1: Social Engineering Life Cycle

SOCIAL ENGINEERING ATTACK TECHNIQUES
Social engineering attacks can be carried out anywhere human interaction is involved, and they take many different forms. The five most common forms of digital social engineering attack are:

Phishing: These schemes are emails and text messages whose main purpose is to create a sense of urgency, necessity, curiosity or panic in the targeted person. It is the best-known social engineering attack. The scheme prompts the target to disclose vital information by opening links to hostile websites or clicking attachments that carry malware. In the phishing technique the same message is sent to all users [4].

Spear Phishing: This is the more focused version of the phishing scheme, in which the attacker selects particular people or companies. Spear phishing needs more effort on the part of the attacker and may take considerable time to pull off. These schemes are done expertly, which makes them mostly undetectable. The attacker customizes the messages based on the characteristics, job position and contacts of the targeted person so as to make the attack less noticeable [4].

Baiting: Baiting involves a false promise used to provoke the targeted person's greed or curiosity. The scheme lures users into a trap that steals their vital data or plants malware on their system. Physical media is the crudest form of baiting, used to spread malware into a system: the targeted person picks up the bait out of curiosity and inserts it into a work or home computer, which results in automatic installation of malware. Tempting and attractive advertisements that lead to harmful sites or urge users to download a malware-infected application are the online form of the baiting scheme.

Scareware: In this scheme victims are flooded with false alarms and fake threats. Scareware is also referred to as deception software or fraudware. It is spread through spam emails that deliver fraudulent threats or offer users harmful services for purchase. Users are misled into believing that their system is infected with malware, persuading them to install software that is of no benefit to the person but serves the attacker, or is malware itself.

Pretexting: The scheme is initiated by a person pretending to need crucial information from a victim in order to carry out an important task. The attacker obtains data through ingeniously crafted lies. He or she questions the victim in such a way that the victim's identity is confirmed, and through this they gather the crucial data. The attacker begins by posing as a co-worker, police officer or tax official who has the authority to know things [4].

TYPES OF SOCIAL ENGINEERING SKILLS
The following are a few of the skills used to exploit users in order to gain access to a system.

Impersonating Staff: This is the art of creating a situation to convince a target, which can be a person or a computer, to release information or perform an action. It is conducted mostly via telephone or email. The most influential and dangerous hoax for gaining physical access to any system is to pretend to be somebody from inside the corporation. Some users may give their password to an unfamiliar person on a phone call, believing him to be a member of the IT staff. This is especially true if the caller indicates that their account may be restricted or disabled and that they might not be able to access important emails or needed network shares if they do not cooperate. It is the most time-consuming attack, as it requires investigation and research to gather data and information about the target in order to establish legitimacy in the target's mind [8][9].

Intimidation Strategies: In this case the social engineer pretends to be somebody important, such as a big boss from headquarters, a government inspector, a top client of the company, or someone else who can strike fear into the hearts of regular employees. He or she comes storming in, or calls the victim up, already screaming, yelling, angry or irritated. They may also threaten to have the employee fired if they do not get the information they need [9][14][17].

Hoaxing: A hoax is an attempt to trick individuals into believing that something false is real. It may also lead to sudden decisions being taken out of fear of an untoward incident.

Playing on the User's Sympathy: The social engineer may pretend to be an employee from outside, perhaps from the phone company or the company's Internet service provider (ISP). It is human nature to help a person who is in trouble [9].

Creating Confusion: Another trick involves first creating a problem and then taking advantage of it. It can be as simple as setting off a fire alarm so that everyone vacates the area quickly without locking their computers. Social engineers can then use a logged-on session to do their dirty work [10][14].

Reverse Social Engineering: An even trickier practice of social engineering takes place when a social engineer gets others to ask him or her questions instead of questioning them. These social engineers usually have to do a lot of planning, preparation, scheduling, forecasting, research and investigation to pull it off, placing themselves in a position of seeming authority or expertise [11].

Mail: The use of an interesting subject line triggers an emotion that may lead to accidental participation with the social engineer. There are two common forms. The first involves malicious code, usually hidden within a file attached to an email. The intention is explained in an international journal of computing [5][12] for improving the QoS of routing protocols in mobile ad hoc networks.

Dumpster Diving: Someone from the company throws away junk mail or routine company mail or letters without shredding the documents. If the mail contained personal information or credit card offers, a dumpster diver could use it to carry out identity theft. Dumpster divers also search for information such as the company
organization chart and who reports to whom, especially management-level employees who can be impersonated to obtain important details. Information from dumpster diving can be used in an impersonation attack [10][11].

SOCIAL ENGINEERING PREVENTION
Social engineers play on human emotions such as curiosity or panic to carry out their schemes and lure victims into their traps. Hence always be cautious whenever an email makes you feel distressed, an offer displayed on a website tempts you, or you come across random digital media lying about. Our attentiveness can help shield us from social engineering attacks in the digital world. The following points help us improve our vigilance against social engineering attacks [5].

Don't open emails and attachments from suspicious sources: Email addresses are spoofed all the time; an email that appears to come from a reliable source may actually have been sent by an attacker. Never reply to an email whose sender you don't know, and if you know the sender but are doubtful about their message, verify it through other channels such as a telephone call or the service provider's site [5].

Use Multifactor Authentication: One of the assets attackers pursue is user credentials. Therefore use multiple verification factors, which protect the account in the case of a system compromise.

Be Wary of Tempting Offers: If you get an offer that is too tempting or attractive, you need to think many times before accepting it. To verify whether you are dealing with a credible offer or a trap, searching for it online (for example, on Google) may help.

Keep your antivirus/antimalware software updated: Be certain that automatic updates are active, or make sure to download the updated signatures first thing every day. Regularly verify that updates have been applied, then scan to find possible infections [6].

Anti-Phishing Tools: The use of tools connected to a database of blacklisted phishing websites is suggested. These tools cannot give full security, as phishing sites are cheap and simple to construct and have a lifetime of only a few days. Examples are Websense, McAfee's anti-phishing filter, the Netcraft anti-phishing system and Microsoft Phishing Filter.

Strong Passwords: Individuals themselves should ensure that they maintain a strong password and change it periodically. Using the same password for all accounts is not recommended at all, as security is put at risk. Some people keep crucial data on their phones, so make sure the phones are protected by passwords too. Compliance on the office network should be assured by the organization.

Education and Training: This includes ongoing security awareness and training programs that prepare employees with approaches to resist social engineering. It should involve periodic reminders about the essentials of security consciousness.

CONCLUSION
Information security is very significant in the present-day scenario. Although the safety of information is continuously improving, the one fragile element is the human being, who is susceptible to such methods and techniques. Social engineering attacks concentrate on attacking human behavior with the purpose of achieving a specified goal; in this case, it is to gain privileged and confidential information. Social engineering uses different methods for circumventing the security measures in place. Psychological attacks and physical attacks are the types of social engineering attack technique [13]. This paper has highlighted the most fundamental social engineering attacks and stated the general countermeasures for social engineering; further mitigation schemes remain a motivation for future study.

REFERENCES
1. Francois Mouton, Mercia M. Malan, Louise Leenen and H. S. Venter, "Social Engineering Attack Framework", IEEE, 2014.
2. Aisha Suliaman Alazri, "The Awareness of Social Engineering in Information Revolution: Techniques and Challenges", IEEE, 2015.
3. Osuagwu E. U., Chukwudebe G. A., Salihu T. and Chukwudebe V. N., "Mitigating Social Engineering for Improved Cyber Security", IEEE, 2015.
4. M. Nazreen Banu et al., "A Comprehensive Study of Phishing Attacks", (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 4, 2013, 783-786.
5. Chirillo, John. "Hack Attacks Denied: A Complete Guide to Network Lockdowns for UNIX, Windows, and Linux, Second Edition". John Wiley & Sons, Inc., 2002.
6. Heur, Richard. "Theft and Dumpster Diving". Defense Security Service Academy. March 1996. URL: http://www.mbay.net/~heuer/T3method/Theft.htm
7. Hillary, Bob. "SANS Security Essentials". SANS Conference. July 2003.
8. Robinson, Jarvis. "Internal Threat: Risks and Countermeasures". Version 1.0. November 15, 2001. URL: http://www.sans.org/rr/papers/60/475.pdf
9. Hu, Jim. "AOL boosts email security after attack." CNET News. September 21, 2000. URL: http://news.com.com/2102-1023_3-242092.html?tag=st_util_print
10. CERT Coordination Center. "CERT Advisory CA-1991-04 Social Engineering". September 18, 1997. URL: http://www.cert.org/advisories/CA-1991-04.html
11. Granger, Sarah. "Social Engineering Fundamentals, Part II: Combat Strategies". Security Focus. January 9, 2002. URL: http://www.securityfocus.com/printable/infocus/1533
12. Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics". December 18, 2001.
13. National Cooperative Education Statistics Task Force. "Protecting Your System: Physical Security". 2002. URL: http://nces.ed.gov/pubs98/safetech/chapter5.asp (4 April 2003).
14. Mitnick, Kevin. The Art of Deception: Controlling the Human Element of Security. Indianapolis: Wiley Publishing Inc., 2002.
15. Gaudin, Sharon. "How To Thwart The Social Engineers". 10 May 2002. URL: http://itmanagement.earthweb.com/secu/article.php/1041161 (11 March 2003).
16. Burton, Graeme. "Companies exposed to 'social engineers': Mitnick". 4 September 2002. URL: http://www.infoconomy.com/pages/news-andgossip/group66338.adp (11 March 2003).

Cite this article as:

