Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.
I am going to talk about a scheme spammers use to harvest legitimate email addresses from your contact list. There are plenty of ways to harvest addresses, but the one I am focusing on is email forwarding.
Normally, when you create an email account you start building a contact list containing the email addresses of your friends, relatives, co-workers, etc. Over time you accumulate a substantial number of contacts in your address book.
“Forward” is a handy function available in almost all email clients; it lets you pass a message on to another recipient. But note that a forwarded message carries the email address of the original sender, and of everyone else it was sent or forwarded to along the way, because the client quotes the earlier From: and To: lines above the old body.
Email harvesting scenario
Say you are GoodGuy, with an email account and 50 contacts. BadGuy sends you a mail with a very emotional religious message, a very nice joke, or an irresistible offer, something you are likely to fall for, and guilts you into forwarding it to at least 10 friends, including BadGuy. You do so in good faith. Now 10 friends from your contact list receive your well-meant message, with the same instruction: “forward to at least 10 friends”. At the same time BadGuy receives a copy of every forward sent by each person down the chain.
Simply put: you forward the mail to 10 contacts, they do the same in good faith, and so does the third circle. Roughly this happens:
1 + 10 + 10^2 + 10^3 = 1,111 email addresses are exposed in just three circles (fewer in practice, since contact lists overlap), and the number keeps growing with every further round of forwards. Then you and your friends start receiving commercial mail from services you never visited or even heard of, and you wonder how on earth they got your email. Well, you gave it to them, and you helped them get some of your friends' addresses too.
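To make the mechanism concrete, here is a small simulation of the chain described above. It is an added example, not code from the original post or from any real spam operation. It renders forwards the way a typical client does (previous From:/To: lines quoted above the old body), runs the kind of address-extraction regex a harvester would run over every copy that reaches the attacker, and compares normal To: forwarding against BCC forwarding. The address book graph, the people, and the attacker's address (`badguy@spammer.example`) are all constructed for the demo.

```python
import random
import re

# Loose address pattern; good enough to harvest from quoted headers and bodies.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed addresses for the simulation; not real mailboxes.
ATTACKER = "badguy@spammer.example"
GOODGUY = "goodguy@example.com"


def build_forward(sender, recipients, quoted, use_bcc=False):
    """Render the text a typical client produces when `sender` forwards
    `quoted` (the message text they received) to `recipients`.

    Clients copy the previous headers above the old body, so the From:/To:
    lines of every earlier hop travel along. With use_bcc=True the recipient
    list is never written into the message, which is the defensive setting."""
    to_line = "undisclosed-recipients:;" if use_bcc else ", ".join(sorted(recipients))
    return (
        f"From: {sender}\n"
        f"To: {to_line}\n"
        "Subject: Fwd: Please send this to 10 friends!\n\n"
        "---------- Forwarded message ----------\n"
        f"{quoted}"
    )


def harvest(message_text):
    """What the spammer runs over each copy that lands in their inbox."""
    return set(EMAIL_RE.findall(message_text))


def chain_upper_bound(hops, fanout):
    """Addresses exposed if no two contact lists overlap: 1 + k + k^2 + ... + k^hops."""
    return sum(fanout ** i for i in range(hops + 1))


def make_contacts(population, per_person, rng):
    """Constructed address-book graph: everyone knows `per_person` random others."""
    people = [GOODGUY] + [f"user{i:03d}@example.com" for i in range(1, population)]
    return {p: rng.sample([q for q in people if q != p], per_person) for p in people}


def default_book(seed=1, population=200, per_person=12):
    """Deterministic demo address book (constructed data)."""
    return make_contacts(population, per_person, random.Random(seed))


def simulate_chain(contacts, hops, fanout, use_bcc=False, seed=0):
    """Run `hops` rounds of "forward to `fanout` friends, and to BadGuy".

    Returns (harvested, reached): the addresses the attacker extracted from
    the copies they were sent (minus their own), and everyone who actually
    received the message. The same seed gives the same forwarding choices in
    both modes, so the two results are directly comparable."""
    rng = random.Random(seed)
    seed_message = f"From: {ATTACKER}\nTo: {GOODGUY}\n\nForward this to 10 friends!\n"
    harvested, reached = set(), set()
    frontier = [(GOODGUY, seed_message)]        # (who forwards, what they received)
    for _ in range(hops):
        next_frontier = []
        for sender, received in frontier:
            friends = rng.sample(contacts[sender], min(fanout, len(contacts[sender])))
            fwd = build_forward(sender, set(friends) | {ATTACKER}, received, use_bcc)
            harvested |= harvest(fwd)              # the attacker got a copy too
            reached.update(friends)
            next_frontier.extend((f, fwd) for f in friends)
        frontier = next_frontier
    harvested.discard(ATTACKER)
    return harvested, reached


if __name__ == "__main__":
    for bcc in (False, True):
        got, reached = simulate_chain(default_book(), hops=3, fanout=10, use_bcc=bcc)
        print(f"use_bcc={bcc}: {len(reached)} people reached, "
              f"attacker harvested {len(got)} addresses "
              f"(overlap-free bound {chain_upper_bound(3, 10)})")
```

With plain To: forwarding the attacker ends up with the address of every person the chain reached; with BCC they only ever see the people who actively forwarded (their From: line) plus whatever was quoted in the original seed, so the last and largest ring of recipients stays hidden. The overlap-free bound of 1,111 is an upper limit; in a small population the distinct count saturates well below it, which is the caveat in the paragraph above.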
This is the effect of social engineering: the mail plays on your emotions and conscience, you think you are doing a good thing by responding, and in reality you are falling for somebody's social engineering scam.
No software fights social engineering attacks on its own, because it is you who ends up giving away information, executing some process, or allowing some application to act on your private, sensitive data. The important thing is to build awareness and change the culture of how we operate and disclose sensitive information.
To avoid becoming a victim of a social engineering attack:
- Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information.
- Do not provide personal information or passwords over email or on the phone.
- Do not provide information about your organization.
- Pay attention to website URLs that use a variation in spelling or a different domain (e.g., .com vs. .net).
- Verify a request’s authenticity by contacting the company directly.
- Install and maintain anti-virus software, firewalls, and email filters.
- When you do forward a message, put the recipients in BCC and delete the quoted From:/To: lines from earlier hops, so the chain does not carry everyone's address along.
If you think you are a victim of a social engineering attack:
- Report the incident immediately (to your IT or security team, if it happened at work).
- Contact your financial institution and monitor your account activity.
- Immediately change all of your passwords.
- Report the attack to the police and file a report with the relevant authority.