Preventing Social Engineering Attacks


Bank customers must be conscious of the risks that social engineering poses to their accounts, operations and reputation, writes Obinna Chima

With the level of sophistication of cyberthreats increasing by the day, the need for organisations and individuals to ensure that they defend against these types of attacks has once more been stressed.

Across the world, cybercriminals have long been using phishing and other social engineering methods to trick their victims into providing access to confidential data, such as passwords, social security numbers or account numbers.

In addition to the tried-and-true method of sending legitimate-looking e-mails to unsuspecting victims, cybercriminals are now using social media and other popular platforms to launch their attacks, Alejandro Mijares disclosed in a report published in Computerworld.

Social engineering is the art of manipulating people into giving up confidential information. The information these criminals seek varies, but when individuals are targeted the criminals are usually trying to trick you into handing over your passwords or bank details, or into letting them access your computer to secretly install malicious software that gives them your passwords and bank details as well as control of your computer. Criminals use social engineering tactics because it is usually easier to exploit bank customers’ natural inclination to trust than to find a way to break into the software.

In Nigeria, the Central Bank of Nigeria (CBN) recently disclosed that social engineering has become rife in cybercrime attacks in the country.
According to the central bank, almost on a daily basis a plethora of messages are sent by these criminals with the express intent of conning unsuspecting recipients, using techniques that appeal to vanity, greed or authority.

Therefore, the banking sector regulator stressed the need to look critically at measures that will protect the industry as a whole from the menace of social engineering attacks.

Regulation against Fraudsters
To this end, the CBN said it is working on a policy that would ensure that bank customers involved in electronic fraud are either blacklisted or placed on close surveillance.

The Director, Banking and Payment System, CBN, Mr. ‘Dipo Fatokun, said the Bank Verification Number (BVN) would also be used in identifying fraudsters in the industry.

“We are currently working on a framework using the BVN to eliminate fraudsters. One common thing about electronic fraud is that when money is moved from an account, it is moved into another bank account. So, by identifying the owner of that fraudulent account using the BVN, we would not only be able to identify him or her in the bank to which the money has been moved, we would also identify him in all the banks where he has accounts, and when legal impediments are overcome, such people could be blacklisted or watch-listed in the banking system.

“That would also assist us a great deal in curbing the menace of fraudsters. Opening an account is a contract. If a bank notices that a particular customer is fraudulent or is a criminal, the bank has the right to get out of the contract. And another implication is that if an account is watch-listed when the framework becomes operational, credit into such an account would be withheld. This is because if we are able to watch-list, we will be able to apprehend and prosecute,” he added.

Fatokun said the world had been inundated with news of Distributed Denial of Service (DDoS) attacks targeting various internet destinations such as Twitter, PayPal, CNN and The New York Times, among others. He said it was particularly worrisome that the devices used to spread the malware were operated with default passwords, which made it easy for the hackers to guess them.

This, he said, goes to show that attacks of this nature are becoming increasingly commonplace and the tactics used more damaging to individuals and institutions alike.

“That is why the Nigeria electronic Fraud Forum will not relent in achieving the major activities that we have set out to do, which include: the operationalisation of a Dedicated e-Payment and Card Crime Unit in the Nigeria Police, which will enable a greater effort in our quest to successfully investigate and bring cyber-criminals to book through effective and efficient prosecution;

“A workshop on the Cybercrime Prohibition and Prevention Act, which will expand understanding of the impact, implications and responsibilities of all stakeholders, particularly those operating within the financial services sector; and
“Expanding our membership schedule to always accommodate new and systemically important stakeholders into membership of the NeFF,” the Director said.

Caution from Banks
The Chief Executive Officer of Zenith Bank Plc, Mr. Peter Amangbo, warned bank customers to desist from responding to suspicious e-mails so that they don’t fall victim to social engineering attacks.

According to Amangbo, social engineering refers to the use of tricks and psychological manipulation by fraudsters to collect secured information from unsuspecting users. The criminals rely heavily on human interaction, and the approach often involves making people breach normal security procedures.

He said the information most often targeted in social engineering includes passwords, bank account details, debit and credit card details and ATM PINs, among others.

According to Amangbo, the advent of social engineering is an indication that technology alone is not enough to keep the system secure.
“It is the easiest and cheapest way of gaining access to confidential information. Social engineering has been with us for a very long time.

It is very clear to us that what we are talking about is not cheap at all because for you to restore customer confidence you will spend a lot of money. And to remedy such situation you have to spend a lot of money. So, the best way is prevention. We need to continue to put our strategies in place to ensure that they don’t succeed.

“And we are beginning to see social engineering attacks via the social media, Facebook, Twitter, etc. Attackers would impersonate the profile of a close friend with the intention of tricking you to click on malicious links or malware infected documents. And once you click on that, they are able to have access into your documents and be able to steal very sensitive information for their operation.

“These mails are usually from companies that send you e-mails regularly and once you respond, certain things would be lost. We have seen so many instances of e-mails of big companies confirming transfers, payments and unless you look at it critically, you will not be able to see any difference between the original or the fake e-mail,” he added.

On his part, the Chief Executive Officer of Sterling Bank Plc, Mr. Yemi Adeola, said fraud remains a major concern to banks and financial institutions worldwide, adding that Nigeria is not an exception.

According to him, the introduction and advancement in electronic payment system in the Nigerian financial system came along with significant challenges associated with this kind of innovation.

“Thousands of Nigerians have fallen victim and several billions of naira have been lost to the activities of these fraudsters since the introduction of the e-payment system. Statistics available to banks and law enforcement agencies show that this challenge is still on the increase. Most of the information used by these fraudsters is obtained from social engineering attacks.

“As we all know, social engineering requires a conversation between two parties – the fraudster and the unsuspecting victim. This conversation can be a direct engagement between the two parties or an exchange of information over electronic means such as e-mail, telephone, social media, etc.,” he explained.

According to the Sterling Bank boss, the main motive behind social engineering is financial gain through fraud. He noted that fraudsters are very comfortable using social engineering because it gives them the quickest way of obtaining a valid identity, and he warned customers to be careful about divulging their personal account information or PINs.

Preventing Attacks
The United States Computer Emergency Readiness Team (US-CERT) has stated that to avoid social engineering and phishing attacks, bank customers must be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information.

According to the agency, if an unknown individual claims to be from a legitimate organisation, individuals and organisations should try to verify his or her identity directly with the company.

Other steps to guard against this, according to the U.S. agency, include:
* Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person’s authority to have the information.
* Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
* Do not send sensitive information over the Internet before checking a website’s security (
* Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (
* Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
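The advice to "pay attention to the URL" is easy to state and hard to apply by eye, because the tricks that matter (a bank's name placed on the left of an attacker's domain, a swapped top-level domain, a digit standing in for a letter, a trusted name hidden in the user-info part of the link, an internationalised "xn--" domain) all look plausible in an e-mail. The script below is an added example, not code from the article or from US-CERT, showing how a link can be triaged against an allowlist of the domains a bank actually uses. The allowlist entry `examplebank.com` is a placeholder, and the sample links are constructed for the example; a production tool would use the Public Suffix List rather than the simple suffix test here.

```python
"""Triage links from e-mails or messages against a bank's known domains.

Added example; the allowlist and sample links are constructed placeholders.
"""
import difflib
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains the bank really uses.
# "examplebank.com" is a placeholder for this example, not a real bank's domain.
TRUSTED_DOMAINS = ("examplebank.com",)


def host_of(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit().hostname drops any user-info, so
    'https://examplebank.com@evil.test/' yields 'evil.test'.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    'examplebank.com.evil.test' does not end with '.examplebank.com',
    so the suffix test is not fooled by a trusted name placed on the left.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_trusted(host: str, threshold: float = 0.8) -> Optional[str]:
    """Return the trusted domain this host resembles, or None.

    Catches a trusted name embedded in a longer host, a swapped TLD
    (.net for .com) and character substitutions (examp1ebank).
    """
    labels = host.split(".")
    for d in TRUSTED_DOMAINS:
        if d in host:
            return d
        d_label = d.split(".")[0]
        if len(labels) >= 2:
            tail = ".".join(labels[-2:])
            if difflib.SequenceMatcher(None, tail, d).ratio() >= threshold:
                return d
            if difflib.SequenceMatcher(None, labels[-2], d_label).ratio() >= threshold:
                return d
    return None


def classify_url(url: str) -> str:
    """Classify one link: trusted, insecure, userinfo, punycode, lookalike, untrusted or invalid."""
    parts = urlsplit(url)
    host = host_of(url)
    if not host:
        return "invalid"
    if parts.username is not None:
        return "userinfo"   # 'trusted.name@attacker' trick; a bank never sends such links
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"   # internationalised label, possible homoglyph domain
    if is_trusted_host(host):
        return "trusted" if parts.scheme == "https" else "insecure"
    if looks_like_trusted(host):
        return "lookalike"
    return "untrusted"


# Constructed sample links for this example (none of these hosts is real).
SAMPLE_LINKS = [
    "https://online.examplebank.com/login",
    "http://online.examplebank.com/login",
    "https://examplebank.net/login",
    "https://examp1ebank.com/verify",
    "https://examplebank.com.secure-update.test/",
    "https://examplebank.com@secure-update.test/",
    "https://xn--exmplebank-7ib.com/",
    "https://totally-unrelated.test/",
]


def triage(links):
    """Map each link to its verdict."""
    return {link: classify_url(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

Only the first link comes back as "trusted"; the plain-http copy of it is flagged "insecure", the .net and examp1ebank variants and the bank-name-on-the-left host are "lookalike", the user-info and xn-- links get their own verdicts, and the unrelated host is simply "untrusted". The verdict order matters: user-info and punycode are checked before the allowlist so that a trusted name in the wrong position can never earn a pass.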