Social engineering can be described as the art of manipulating people into disclosing confidential information, not only about themselves but also about essential parts of their livelihoods. Social engineering must therefore be understood to involve criminals seeking to infringe on people’s privacy. The type of information that criminals target varies, from banking records to travel history. Social engineering has proved to be a massive threat to the safety and security of ordinary citizens, which compels research to establish the realities of affiliated practices. To that end, this paper studies and discusses the underlying dynamics of social engineering and the factors that facilitate it, in an attempt to establish the most effective means to insulate personal information from such malicious practices.
Criminals often use different means to access different types of information. When a person becomes a target, however, the criminals’ main objective is to manipulate that individual into submitting personal information such as passwords and bank information. Further, these criminals may access an individual’s computer remotely and install malicious software that grants them access to the information they need about their target. In that case, the criminals have control over their target’s computer and may further impersonate the target and execute transactions that the target is unaware of.
There are two types of social engineering: human-based and technology-based (Sadiku et al., 2016). The first form, human-based social engineering, requires face-to-face interaction between the criminal and the target individual to achieve the criminal’s objective. Under human-based social engineering, criminals may employ different techniques, including impersonation, third-party authorization, dumpster diving, and shoulder surfing (Sadiku et al., 2016). Technology-based social engineering, on the other hand, requires an electronic interface that connects the criminal and their target (Sadiku et al., 2016).
Under technology-based social engineering, criminals employ various techniques to achieve their purpose, which may involve using emails, email attachments, and websites to manipulate people (Sadiku et al., 2016). For instance, social engineers have widely embraced the practice of sending fraudulent emails while impersonating legitimate people from legitimate entities. The recipient of the false email can easily be deceived into believing that it originated from the legitimate entity named in the fraudulent email. According to reliable research, “Social engineering threats, which are human-based, are on the rise due to continued improvements in protections against technology-based threats” (Sadiku et al., 2016).
Reliable research in this context states that “Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.” In simpler terms, it is easier for criminals to manipulate someone into trusting them and giving up a password than to hack it, unless the password is significantly weak. Therefore, social engineering has proven to be an efficient tool for facilitating cybercrime in different aspects. The history of social engineering dates back to the advent of technology and its revolution in human practices.
With the ever-increasing significance of and reliance on information technology in people’s daily lives, from smart home devices to industrial control systems, the rate of social engineering has gradually increased over the years (Papazov, 2016). One of the most common forms of attack used by social engineers is phishing. In phishing attacks, hackers typically send a link or an attachment to their targets via Gmail (Alkhalil et al., 2021). The hackers’ emails closely resemble those of one of the user’s trusted contacts. Because people trust their workmates and perhaps their employees, they are likely to disclose important information to hackers, thinking that they are dealing with a confidant. The most common risks of phishing attacks are financial losses and the disclosure of personal data to hijackers, who can use it to commit other crimes.
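The impersonation described above leaves traces in an email's headers that a mail filter or analyst can check. The following is an added example, not part of the original essay: it flags a message whose display name matches a trusted contact while the address does not, whose Reply-To points to another domain, or whose sender authentication failed. The contact directory, domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a directory of known contacts (constructed data, not from the essay).
TRUSTED = {"alice chen": "alice.chen@example-corp.test"}


def domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_signals(raw):
    """Return the reasons a raw message may be impersonating a trusted sender."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    signals = []
    known = TRUSTED.get(name.strip().lower())
    # A familiar display name on an unfamiliar address is the classic lure.
    if known and addr.lower() != known:
        signals.append("display name of trusted contact, unknown address")
    # Replies silently redirected to a different domain.
    if reply_to and domain(reply_to) != domain(addr):
        signals.append("Reply-To domain differs from From domain")
    # Verdicts recorded by the receiving mail server.
    if "dmarc=fail" in auth or "spf=fail" in auth:
        signals.append("sender authentication failed")
    return signals


# Constructed sample messages (not real traffic). Note the "1" in the spoofed domain.
SPOOFED = (
    "From: Alice Chen <alice.chen@examp1e-corp.test>\n"
    "Reply-To: payments@mailbox.test\n"
    "Authentication-Results: mx.example-corp.test; spf=fail; dmarc=fail\n"
    "Subject: Urgent: updated bank details\n\nPlease use the new account.\n"
)
LEGIT = (
    "From: Alice Chen <alice.chen@example-corp.test>\n"
    "Authentication-Results: mx.example-corp.test; spf=pass; dmarc=pass\n"
    "Subject: Meeting notes\n\nNotes attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_signals(raw))
```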
Cloud-jacking is equally embraced as a form of social engineering. In cloud-jacking, hackers get into a company’s cloud and try to manipulate sensitive data (Alkhalil et al., 2021). They may attempt to manipulate further communications of the company and the data of employees, and go as far as trying to gain access to the entire cloud (El-kenawy et al., 2019). Having done this, the hackers create fake memos, fake instructions, and false directives (El-kenawy et al., 2019). Due to a lack of knowledge, employees may download these files and follow the instructions given in those fake memos and directives. In this way, hijackers can even move the company’s finances into fraudulent accounts. The company’s employees may also deposit funds into fraudulent accounts as instructed through fraudulent files placed in the company’s cloud by the hijackers.
The third form of social engineering concerns threats to network perimeter and end-point security. These have become a significant threat because many people have been compelled to work remotely since the pandemic hit society. Reliable research indicates that 59% of American workers prefer to work remotely even after authorities lifted Covid restrictions (El-kenawy et al., 2019). The threats related to network perimeter and end-point security have grown significantly as a result. The growth is directly influenced by the lack of security infrastructure comparable to what companies provide in the workplace. Hence, companies’ employees globally are vulnerable to network perimeter and end-point security threats as they use their Gmail platforms to execute corporate tasks and pass on important information.
The fourth primary form of social engineering is mobile malware. Mobile malware is a cyber-attack typically used on mobile devices for malicious purposes (El-kenawy et al., 2019). Reliable research suggests that many professionals are moving from desktops to laptops and mobile phones for the partial or total execution of their professional duties (El-kenawy et al., 2019). This transition has exposed a significant share of the global populace to the threat of mobile malware. Reliable sources suggest that this year may see a substantial increase in mobile malware crimes due to this transition.
A recent practical example that illustrates social engineering in reality is the Tricare breach that occurred in 2011. Tricare is a healthcare program that provides health benefits for the military personnel of the United States of America, including retired military personnel. The program was formerly known as the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS). The Defense Health Agency of the United States of America manages the Tricare program. In 2011, the most significant breach to date occurred in the program, affecting a large number of beneficiaries.
The Tricare data breach occurred in 2011 and is considered the most significant data breach witnessed in the history of the United States of America (Hersh and Hoyt, 2018). The breach affected 4.9 million military members (Hersh and Hoyt, 2018). Independent sources claim that an estimated 248 million dollars was lost in that event (Weiss and Miller, 2015). Some of those affected were active military members, while others were retired military personnel, along with the families of both the retired and active personnel. The breach occurred when disk backup data was stolen from a car belonging to an employee of the Science Applications International Corporation (Hersh and Hoyt, 2018).
The Department of Defense had contracted the company to offer professional services to the health program. The disk contained data on the military personnel who had received the program’s benefits between 1992 and September 2011 (Hersh and Hoyt, 2018). The stolen tapes contained individual military personnel data, including names, dates of birth, personal health data, social security numbers, and the addresses of the program’s members (Hersh and Hoyt, 2018). However, the stolen tapes did not include the financial data of the military personnel enrolled in the program. At the time of the data breach, the Tricare Management Activity (TMA), which was formed in 1998, was in charge of the health program. However, the functions of the program and its management were under the authority of the Office of the Assistant Secretary of Defense and Health Affairs. The Tricare Management Activity managed the appropriation of the program and provided direction to the activities of the uniformed services.
The Tricare Management Activity was also assigned to administer the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS). The management was held responsible for granting an unauthorized employee of the contracted company access to unencrypted data of the program. The Tricare Management Activity was required to provide credit monitoring for the victims of the 2011 breach without charging them any fee for the service. This was the least that the management of the program could offer to regain some trust from the military personnel who relied on the program to provide them with the best healthcare services while they were busy protecting Americans from their enemies.
Secondly, allowing a newly recruited employee to access classified data of military personnel was an act of ignorance on the part of the program’s governing body. At the time of the data breach, there were more than five hundred patients under the care of the health program (Hoyt and Yoshihashi, 2018). This is evidence enough that the program should have been run with extra caution, because some of its members depended entirely on its services. The program’s management faced two lawsuits concerning this event (Hoyt and Yoshihashi, 2018). These were filed barely a month after the director of the program announced the data breach. One of the lawsuits sought to hold the administration liable for its failure to take the necessary precautions to secure its members’ data from unusual activities or unauthorized personnel.
The second lawsuit required the management of the program to take responsibility for negligence, as the administration claimed that the data was stolen on an occasion when no security was assigned to safeguard the data of its members (Hoyt and Yoshihashi, 2018). The lawsuit further required Tricare to pay a thousand dollars to each affected member (Vijayan, 2011). The Defense Health Agency (DHA) assumed responsibility for managing this program in October 2013, following the conspiracy surrounding the Tricare data breach. The DHA took charge of the roles played by the TMA, including managing the activities undertaken by the program and providing direction to ensure quality service delivery to the members of this program. The DHA also reviewed the program’s data protection policies to secure the program’s data from exposure to unauthorized external sources.
The Assistant Secretary of Defense, who had direct authority over this program, and the Principal Deputy Assistant Secretary of Defense left their positions following the data breach (Weiss and Miller, 2015). A former Principal Deputy assumed the role of the Assistant Secretary of Defense. No new jobs were created following the data breach at Tricare (Weiss and Miller, 2015). What happened instead was the recruitment of new personnel to the managerial vacancies created when senior management resigned from their positions. One of the vacancies created was the position of the Assistant Secretary of Defense and Health. This position was filled by a former Principal Deputy Assistant Secretary of Defense.
From the information above, it can be asserted that social engineering is a threat to the privacy and the financial and general security of ordinary citizens. Social engineers employ various strategies, including phishing and cloud-jacking, to access information from their targets. It can also be asserted that, with the transition of professional practice to more mobile avenues, the scope of risks related to information security threats is considerably larger. Therefore, creating awareness and laying down more security infrastructure can be crucial in the quest to counter the dangers presented by social engineers.
References
El-kenawy, E. S. M. T., Saber, M., & Arnous, R. (2019). An Integrated Framework to Ensure Information Security Over the Internet. International Journal of Computer Applications, 975, 8887. https://www.researchgate.net/profile/El-Sayed-El-Kenawy/publication/334522254_An_Integrated_Framework_to_Ensure_Information_Security_Over_the_Internet/links/5ee415c8299bf1faac525a4c/An-Integrated-Framework-to-Ensure-Information-Security-Over-the-Internet.pdf
Hersh, W. R., & Hoyt, R. E. (2018). Health Informatics: Practical Guide Seventh Edition. Lulu.com.
Hoyt, R. E., & Yoshihashi, A. K. (2014). Health informatics: a practical guide for healthcare and information technology professionals. Lulu.com.
Papazov, Y. (2016). Social Engineering. Retrieved from.
Sadiku, M., Shadare, A., & Musa, S. (2017). Grid Computing. International Journal of Advanced Research in Computer Science and Software Engineering, 7(6), 5-6. https://doi.org/10.23956/ijarcsse/v7i6/01612
Vijayan, J. (2011). Defense Dept. hit with $4.9 B lawsuit over the data breach. Computerworld, October 14.
Weiss, N. E., & Miller, R. S. (2015, February). The target and other financial data breaches: Frequently asked questions. In Congressional Research Service, Prepared for Members and Committees of Congress February (Vol. 4, p. 2015).