Kohima, July 16 (NEx): Law in Motion 27: Cyber Crimes 20 – “Psychological Tricks or Social Engineering & Attacks on Personal Computers”, written by Rupin Sharma, IPS.
The topics covered are:
Psychological Tricks or Social Engineering –
(i) Phishing (ii) Vishing (iii) Smishing
Credit/ Debit Card Frauds –
Online Shopping – Delivery & Offers
Attacks On Personal Computers;
(a) Virus Attack through External Devices
(b) Virus Attack by Downloading files from untrusted websites –
(c) Installation of malicious Software –
Law in Motion 27: Cyber Crimes – 20
(c) Psychological Tricks or Social Engineering –
I have discussed social engineering earlier. It is the use of various social and psychological tricks to defraud people.
Through the internet, mobile phones and social media or applications, criminals can invent innumerable tactics to CON their targets or victims. Some of the social engineering or psychological frauds are as below: –
(i) Phishing (ii) Vishing (iii) Smishing
In all these tricks the broad outline of contact is the following:
>the attackers approach their victims or targets with irresistible offers or lucrative deals;
>Once the targets are approached, the attackers either steal or transfer money, trick the victims into transferring the money, or steal personal information; or
>Capture or take control of their mobile phones or computers to cause them harm;
>The victims are tricked by using electronic means.
(i) Phishing: An act of sending fraudulent emails:
The attackers send emails to contact the targets/victims. Usually bulk emails are sent, i.e., to multiple targets;
Usually the recipients of the emails are ‘bcc’ or blind carbon copy receivers – numerous people are sent the same e-mail but no one knows who the other receivers or targets are;
All the emails usually originate from the same email address, but the receivers cannot ascertain that these are fraudulent or bulk emails;
The emails appear to be from genuine senders – either genuine persons or genuine organisations, e.g. banks or businesses or recruiters or companies offering credit or debit cards or services or business proposals or offers for sale of goods or services or even gifts etc.
The attackers seek to access sensitive personal information about the victim, e.g., bank details. Offers for transfer of funds or bounties are not uncommon for criminals using emails to target victims.
(ii) Vishing – engaging a victim by phone call: the attacker engages the victim on the telephone to extract sensitive personal information and bank details or OTPs/ DoBs etc. from the victim.
(iii) Smishing – it is the SMS equivalent of phishing or vishing.
The attackers use SMS to send fraudulent text messages.
The SMS asks the victim/ target to click on different websites or URLs or call a phone number.
The phone number given is usually that of one of the associates of the attackers/ criminals, who help commit the fraud by stealing personal information, including banking or financial data.
Clicking on links or URLs can compromise all the details in your smartphone, even enabling the attacker to read/access future SMS and OTP messages, which can be used to draw money from the victim’s bank accounts without his knowledge.
Phishing, Vishing and Smishing can also be used for conducting other offences like rapes, murders or extortions etc.
Some examples of Social Engineering/ Psychological Tricks: –
(A) Lottery Fraud-
>The fraudster approaches the victim (usually numerous victims/ targets at a time) through phishing, vishing, smishing or a call, saying that he/ she has been selected/ shortlisted for a lottery based on the mobile number or email address.
– The victim is tricked into believing the lottery is genuine;
– The victim expresses willingness or happiness for the lottery;
>The fraudster asks the target to transfer a TOKEN AMOUNT to the lottery company or its managers as CONFIRMATION;
– The victim/ target is asked to share vital personal information with the company by clicking on a link of the lottery company;
– The moment the victim/ target clicks on the link/ URL, his vital data and even bank details are compromised, and money is drawn from bank accounts.
– It is not unusual for fraudsters to even open fake websites, just in case the victim wants to check authenticity.
– In other cases, the victim may be asked/required to fill up the details on URLs/ websites; the moment he clicks on SUBMIT or AGREE, the data is sent to the fraudsters, the computer/ mobile is compromised and within milliseconds the user is taken to the website of a genuine company, where no such data is available.
(B) Credit/ Debit Card Frauds –
Users are sent messages by phishing, vishing or smishing that their credit or debit cards have been blocked because of KYC details being incomplete or similar pretext.
The user is asked to fill up the details online through URLs/ links to unblock.
The moment the user fills in the details and submits, he has been compromised and conned.
(C) Job Related Frauds –
Attackers send communications to targets about job offers with attractive salaries.
The victim is asked/ directed to submit personal details online by filling up forms etc.
The moment any link/ URL is clicked, the conman succeeds.
The conman transfers money from the victim’s account within seconds based on the details provided.
(D) Online Shopping – Delivery & Offers –
Conmen send messages to targets that they have been selected for discount offers.
However, the victims or targets are requested to pay token sums.
The targets are asked to make payments online through URLs/ links.
Once links are clicked and data/ money submitted, the attacker can get access to the mobile as well as bank account details, which can be used to transfer money.
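The lures described in (A) to (D) share a small set of textual tells: a prize, a blocked card or pending KYC, a job offer, a request for a token payment, a link to click or a number to call, or a request for an OTP. The following script is an added example (not part of the original column) that scores an SMS or e-mail body on those indicators so a recipient or a support desk can triage messages before anyone clicks. The rule weights, the threshold and the three sample messages are constructed for this illustration.

```python
"""Heuristic triage of SMS / e-mail text for social-engineering indicators.

Added example (not part of the original column): scores a message on the
lures the article describes (lottery wins, card-blocked/KYC pretexts, job
offers, token payments, OTP requests) together with embedded links and
callback numbers. Rule weights, threshold and sample messages are all
constructed for this illustration.
"""
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
# 10-digit Indian mobile numbers, optionally prefixed with +91 or 0
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[-\s]?|0)?[6-9]\d{9}(?!\d)")
OTP_RE = re.compile(r"\b(?:otp|one[-\s]?time\s+password|cvv|pin)\b", re.IGNORECASE)

# (rule name, weight, pattern); weights are an editorial assumption
LURE_RULES = [
    ("lottery_lure", 3, re.compile(r"\b(?:lottery|lucky draw|prize|winner|won)\b", re.I)),
    ("card_blocked", 3, re.compile(r"\b(?:kyc|blocked|suspended|deactivated)\b", re.I)),
    ("job_offer", 2, re.compile(r"\b(?:job offer|salary|recruit|vacancy)\b", re.I)),
    ("token_payment", 3, re.compile(r"\b(?:token (?:amount|sum|fee)|processing fee|registration fee)\b", re.I)),
    ("urgency", 1, re.compile(r"\b(?:immediately|within 24 hours|urgent|urgently)\b", re.I)),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    phones: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for the example: roughly one lure plus a link or number
        return self.score >= 4


def triage_message(text: str) -> Verdict:
    """Score one message and record which indicators fired."""
    v = Verdict()
    for name, weight, pattern in LURE_RULES:
        if pattern.search(text):
            v.score += weight
            v.reasons.append(name)
    v.urls = URL_RE.findall(text)
    if v.urls:
        v.score += 2
        v.reasons.append("contains_link")
    v.phones = PHONE_RE.findall(text)
    if v.phones:
        v.score += 1
        v.reasons.append("callback_number")
    if OTP_RE.search(text):
        v.score += 3
        v.reasons.append("asks_for_otp_or_pin")
    return v


# Constructed sample messages (not real fraud texts)
LOTTERY_SMS = ("Congratulations! Your mobile number has won a lottery of Rs 25 lakh. "
               "Pay a token amount of Rs 999 to claim. Call 9876543210")
KYC_SMS = ("Dear customer, your debit card has been blocked due to incomplete KYC. "
           "Update at http://bank-kyc-update.example/verify within 24 hours")
BENIGN_SMS = "Your order #1234 has been dispatched and will arrive on Thursday."

if __name__ == "__main__":
    for label, msg in [("lottery", LOTTERY_SMS), ("kyc", KYC_SMS), ("benign", BENIGN_SMS)]:
        verdict = triage_message(msg)
        print(f"{label}: score={verdict.score} suspicious={verdict.suspicious} reasons={verdict.reasons}")
```

The lottery sample trips the lure, token-payment and callback-number rules; the card sample trips the blocked/KYC pretext, the urgency wording and the embedded link; the delivery notice scores zero. Keyword rules of this kind are deliberately coarse, so treat the score as a prompt to verify through the bank's or company's published contact details, never as proof either way.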
ATTACKS ON PERSONAL COMPUTERS
Personal computers have become increasingly personalized, with computers and laptops becoming an extended part of our bodies. Increasingly, data and information which were earlier stored on paper and in physical files and folders have given way to computer devices. Documents, photos, audio and video files, movies, music etc. are no longer available on physical media. Even if available on physical media, the storage media and devices have become miniaturized and storage capacities on smaller storage devices have increased dramatically. At the same time, protection and safeguarding of information on digital media is equally important. In fact, securing digital media and storage devices is a very difficult task too.
It is important to protect such devices from individuals physically as well as from attacks by viruses/ malicious software.
Some methods of attack on Computers are as follows:
(A) Virus Attack through External Devices – External devices like CDs or pen drives or external hard disks can be inserted into and used with laptops/ computers to introduce viruses that steal data.
Sometimes, the user may have to copy files into folders which automatically get hidden on pen drives/ disks; or
in other cases, the mere insertion of a pen drive or disk may be enough to copy all files from a computer; or
the pen drives may copy or introduce viruses onto PCs or laptops, and these viruses can automatically send user data or documents remotely to an attacker.
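Before opening anything on a pen drive or external disk of uncertain origin, it helps to list what is actually on it rather than what the file manager chooses to show. The script below is an added example (not part of the original column) that walks a mounted drive path and reports the items the text warns about: hidden files and folders, an autorun.inf, executables dressed up as photos or documents through a double extension, and shortcut files. The sample drive layout is constructed inside a temporary directory so the script runs offline; point inspect_removable() at a real mount path to use it.

```python
"""Inspect a removable drive's contents before using the files on it.

Added example, not part of the original column. It walks a mounted pen
drive / disk path and reports the things the text warns about: hidden
files and folders, an autorun.inf, executables posing as documents via a
double extension, and shortcut files. demo() builds a constructed sample
layout in a temporary directory so the script runs anywhere offline.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".msi"}
DOC_EXT = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
           ".mp3", ".mp4", ".txt"}


def classify(path: Path) -> list[str]:
    """Return the reasons a file or directory deserves a second look (empty if none)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.startswith("."):
        reasons.append("hidden")          # dot-hidden on Unix-like systems
    if path.name.lower() == "autorun.inf":
        reasons.append("autorun")         # auto-launch instructions honoured by older Windows versions
    if suffixes and suffixes[-1] in EXEC_EXT:
        reasons.append("executable")
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT:
            reasons.append("double_extension")  # e.g. trip.jpg.exe displayed as trip.jpg
    if suffixes and suffixes[-1] == ".lnk":
        reasons.append("shortcut")        # shortcut that may point at a hidden executable
    return reasons


def inspect_removable(root: Path) -> dict[str, list[str]]:
    """Walk the drive and map each suspicious relative path to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            p = Path(dirpath) / entry
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_drive(base: Path) -> Path:
    """Construct a sample pen-drive layout for the example (not real data)."""
    (base / "Photos").mkdir()
    (base / "Photos" / "trip.jpg").write_bytes(b"\xff\xd8 sample")
    (base / "Photos" / "trip.jpg.exe").write_bytes(b"MZ sample")
    (base / ".backup").mkdir()
    (base / ".backup" / "copied.docx").write_bytes(b"sample")
    (base / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (base / "Photos.lnk").write_bytes(b"sample")
    (base / "report.pdf").write_bytes(b"%PDF sample")
    return base


def demo() -> dict[str, list[str]]:
    """Build the sample layout in a temp directory and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_removable(build_sample_drive(Path(tmp)))


if __name__ == "__main__":
    for rel_path, reasons in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

On the sample layout the scan reports the dot-hidden .backup folder, the autorun.inf, the trip.jpg.exe double extension and the Photos.lnk shortcut, and stays silent on the genuine photo and PDF. The hidden check here only looks at the leading dot; on Windows a real scan would also read the hidden file attribute, which the text's "folders which automatically get hidden" refers to.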
(B) Virus Attack by Downloading files from untrusted websites –
Sometimes, if we access untrusted websites, viruses or malicious software get downloaded onto user PCs/ laptops automatically. These viruses can damage computers or compromise them or the user’s data or information.
Often such viruses are downloaded along with music or audio or document files, or by clicking on advertisements or URLs.
(C) Installation of malicious Software – Software downloaded from untrusted sources can compromise computer security.
Particularly vulnerable are applications, games, calculators and similar files; once downloaded, the viruses can spread to all files on the computer and corrupt them, or even send user data to the attackers or fraudsters.
These files can also slow down computers or even lead to deletion of data on computers or corruption of data, making the data unusable in its original form.
– Computers/ laptops should have a firewall installed;
– Computers should have updated anti-virus installed and enabled and running at all times;
– Always scan external devices like pen drives/ CDs/ Hard disks for viruses or trojans or malicious softwares;
– Always keep Bluetooth and infra-red in INVISIBLE mode unless you are actually using it to transfer files etc.
– Before disposing of computers or smartphones or storage devices etc., always wipe the devices clean of all personal information and data, including files and folders created/ used by you;
– Clear the browser history periodically;
– Do not save personal data and passwords in browser;
– For mobiles, always ‘FACTORY RESET’ the phones before selling;
– Never download or install PIRATED SOFTWARES or applications on your PCs or smartphones etc.
– Use of pirated software is ILLEGAL and violates copyright laws besides being a security threat;
– Do not click on URLs or links received in emails, SMS or social media apps – these can lead to malicious softwares/ websites;
– Do not click on advertisements from unknown, untrustworthy sources or companies;
– Always check whether https appears on financial websites before making online transactions. Websites/ links having https indicate that the communications with such websites and webpages are encrypted and hence safe from eavesdropping during transit; https by itself does not confirm that the website belongs to the company it claims to be, so check the address as well.
– Always read terms and conditions of apps before installation.
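The https check in the list above is necessary but not sufficient: a fraudster's page can carry https too, and the lottery, card-blocking and job lures earlier in the article all rely on the victim not looking closely at the address. The following function is an added example (not part of the original column) that inspects a link before it is trusted with a transaction. It applies the https rule and then checks the hostname itself: no bare IP address, no punycode, and the host must be a trusted domain or a genuine subdomain of one rather than a lookalike spelling or a trusted name embedded inside a longer, attacker-controlled hostname. TRUSTED_DOMAINS is a constructed placeholder; a real deployment would hold the bank's published domain.

```python
"""Check a link before trusting it with a financial transaction.

Added example, not part of the original column. It applies the https
advice from the list above and adds the checks https alone does not
cover: the host must not be a raw IP address or punycode, and it must be
a trusted domain (or a genuine subdomain of one) rather than a lookalike
or a trusted name tucked inside a longer attacker-controlled hostname.
TRUSTED_DOMAINS is a constructed placeholder; use the bank's published
domain in practice.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.in", "examplepay.com"}   # constructed placeholder


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return a list of warnings; an empty list means the link passed every check."""
    warnings: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not_https")           # the article's check: no https, no transaction
    if not host:
        warnings.append("no_host")
        return warnings
    if is_ip(host):
        warnings.append("ip_address_host")     # legitimate banks do not use bare IPs
    if "xn--" in host:
        warnings.append("punycode_host")       # internationalised name, may hide lookalike letters
    # Exact match or a genuine subdomain (netbanking.examplebank.in) is accepted.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return warnings
    warnings.append("untrusted_host")
    # examplebank.in.kyc-update.example embeds the trusted name but is another domain entirely.
    if any(t in host for t in trusted):
        warnings.append("embeds_trusted_name")
    for t in sorted(trusted):
        if levenshtein(host, t) <= 2:          # e.g. examp1ebank.in
            warnings.append(f"lookalike_of_{t}")
    return warnings


if __name__ == "__main__":
    for link in ("https://examplebank.in/login",
                 "http://examplebank.in/login",
                 "https://examplebank.in.kyc-update.example/verify",
                 "https://examp1ebank.in/",
                 "http://192.168.1.10/bank"):
        print(f"{link}: {check_link(link) or 'ok'}")
```

The subdomain test uses endswith("." + trusted) rather than a substring match on purpose: "examplebank.in" appearing anywhere in the host is exactly the trick the embedded-name warning is for. A production check would also look at the certificate's subject and at the registrable domain (public-suffix aware) instead of this simplified suffix rule.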