
Social Engineering and Identity Theft
Learning Objectives

• To learn the process of social engineering and how to prevent it.
• To discuss the aspects of identity theft in information technology.

Social Engineering
• Social engineering is the art of manipulating people so they give up confidential information.
• The types of information these criminals are seeking can vary, but when individuals are
targeted the criminals are usually trying to trick you into giving them your passwords or
bank information, or access your computer to secretly install malicious software that will
give them access to your passwords and bank information as well as giving them control
over your computer.
• Criminals use social engineering tactics because it is usually easier to exploit your natural
inclination to trust than it is to discover ways to hack your software. For example, it is
much easier to fool someone into giving you their password than it is for you to try
hacking their password (unless the password is really weak).

Source: https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering
Common examples of social engineering
• Phishing: tactics include deceptive emails, websites, and text messages to steal
information.
• Baiting: an online and physical social engineering attack that promises the victim
a reward.
• Malware: victims are tricked into believing that malware is installed on their
computer and that if they pay, the malware will be removed.
• Pretexting: uses false identity to trick victims into giving up information.
• Quid Pro Quo: relies on an exchange of information or service to convince the
victim to act.
• Tailgating: relies on human trust to give the criminal physical access to a secure
building or area.
Source: https://terranovasecurity.com/examples-of-social-engineering-attacks/
Why do hackers perform social engineering?
• Bad guys use social engineering to break into systems because they can. They
want someone to open the door to the organization so that they don’t have to
break in and risk getting caught.
• Most social engineers perform their attacks slowly, so they’re not so obvious
and don’t raise suspicion. The bad guys gather bits of information over time
and use the information to create a broader picture. Social engineers know that
many organizations don’t have formal data classification, access-control
systems, incident-response plans, and security awareness programs.
• Social engineers know a lot about a lot of things — both inside and outside
their target organizations — because it helps them in their efforts. The more
information social engineers gain about organizations, the easier it is for them
to pose as employees or other trusted insiders.

Effective social engineers can obtain the following information:

• User or administrator passwords
• Security badges or keys to the building and even the computer room
• Intellectual property such as design specifications, formulae, or other research and development documentation
• Confidential financial reports
• Private and confidential employee information
• Customer lists and sales prospects

How to perform Social Engineering?

• Perform research.
• Build trust.
• Exploit the relationship for information through words,
actions, or technology.
• Use the information gathered for malicious purposes.

How is social engineering done?
• Shoulder surfing
• Impersonation
• Phishing / social engineering
• Eavesdropping
• Dumpster diving /

Building trust
• Likability:
• Who can’t relate to a nice person? Everyone loves courtesy. The friendlier the social
engineer — without going overboard — the better his chances of getting what he wants.
Social engineers often begin by establishing common interests. They often use information
they gained in the research phase to determine what the victim likes and act as if they like
those things as well. For instance, they can phone victims or meet them in person and, based
on information they’ve learned about the person, start talking about local sports teams or
how wonderful it is to be single again. A few low-key and well-articulated comments can be
the start of a nice new relationship.
• Believability:
• Of course, believability is based in part on the knowledge that social engineers have and
how likable they are. But social engineers also use impersonation — perhaps posing as a
new employee or fellow employee that the victim hasn’t met. They may even pose as a
vendor that does business with the organization. They often modestly claim authority to
influence people. The most common social-engineering trick is to do something nice so that
the victim feels obligated to be nice in return or to be a team player for the organization.

Deceit through words and actions in Social Engineering
• Acting overly friendly or eager
• Mentioning names of prominent people within the organization
• Bragging about authority within the organization
• Threatening reprimands if requests aren’t honored
• Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet, because more conscious
effort is required to control body parts that are farther from the face)
• Overemphasizing details
• Physiological changes, such as dilated pupils or changes in voice pitch
• Appearing rushed
• Refusing to give information
• Volunteering information and answering unasked questions
• Knowing information that an outsider should not have
• A known outsider using insider speech or slang
• Asking strange questions
• Misspelling words in written communications

Social Engineering Recommendations
• Do not open any emails from untrusted sources. Contact a friend or family
member in person or by phone if you receive a suspicious email message from
them.
• Do not give offers from strangers the benefit of the doubt. If they seem too good
to be true, they probably are.
• Lock your laptop whenever you are away from your workstation.
• Purchase anti-virus software. No AV solution can defend against every threat that
seeks to jeopardize users’ information, but they can help protect against some.
• Read your company’s privacy policy to understand under what circumstances you
can or should let a stranger into the building.

Social engineering may lead to identity theft
• Identity theft is when someone uses your personal information such as your name, social security
number, credit card number, and so on, without your permission to commit or attempt to commit fraud or
other criminal actions. Examples:
• 1. Driver's License Identity Theft
• 2. Mail Identity Theft
• 3. Debit Card Fraud or Credit Card Fraud
• 4. Online Shopping Fraud
• 5. Social Security Number Identity Theft
• 6. Account Takeover Identity Theft
• 7. Senior Identity Theft/Senior Scams
• 8. Child Identity Theft
• 9. Tax Identity Theft
• 10. Biometric ID Theft
• 11. Criminal Identity Theft
• 12. Synthetic Identity Theft
• 13. New Account Takeover
• 14. Medical Identity Theft
• 15. Loan Stacking Fraud
• 16. Mortgage Fraud
• 17. Auto Lending Fraud
• 18. Employment Identity Theft
• 19. Bust-Out Fraud
• 20. Internet of Things Identity Theft
Source: experian.com/blogs/ask-experian/20-types-of-identity-theft-and-fraud/
10 steps to recover if your identity is stolen
• 1. Notify affected creditors or banks
• 2. Put a fraud alert on your credit report
• 3. Check your credit reports
• 4. Freeze your credit
• 5. Report the identity theft to the authorities
• 6. Go to the police
• 7. Remove fraudulent info from your credit report
• 8. Change all affected account passwords
• 9. Replace your stolen identification
• 10. Contact your telephone and utility companies

Source: https://www.bankrate.com/finance/credit/steps-for-victims-of-identity-fraud.aspx
References

• Beaver, K., “Hacking for Dummies”, Wiley Publishing, Inc., 2004
• Meyer, K., “Digital Security Awareness”, www.alison.com, 2019
• webroot.com/us/en/resources/tips-articles/what-is-social-engineering
• terranovasecurity.com/examples-of-social-engineering-attacks/
• experian.com/blogs/ask-experian/20-types-of-identity-theft-and-fraud/
• bankrate.com/finance/credit/steps-for-victims-of-identity-fraud.aspx
