IDENTIFY SOCIAL ENGINEERING EXPLOITS, COUNTERACT SOCIAL ENGINEERING EXPLOITS, GUARD AGAINST CYBER CRIME
Md. Hossain Bin Amin
Senior Programmer
Bangladesh Computer Council
Information and Communication Technology Division
hosain.amin@bcc.gov.bd
Module Summary
• Identify Social Engineering Exploits
• Counteract Social Engineering Exploits
• Guard against Cyber Crime
Identify Social Engineering Exploits
• Understand the principles of social engineering
• Define the goals of social engineering
• Recognize the signs of social engineering
• Identify ways to protect yourself from social engineering
Social Engineering
What is Social Engineering?
The art of manipulating people so that they give up confidential information or break standard security practices.
What Info is Confidential?
Facts About Social Engineering
Everyone is a potential target!
It’s often easier for cybercriminals to manipulate a human than a computer network or system.
Attacks can be relatively low-tech, low-cost, and easy to execute.
Technology is rapidly accelerating along with the sophistication of attacks.
Social Engineering Attack Cycle
Common Social Engineering Attacks
• Phishing / Spear Phishing
• Pretexting
• Vishing
• Smishing
• Baiting
• Scareware
• Dumpster Diving
• Shoulder Surfing
• Ransomware
What is Pretexting?
Pretexting is a social engineering technique in which a fictional situation is created for the purpose of obtaining personal and sensitive information from an unsuspecting individual.
Pretexting Techniques & Goals
How is Pretexting Done?
• Attackers impersonate co-workers, police officers, bankers, tax authorities, or charitable organizations.
• An attacker builds a credible story (pretext) that leaves little room for doubt on the part of their target.
• A false sense of trust is developed with the target.
• A pretexter may ask a series of questions designed to gather personally identifiable information.
Why is it Done?
• Obtain Sensitive Information – Social security number, mother's maiden name, place or date of birth, or account numbers.
What is Phishing?
A type of attack often used to steal user data, including login credentials, personally identifiable information or credit card numbers. It occurs when an attacker poses as a trusted entity and dupes a victim into opening an email or instant message.
10 Eye-Catching Spear Phishing Statistics – 2022
1. 65% of Targeted Attacks by Hacker Groups Involve Spear Phishing [Source: Symantec]
2. 88% of Organizations Faced Spear Phishing Attacks during a Single Year [Source: Proofpoint]
3. 95% of Successful Enterprise Network Attacks Involve Spear Phishing [Source: Security Intelligence]
4. 87% of Spear Phishing Attacks Occur During the Workweek [Source: Statista]
5. Tuesday Is the Most Popular Day for Spear Phishing [Source: Statista]
6. SolarWinds Hackers Target Around 3,000 Emails in Spear Phishing Attempt [Source: AP News]
7. Spear Phishing Attachments and Links Are 2 of the Top 3 Techniques for Gaining Access [Source: McAfee]
8. The Cost of Phishing Scams Tripled in 6 Years [Source: Proofpoint]
9. Scammer Used Spear Phishing to Steal More Than $100 Million from Google and Facebook [Source: CNBC]
10. 12 Russian Operatives Were Behind Spear Phishing Attack Resulting in DNC Email Leak, Compromising More Than 19,000 Emails and Over 8,000 Attachments [Source: CNBC & Vox]
Common Signs of Phishing
Too Good To Be True
• Eye-catching or attention-grabbing offers designed to attract people’s attention immediately. For instance, a claim that you have won an iPhone, a lottery, or some other prize.
Sense of Urgency
• Act fast because the super deals are only for a limited time.
• Your account will be suspended unless you update your personal details immediately.
Hyperlinks
• Click here to claim your offer.
• Click here to change your login credentials.
Attachments
• Often contain ransomware, malware or other viruses.
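The four signs above (too-good-to-be-true offers, urgency, suspicious hyperlinks, risky attachments) can be turned into a simple triage check that a help desk or mail filter could run before a human looks at a reported message. The block below is an added example written for this module, not code from the original slides; the phrase lists, the `score_message` function and the two sample messages are constructed assumptions for illustration, and the message layout (subject, body, sender, a list of link text/target pairs, attachment names) is a simplified stand-in for a parsed email.

```python
"""Heuristic phishing-sign scorer over constructed sample messages (added example)."""
import re
from urllib.parse import urlparse

# Illustrative phrase lists for the signs discussed in the slides (assumed, not exhaustive).
TOO_GOOD_TO_BE_TRUE = ("you have won", "congratulations", "free iphone", "lottery", "prize")
URGENCY = ("act fast", "limited time", "immediately", "will be suspended", "within 24 hours")
CREDENTIAL_LURE = ("login credentials", "verify your account",
                   "update your personal details", "password")
# Attachment types that commonly carry executable content or macros.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".zip", ".docm", ".xlsm")


def _domain(url):
    """Return the registrable-looking domain (last two labels) of a URL, or the raw IP."""
    host = (urlparse(url).hostname or "").lower()
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(message):
    """Return (score, reasons) for a message dict with keys:
    sender, subject, body, links (list of (display_text, href)), attachments (filenames).
    Every matched sign adds one reason; the score is the number of reasons."""
    reasons = []
    text = f"{message.get('subject', '')} {message.get('body', '')}".lower()

    if any(p in text for p in TOO_GOOD_TO_BE_TRUE):
        reasons.append("too good to be true: prize or giveaway language")
    if any(p in text for p in URGENCY):
        reasons.append("sense of urgency: deadline or suspension threat")
    if any(p in text for p in CREDENTIAL_LURE):
        reasons.append("asks for credentials or personal details")

    sender_domain = _domain("http://" + message.get("sender", "").split("@")[-1])
    for display, href in message.get("links", []):
        # Link text that looks like a URL but leads somewhere else is a classic lure.
        if display.lower().startswith(("http://", "https://")) and _domain(display) != _domain(href):
            reasons.append(f"link text {display} points to {href}")
        elif _domain(href) != sender_domain:
            reasons.append(f"link to {_domain(href)} does not match sender domain {sender_domain}")
        if re.match(r"^https?://\d+\.\d+\.\d+\.\d+", href):
            reasons.append(f"link uses a raw IP address: {href}")

    for name in message.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment type: {name}")

    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = {
    "sender": "security@paypa1-support.example",
    "subject": "Your account will be suspended",
    "body": ("Act fast: update your personal details immediately or your account "
             "will be suspended. Click here to verify your account."),
    "links": [("https://www.paypal.example", "http://203.0.113.5/login")],
    "attachments": ["invoice.zip"],
}
LEGIT = {
    "sender": "newsletter@example.org",
    "subject": "October team update",
    "body": "Minutes from the planning meeting are on the intranet. Reply with corrections by Friday.",
    "links": [("Planning minutes", "https://intranet.example.org/minutes/oct")],
    "attachments": ["agenda.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_message(msg)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

The constructed phishing sample scores 5 (urgency, credential lure, mismatched link text, raw-IP link, risky attachment) and the benign sample scores 0. A score like this is only a prompt for a human to look closer, not a verdict: legitimate mail from a third-party mailing service will trip the sender-domain rule, and a well-crafted spear phishing message may trip none of them, which is why the slides pair these signs with training and verification procedures.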
Phishing Email
Other Forms of Phishing
Spear Phishing
• Similar to phishing, spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business.
Other Forms of Phishing
Vishing (Voice Phishing)
• An attacker calls their target and uses an automated recording designed to generate fear. The recording will ask the target to call a number to resolve the issue.
Other Forms of Phishing
Smishing (SMS Phishing)
• An attacker tries to trick you into giving them your private information by sending you a text message.
Hangphish
Class Activity 1
What is Baiting?
Involves offering something physically or digitally enticing to a target in exchange for login information or private data.
Baiting Techniques
Free Media Download
• Attackers publish download links on the web, mostly containing malicious software, offering free music, movies, or video games if the target surrenders their login credentials to a certain site.
Unusually Low-Priced Product
• Attackers advertise extremely low-priced products in an online store they created, hoping individuals will attempt to purchase the product and give up their credit or debit card details.
Compromised USB Drive
• An infected USB drive is used to inject malware, redirect you to phishing websites, or give a hacker access to your computer.
What is Ransomware?
Malicious software (malware) that prevents users from accessing their system or personal files and demands a ransom payment from the user in order to regain access.
Ransomware - WannaCry
Dumpster Diving
An attacker digs through trash looking for personal or confidential information that can be used to carry out an attack on a person or business.
Shoulder Surfing
Shoulder surfing involves looking over a person's shoulder to gather personal information while the victim is unaware. This is especially effective in crowded places where a person uses a computer, smartphone or ATM.
Social engineering prevention
The following tips can help improve your vigilance in relation to social engineering attacks.
Counteract Social Engineering Exploits
Counteracting social engineering exploits involves a combination of awareness, education, and implementing security measures.
Employee Training: Conduct regular training sessions to educate employees about different types of social engineering attacks and how to recognize and respond to them. Encourage skepticism toward unsolicited requests for information or actions.
Implement Strong Policies: Establish and enforce strict policies regarding information sharing, access controls, and verification procedures. Ensure that employees are aware of these policies and adhere to them.
Use Multi-Factor Authentication (MFA): Implement MFA wherever possible to add an extra layer of security, making it harder for attackers to access systems even if they obtain login credentials.
Regular Updates and Patches: Keep systems, software, and security protocols up to date with the latest patches and updates to minimize vulnerabilities that attackers could exploit.
Limit Access Controls: Restrict access to sensitive information or critical systems only to those who require it for their roles. This minimizes the risk of unauthorized access in case of a successful social engineering attack.
Incident Response Plans: Develop and regularly update incident response plans. This includes procedures for reporting suspected social engineering attempts and steps to mitigate potential damage.
Security Awareness Culture: Foster a culture of security awareness within the organization. Encourage employees to report suspicious activities promptly without fear of reprisal.
Regular Simulated Attacks: Conduct simulated social engineering attacks (like phishing simulations) to test employee awareness and responsiveness. Use these simulations as teaching moments to improve vigilance.
Continuous Monitoring: Implement systems that continuously monitor network activities for any irregularities or suspicious behavior, enabling quick identification and response to potential breaches.
Guard against Cyber Crime
What is cybercrime?
Cybercrime is any crime that takes place online or primarily online. Cybercriminals often commit crimes by targeting computer networks or devices.
How to protect yourself against cybercrime
Use strong passwords
Keep your software updated
Firewalls and Security Software: Install and maintain firewalls, antivirus, anti-malware, and other security software to detect and prevent intrusions.
Data Encryption: Encrypt sensitive data, both in transit and at rest, to safeguard it from unauthorized access even if intercepted.
Regular Backups: Perform regular backups of critical data and systems to mitigate the impact of ransomware attacks or data breaches.
Employee Training and Awareness: Train employees on cyber security best practices, including recognizing phishing attempts, social engineering, and proper handling of sensitive information.
Access Controls and Least Privilege: Implement access controls that restrict access to data and systems based on the principle of least privilege. Users should only have access to what they need to perform their jobs.
Incident Response Plan: Develop and regularly update an incident response plan to swiftly and effectively respond to cyber incidents. This plan should include steps for containment, investigation, and recovery.
Network Segmentation: Segment networks to minimize the potential impact of a breach by containing threats within specific areas and preventing lateral movement.
Monitoring and Auditing: Employ continuous monitoring and auditing of network activities to detect anomalies or suspicious behavior early.
Vendor Risk Management: Assess and manage the cybersecurity risks posed by third-party vendors or partners who have access to your systems or data.
Compliance with Regulations: Ensure compliance with relevant data protection laws and industry regulations to avoid penalties and maintain a strong security posture.
Cyber Insurance: Consider investing in cyber insurance to help mitigate financial losses in case of a cyber incident.
Regular Security Assessments: Conduct regular cybersecurity assessments and penetration testing to identify weaknesses and proactively address them.
National legal framework on Cyber Security
• ICT Act, 2006
• Cyber Security Act, 2023
• Government of Bangladesh Information Security Manual
• Cyber Security Strategy
• Government Email Policy 2018
• User Policy of National Data Center
• Data Protection Act (draft)
• National Cloud Computing Policy (draft)
• National ICT Policy 2018
References
13 Alarming Cyber Security Facts and Stats. Cybint Cyber Solutions. 3 Dec. 2018. https://www.cybintsolutions.com/cyber-security-facts-stats/
Social Engineering. Imperva Incapsula. 2 Mar. 2019. https://www.incapsula.com/web-application-security/social-engineering-attack.html
Three Scary Social Engineering Facts. Proofpoint. 31 Oct. 2016. https://www.wombatsecurity.com/blog/three-scary-social-engineering-facts
Spear Phishing Statistics. Firewall Times. https://firewalltimes.com/spear-phishing-statistics/
Google Images search "how pretexting work" (illustration source). https://www.google.com/search?q=how+Pretexting+work&tbm=isch&hl=en-US&chips=q:how+pretexting+work,online_chips:social+engineering+attacks:0melweBZKpg%3D&sa=X&ved=2ahUKEwiRzf7fmOGCAxUlSmwGHTC7Cr0Q4lYoAnoECAEQNQ&biw=1903&bih=945#imgrc=dRwT7Qnuf9sRxM