An August 2021 news report says that a Los Angeles man pleaded guilty to the charge of gaining unauthorised access to at least 200 iCloud user accounts. He had obtained at least 4,700 account IDs and passwords. How did he do this? He did it by social engineering.
Social engineering is basically an attacker pretending to be someone they are not, in order to trick a person into giving them access to information they are not authorised to have. It is the use of social interaction to engineer someone into handing an attacker access to that information.
In this case, the attacker created Gmail accounts and pretended to be emailing from Apple technical support. Over 4,000 of his targets simply sent him their Apple IDs and passwords.
The use of email to (attempt to) obtain confidential information is called phishing. Phishing messages sometimes attempt to trick the reader into clicking links that lead to a website the attacker controls, which is then used to collect the desired information. In this case, the victims simply sent their login details themselves.
Here in Kenya, we have people who send text messages pretending to be from a bank, a mobile network operator, a money-lending organisation, a child's school and so on. Their aim is usually either to get the target's mobile money PIN or to get cash sent to them directly. This use of SMS is called a smishing attack.
What To Do
Awareness, and the good practice that follows from it, is the best defence against social engineering. If you are aware of such tricks, you are far less likely to divulge confidential information. Users of technology should know never to share passwords or PINs with anyone, and certainly not with a stranger who has sent them a message or even phoned them. As one local mobile network operator says, "Your PIN is your secret." Mobile network companies, banks and other organisations do not need to know your PIN in order to offer you any form of support.