Social Engineering


Social Engineering is the act of deceiving someone into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim's natural tendencies and emotional reactions.

A typical hacker might look for software vulnerabilities to access a computer network. In contrast, social engineers tend to pose as technical support to trick an employee into divulging their login credentials. The fraudster hopes to prey on the employee's instinct to act first and think later.

Types of Social Engineering Attacks

Baiting

As with fishing, baiting is dangling something valuable in front of the victim, enticing them to take action.

Example:

The cybercriminal leaves a USB stick, loaded with malware, in a place where the target will see it. The USB stick might be labelled in a compelling way, such as "Confidential" or "Bonuses". A target who takes the bait will plug it into a computer to see what is on it, and the malware then installs itself on the computer automatically.

Phishing

Phishing is a well-known method of getting information from an unknowing victim. Despite being widely recognised, phishing remains a successful social engineering method of attack. The attacker sends an email or text to the victim, seeking information that they can use to help with a more significant crime.

Example:

The attacker sends emails that appear to come from a trusted source to the would-be victim. The source could be a bank asking recipients to click on a link to log in to their account.

Victims who click the link are taken to a fake website that, like the email, appears to be legitimate. When victims log in to the fake site, they are essentially handing over their login credentials to the attacker.

Spear Phishing

Spear phishing is when attackers target, or "spear", a specific person. The attacker can track down the name and email address of an HR person within a particular company. The criminal then sends that person an email that appears to come from a high-level company executive.

Email Hacking & Contact Spamming

All of us will naturally pay attention to messages from people we know. Attackers try to take advantage of this by hijacking email accounts and spamming their existing contact lists.

Example:

When you receive an email from a friend with the subject "Check this out, I think you will love it!", you might not think twice before clicking on it. By taking over someone's email account, an attacker can make everyone on the contact list believe they are getting an email from someone they know.

The main goals are spreading malware or tricking people out of their data.

Pretexting

Pretexting is the use of an intriguing pretext, or ploy, to capture a victim's attention. Once the narrative hooks the victim, the attacker tries to trick the would-be victim into providing something of value.

Example:

Victims receive an email that names them as the beneficiary of a will. The email requests personal information to prove the victim is the actual beneficiary. Instead, the victim is at risk of giving a cyber attacker access to valuable information.

Quid Pro Quo

This scam involves an exchange. The attacker makes the victim believe it is a fair exchange, which is far from the truth as the attacker always comes out on top.

Example:

The attacker calls the target pretending to be a support technician. The victim then hands over the login credentials to their computer, thinking they are receiving technical support in return. Instead, the attacker can now take control of the victim's computer, loading it with malware or, perhaps, stealing personal information from the computer to commit identity theft.

Vishing

Vishing is the voice version of phishing: the "V" stands for voice, and otherwise the scam attempt is the same. The attacker uses the phone to trick a victim into handing over valuable information.

Tips to Avoid being a Social Engineering Victim

Consider the Source

A found USB stick is not a safe thing to insert into your computer.

Double-check a text or email from an apparently trusted source before acting on it.

Slow Down

Attackers often rely on their victims to act without thinking. Slowing down and thinking about a request you receive in person or online can save you a lot of pain.

If it sounds too good/odd to be true

It probably is. Don't click on a link or divulge information to someone who is promising you an inheritance from a prince.

Install an anti-virus or security suite

Many tools have been developed, and are continually updated, to help keep you and your computer safe from cyber attackers. Make sure you invest in high-quality security software.

Your email software can help you

Email software often knows when an email is a spam message. Keep a lookout for what your email software is telling you about the emails you are receiving.
