Social Engineering, also known as Social Manipulation, is one of the most widespread cybersecurity attacks affecting a large proportion of Internet users.
Social Engineering implies that hackers take advantage of human weakness rather than a vulnerability in the technological system in order to plan and execute attacks. The end goal being to manipulate someone into divulging their sensitive information or compromise access to data networks in an organization.
For example, you meet an intruder who is posing as an IT helpdesk staff and he tricks you into sharing your username and password. The intruder could use these credentials to log in and access your organization’s data center and cause a large-scale breach of privacy and data.
A real-world example can be seen in the 2019 spear-phishing attack where scammers were able to hold the city of Ocala, Florida ransom for more than $500,000. An Ocala employee got an email from an address that claimed to be of that her superior, asking to initiate an electronic money transfer to a specific account. The employee believed that the mail came from her superior and she therefore made the transfer. Later it was revealed that the e-mail was fraudulent and the account didn't belong to anyone concerned with the city of Ocala.
Attacks like these happen because hackers know how to play with the human tendency to trust. They know that a carefully crafted e-mail, voicemail, or text message can convince people to send money or provide sensitive information. Hackers also target many people at the same time, meaning even with a smaller rate of success, they can make a quick, easy, and substantial amount of money.
Social Engineering attacks can occur in multiple ways. To defend against these different methods of attacks, the organizations must have different prevention mechanisms. Below we discuss several types of social engineering attacks:
Baiting is comprised of creating a trap for the victim using the victim's curiosity to steal information, compromise the system or steal money. For example, you can stumble on a USB stick one day and your curiosity might lead you to put it in your system. It might not occur to you at first, but the USB stick might be infected with malware and that can crash your entire system. In fact, there are some USB drives that charge themselves from the USB ports in your computer and then use this charge to cause a power surge in your computer, damaging the device altogether.
This type of social engineering attack looks harmless at first as it utilizes familiar pretexts to garner the attention of the victim. For example, you can find an online form that asks you to fill some general information. Once you fill out that form, you will receive another form where you will be asked to input more sensitive information such as your debit/credit card numbers, security code, and bank account details because of trust instilled by the first.
Perhaps the most common type of social engineering attack, known as phishing attacks, involve a text message or an email that appears to be coming from a source you trust. For example, you might receive an email that resembles a communication from your bank. Most times, these emails will consist of a link that will take you to a suspicious website where it will ask you to fill in your banking details. The hacker will then record the login information and then use them to login to your net banking account .
A specialized form of phishing is known as spear phishing. This can be seen when an employee receives a fake email from his/her superior and he/she is tasked to perform a money transfer. The example shared above in the blog was an example of spear phishing. Other types of phishing include vishing and smishing. Cybercriminals use SMS text messages to mislead their victims into providing sensitive information and in the case of vishing attack, criminals attempt to trick victims into sharing sensitive information over a phone call or using voice message.
This type of social engineering attack takes advantage of a victim’s fear, anxiety, or the perception of a threat and manipulates the users to download or buy malicious, sometimes useless, software. A scarecrow can come in form of a pop-up window telling people that their computer is out of date or its hacked and they need to update it by clicking on a link present in the window urgently. The specified link is malicious so that when a user clicks on it, it downloads malware that can cause damage to the system.
The Gartner Magic Quarter Quadrant for Security Awareness Computer-Based Training states that "People affect IT security outcomes of an organization more than any technology or processes". In fact, human error is the single greatest cause of security and data breaches around the world. Educating ourselves on the various social engineering attacks and adhering to certain guidelines can help us identify these attacks and allow us to take appropriate steps.
Below we will explore the different ways you can protect yourself against social engineering attacks.
1. Remove/ do not accept any personal information or credentials requests. No one should contact you unsolicited for personal information via email or over a phone. It's a trick if you get asked for it.
2. Reject help demands or offers of assistance. Social engineer attackers may and will either request your knowledge assistance or offer to assist you (e.g. posing as tech support). If you have not asked the sender for any help, consider any requests or bid a scam. Before you commit to sending them something, do your own research about the sender.
3. Set the spam filters to a high level. There are spam filters on your email program. To stop malicious messages coming into your inbox, check your settings and set them high. Only remember to regularly review them, as valid messages can be stuck there from time to time.
4. Protect your gadgets. Your anti-virus applications, firewalls, and email filters are frequently installed, maintained, and updated. If you can, set up automatic updates and just access protected websites. Think VPN.
5. Always be aware of threats. Ensure due diligence on every request you receive. If you are affected by a recent hack, look out for an IT security expert and read cybersecurity news about recent cyber-attacks to take quick action. To keep yourself updated with the latest in IT security , such as Cyware or BetterCloud Monitor, you can subscribe to newsletters curated by reputed agencies such as Decrypted by Bloomberg, DIY Cyber Guy, and Respond All, etc.
Be sure to take a moment to check whether the source is legitimate first when you get an extremely urgent, high-pressure communication.
To see if messages/emails are legitimate, check the domain links, and if they are actual members of the company, the individual sending you the email. A typo/spelling mistake is usually a dead giveaway. Use a search engine, go to the website of the company, check their phone list.
Even if the sender seems to be someone you are familiar with, checking with them if you are not expecting any email connections or files from them is always the best practice.
Don't fall prey to prizes and offers. One example is the Nigerian prince promising a fortune.
Social engineering is very dangerous because it takes circumstances that are perfectly natural and manipulates them for malicious purposes. However, you'll be much less likely to become a target of social engineering by being completely conscious of how it operates and taking simple precautions.
Lastly, give your digital footprint some consideration. Over-sharing online personal information, such as through social media, will assist attackers. By pointing to recent events you might have posted on social networks, certain social engineering attacks may try to gain legitimacy.
ISSQUARED editors publish insights, articles, and news on emerging technologies and innovations across Cybersecurity, Cloud, Hyperconvergence, Edge Computing, Identity Management, Unified Communication, and many more. We aim to provide thoughtful and actionable technological information for today’s IT decision-makers and help them reduce the risk of making the wrong decision by relying on data and experts analysis.