What is social engineering?

by Justinas Mazūra
28 July 2020
in Security

Social engineering is the act of manipulating people into revealing confidential information. Fraudsters may impersonate someone else or steal other people’s identities to create a false sense of trust in their victims. 

Social engineering is often the primary method of infiltration in a larger criminal scheme. Tricking people is usually easier than finding a technical vulnerability in a target company’s security measures. Social engineering helps attackers acquire administrator passwords or other highly sensitive data, install malicious software on company servers, and more. It’s one of the most effective attack methods because it targets the human link, thus bypassing even the most advanced forms of security. It’s also dangerous because it’s much harder to detect. After all, the victim often doesn’t even realize that they were scammed.

What does a social engineering attack look like?

Most successful social engineering attacks are planned in advance. The attacker has to gather enough data about the victim, for example, their credentials and position in the company. Nowadays, this isn’t hard to do – much of this necessary information is publicly available via LinkedIn, the company site that displays an internal chain of command, etc. All of this makes it easier for a perpetrator to impersonate someone in an interaction with an employee.

After the fraudster has enough data to spin a story, they move in with a plan, initiating contact with the victim. This can happen either online or in person. The social engineer creates a convincing reason why they need documents, administrator rights, passwords, or other sensitive details. They may present themselves as a server room technician reacting to a call, etc. If done convincingly, the fraudster can often make the victim believe their story, giving them a way in.

Once the perpetrator has obtained what they came for, they have to cover their tracks. The goal is not to raise suspicion, making it seem as if nothing ever happened. A scam disguised as “business as usual” is what a social engineering attack looks like in real life.

If you’re thinking this only happens in movies, you couldn’t be more wrong. In 2013, when Yahoo employees fell for an email message sent by a social engineer, hackers compromised every single customer account at the company. That’s more than 3 billion Yahoo Mail accounts that ended up for sale on the dark web. It’s one of the most massive breaches of all time, and it was the result of social engineering. Check our tips on how to protect your identity online.

Top 6 types of social engineering attacks

Social engineering takes many forms depending on whether it’s performed in person or online. It will always exploit human interaction as a weak point, but there are some nuanced differences. Here are 6 social engineering examples:

1. Baiting

Baiting relies on the victim walking into a trap on their own out of curiosity or greed. The results may vary – for example, the fraudster may lead the target to a malicious website that installs malware on their computer.

There are real-world examples of attackers leaving flash drives with company logos and notes like “payment logs.” Most people will grab a free flash drive, and they will be curious to look at the files on it, which means they will happily plug it into their computers. Once that happens, the flash drive launches a pre-configured script that compromises the computer, often logging keystrokes or stealing data in the process.

A common online example of baiting involves ads that lead to malicious sites, download links that are disguised malware, etc. In simple terms, baiting is like leaving a rake out in the open and hoping that someone will step on it.

2. Phishing

Phishing scams are the most popular form of social engineering and use genuine-looking email or messaging campaigns that invoke a sense of urgency or fear in victims. This tricks users into clicking on malicious links, sending money to scammers, or opening attachments that contain scripts.

An example would be an email from your bank that asks you to log into the new version of their site and requires an immediate password change. Once you type in your login credentials, your data ends up in the attackers’ hands and may be used to clear out your real bank account or extract more information from customer support.

3. Email hacking and contact spamming

The principle behind this sort of attack is twofold. First of all, the attacker acquires an email address and its login credentials. This often happens as a result of massive data breaches. The fraudster then logs in and sends an email to the victim’s contacts, pretending to be in distress and asking them to open a file or send some money. The recipients, seeing that their close friend is in trouble, won’t doubt the legitimacy of these claims – something they will come to regret later.

4. Vishing

Vishing is a form of phishing, but it uses interactive voice response systems to recreate a legitimate-sounding copy of some institution’s IVR system. The victim is usually prompted to call it and verify some information. Typically, multiple password verifications will be rejected in order to retrieve several passwords belonging to the same user, which could compromise other accounts belonging to the victim as well. In the most extreme cases, the IVR could be combined with impostor customer service agents who double down on the information stolen.

5. Spear phishing

Spear phishing is a heavily targeted social engineering attack aimed at particular individuals or enterprises. This type of attack tailors the email message to appear as close to real as possible using information like the victim’s exact employment position, work functions, daily routine, etc. Planning this type of attack might take weeks or months to successfully pull off, but if done skilfully, it can do great damage. A spear-phishing message might be worded exactly like many other requests and even sent through common channels, thus deceiving the victim about its authenticity. The above-mentioned Yahoo Mail attack was a high-profile spear-phishing attack.

6. Tailgating

Tailgating exploits a common workplace courtesy: fraudsters gain access to unauthorized areas by simply walking behind someone who has access. Out of common decency, most people will hold the door (or even open it, believing the attacker has lost their ID or access card). There are many workplace realities a skilled social engineer can use to their advantage. For example, due to fire safety regulations, people need to be able to leave the building quickly.

7 tips on how to protect yourself from social engineering

  1. Think before you act. Attackers create a sense of urgency because they want their victims to recklessly make snap decisions. You should always stop and verify. If a friend is suddenly asking you for money, call them on the phone and ask whether they really sent the message.
  2. Check the message for legitimacy. If you received an email and something about it seems off, it probably is. Verify the domain names: they could end in .co or .con rather than .com. Typos and other spelling errors are a clear giveaway that it’s an attempt at a phishing scam.
  3. Don’t trust senders you don’t know. If you’re not expecting anything, don’t open any files you’ve received, especially if they are flagged as urgent.
  4. If you’ve won a lottery you never entered, or a Nigerian prince is offering you money, then chances are you’re being scammed. Trust that if something seems too good to be true, it probably is.
  5. If you’re unsure whether a website is genuine or a phishing attempt, check that it presents a valid certificate from a trusted certificate authority (CA), especially if you’re connecting to banking sites.
  6. Use two-factor authentication (2FA) as a safeguard, should your password end up out in the open. You can periodically check your account against the latest security breaches and learn whether you’re affected. Scammers can use credential stuffing to take over your accounts, which can then be used for contact spamming.
  7. One of the ways an organization can prevent social engineering attacks is to have an active risk management division. Actively monitoring weak points in your business infrastructure for infiltration routes and reinforcing the security in those areas is just one of the ways it could be done. Providing employees with information about the subject can help them recognize social engineering attacks in progress and limit the impact of a coordinated attack.
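Tip 2 above can be partly automated. The following Python checker is an added example, not code from the article or from CyberNews; it flags sender addresses and links whose domain is a lookalike of a domain on a constructed allow-list (a swapped TLD such as .co or .con instead of .com, a near-miss spelling, or a trusted name buried in a subdomain of some other domain). The allow-list `TRUSTED_DOMAINS` and all sample addresses are assumptions made up for this example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list of domains the reader actually trusts (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com", "cybernews.com"}


def _labels(host: str) -> list[str]:
    """Split a hostname into lowercase DNS labels: 'login.examplebank.co' -> ['login', 'examplebank', 'co']."""
    return host.lower().rstrip(".").split(".")


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    labels = _labels(host)
    if len(labels) < 2:
        return "unknown"
    name, tld = labels[-2], labels[-1]
    if f"{name}.{tld}" in TRUSTED_DOMAINS:
        return "trusted"          # examplebank.com and any real subdomain of it
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = _labels(trusted)[-2:]
        if name == t_name and tld != t_tld:
            return "lookalike"    # examplebank.co, examplebank.con
        if t_name in labels[:-2]:
            return "lookalike"    # examplebank.com.evil.co
        if name != t_name and SequenceMatcher(None, name, t_name).ratio() >= 0.85:
            return "lookalike"    # exampelbank.com, examp1ebank.com
    return "unknown"


def classify_sender(from_header: str) -> str:
    """Classify the domain in a From: header such as 'Example Bank <alerts@examplebank.con>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return classify_domain(match.group(1)) if match else "unknown"


def classify_url(url: str) -> str:
    """Classify the host part of a link found in a message body."""
    host = urlsplit(url).hostname
    return classify_domain(host) if host else "unknown"


if __name__ == "__main__":
    # Constructed samples: one genuine sender, one with the .con trick from the article.
    for sample in ("Example Bank <security@examplebank.com>", "alerts@examplebank.con"):
        print(sample, "->", classify_sender(sample))
```

The similarity threshold is a heuristic; tune it against your own allow-list so that unrelated short names are not flagged.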
© 2021 CyberNews