What is Social Engineering?
We talk about software vulnerabilities a lot, and the human equivalent of those vulnerabilities is our emotions. When people are faced with a frightening scenario, their first impulse is to act first and think later. This is exactly the “vulnerability” that social engineers depend on for a successful attack.
Types of Social Engineering Attacks
Social engineering is the way cybercriminals use human-to-human interaction to get a user to divulge sensitive information. Since social engineering is based on human nature and emotional reactions, there are many ways that attackers can try to trick you, online and offline.
Baiting
Humans are curious creatures, and this attack depends on that curiosity. The cybercriminal leaves a device such as a USB stick that is infected with malware out in the open in a public place. Someone picks up that device and plugs it into their computer to see what’s on it, and the malware then installs itself on the computer.
Phishing
The oldest trick in the cyber-book, but still one of the most successful. Cybercriminals use a variety of methods to trick you out of your information. Scare tactics seem to be the most popular among criminals, as they present the user with an urgent scenario, usually involving a banking or other online account. This relies on users making fear-based decisions, reacting to how they feel rather than pausing to think the scenario through. Other versions of these emails appear to come from an authority figure, such as a higher-up in your company requesting your user name and password so he can log into a system. People naturally comply when a request comes from a coworker, especially one higher up in management. A sense of urgency is also a popular tactic in phishing. I’m sure you’ve seen those emails for deeply discounted products that are available in limited quantities. It sounds like a great deal, and it gives the user the feeling that they need to act right away, so they decide on impulse rather than on reflection.
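The cues just listed (fear and urgency around an account, a request for a user name and password, an “authority figure” as the sender, limited-quantity deals) can be turned into a simple screening rule that a mail filter or help desk could run over a reported message. The following is an added example, not code from the original article; it assumes a hypothetical company domain of example.com and uses two constructed sample emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cues taken from the article: fear/urgency around an account, a request for a
# user name or password, an "authority figure" as sender, limited-quantity deals.
CUES = {
    "urgency or fear": re.compile(
        r"\b(urgent|immediately|within \d+ hours?|suspended|locked|act now|limited (?:quantity|time))\b", re.I),
    "asks for credentials": re.compile(
        r"\b(user ?name|password|login details|verify your (?:account|identity))\b", re.I),
    "claims internal authority": re.compile(
        r"\b(CEO|CFO|IT department|help ?desk|your manager)\b", re.I),
}

def score_message(raw_email: str, company_domain: str) -> dict:
    """Match one plain-text RFC 5322 message against the cues and return a verdict."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    # The display name is included because spoofed "authority" often lives there.
    text = f"{display_name}\n{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = [name for name, pattern in CUES.items() if pattern.search(text)]
    # An internal-authority claim sent from outside the company domain is the strongest single signal.
    if "claims internal authority" in reasons and sender_domain != company_domain.lower():
        reasons.append(f"authority claim from external domain {sender_domain or '(none)'}")
    return {"sender_domain": sender_domain, "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed samples for demonstration, not real messages.
PHISH = """From: "IT Department" <helpdesk@example-mail-relay.net>
Subject: Urgent: your account will be suspended

Your mailbox is locked. Reply with your username and password within 2 hours to restore access.
"""

NORMAL = """From: Jane Doe <jane@example.com>
Subject: Lunch menu for Friday

The cafeteria posted Friday's menu. Let me know if you want to go together.
"""

if __name__ == "__main__":
    for sample in (PHISH, NORMAL):
        print(score_message(sample, "example.com"))
```

The threshold of two cues is a deliberately simple starting point; in practice a message that asks for a password at all deserves a human look regardless of score.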
Email Hacking and Contact Spamming
It’s in our nature to pay attention to things we get from people we know. If my sister sent me an email with the subject “Check out this site I found, it’s totally cool,” I wouldn’t think twice about opening it. This is exactly why cybercriminals go after email addresses and passwords. Once the criminal has those credentials, they can take over the account and spam every contact in the user’s address book. The main objective is to spread malware, trick people out of their personal data, and more.
Pretexting
Pretexting is when the cybercriminal comes up with an elaborate story in order to create a scenario they can “hook” their victims with. Sometimes it’s a sob story about being stranded in a foreign country, or a claim to be a prince in some unheard-of country whose father just died and who needs 500 USD in order to become king. These scenarios play on people’s inclination to help others in need. Pretexting is often used in tandem with the other methods described here, since most of these scenarios need some sort of story to catch the target’s attention, for example when the attacker impersonates someone on the telephone.
Quid Pro Quo
Something for something. This scam entices users with prizes or discounts on expensive products, offering them “something” only after they fill out a form that asks for most of their personal information. All of the data collected is then used for identity theft.
Spear Phishing
Phishing’s more complex cousin, spear phishing is a campaign targeted at employees of a specific company from which the cybercriminal is attempting to steal data. The criminal chooses a target within the organization and then researches that person online, gleaning personal information and interests from Internet searches and social media profiles. Once the criminal has a sense of the target, they start sending emails that seem personally relevant to the victim in order to entice them to click a malicious link that hosts malware or to download a malicious file. Sure, we all check our personal email and social media while on our company’s network, and that is exactly what the cybercriminal is depending on. Once the user has been tricked, the malware is installed on a computer on the company’s network, from which it can easily spread to other computers on that network.
Vishing
Vishing involves the most human interaction of all of these methods. The criminal calls an employee within a company posing as a trusted individual, or as a representative from your bank or another company you do business with, and then fishes for information. They may pose as a fellow employee who has lost their password and ask for yours, or they may ask you a series of questions to “verify your identity.”
Social engineering can be performed in two ways: as a single attack, like a phishing email, or as a more complex effort that is usually aimed at institutions. These two approaches are called hunting and farming.
Hunting
Hunting is the short version of these attacks. Cybercriminals usually use phishing, baiting, and email hacking, with the goal of extracting as much data as possible from the victim with as little interaction as possible.
Farming
Kind of like a “long con,” the cybercriminal seeks out a way to form a relationship with their target. Usually they study the target’s social media profiles and build the relationship on the information they learned while researching them. This type of attack also relies heavily on pretexting, as the attacker aims to string the victim along for as long as possible in order to extract as much data as possible.
Social engineering is everywhere, online and offline. It is so successful because of the one element involved that we can’t install security software on: the human being. Your best defense against these kinds of attacks is educating yourself and being aware of what to look out for.