What is Social Engineering?
Social engineering refers to the psychological manipulation of people into revealing confidential information or performing actions for the purpose of fraud, access to the system or gathering information. Many social engineering exploits simply rely on people’s commitment to be helpful.
Attackers can reach their victims in several ways, including:
- Via email
- Over the telephone
- In person (by impersonating someone)
- Through a Social Networking Site
Common types of social engineering attacks:
Scareware: This involves misleading the victim into thinking their computer is infected or has a problem. The attacker then offers the victim a resolution that will fix the false problem. What actually happens is that the victim downloads the attacker’s software, giving the attacker access to the victim’s machine. From there they have control and access to anything they wish, for example stealing confidential details, funds and more.
Phishing: Phishing occurs when cybercriminals send a fraudulent email or social media message, disguised as a legitimate message, to trick the recipient into providing personal or financial information which can then be used for fraud. Phishing scams usually show the following symptoms: threats and a sense of urgency to prompt a quick response from the victim, requests for private information, and disguised links that redirect users to untrustworthy websites.
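To make the disguised-link and urgency symptoms concrete, here is an added example (written for this page, not code from the original article) that parses a constructed HTML email body, flags every link whose visible URL text names a different host than the real href, and lists the urgency phrases present in the message text. The sample message, its placeholder hosts and the URGENCY_TERMS list are all assumptions constructed for the demonstration.

```python
"""Heuristic checks for two phishing symptoms: disguised links (visible URL text
that does not match the real destination) and urgency language.
Example code written for this page, not taken from the original article.
Standard library only, so it runs offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body. The hosts are placeholders, not real sites.
SAMPLE_HTML = """
<p>Your account will be suspended in 24 hours unless you verify it now.</p>
<p>Visit <a href="http://login.example-bank.com.attacker.test/verify">https://www.example-bank.com/login</a></p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help centre</a>.</p>
<p>Or <a href="https://secure.example-bank.com/reset">https://secure.example-bank.com/reset</a></p>
"""

# Phrases typical of the "sense of urgency" symptom (assumed list; extend to suit your environment).
URGENCY_TERMS = ("immediately", "urgent", "suspended", "24 hours", "verify", "act now")


class _MessageParser(HTMLParser):
    """Collects every anchor as (href, visible text) plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible_text)
        self.text_parts = []   # all character data, for the urgency check
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _hostname(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_disguised_links(html):
    """Return (href, text) pairs whose visible text is itself a URL but names a
    different host than the href. The reader sees the text; the browser follows
    the href, so a mismatch is the classic disguised-link symptom."""
    parser = _MessageParser()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # descriptive link text makes no URL claim; nothing to compare
        shown = text if "://" in text else "https://" + text
        if _hostname(href) != _hostname(shown):
            suspicious.append((href, text))
    return suspicious


def find_urgency_phrases(html):
    """Return the URGENCY_TERMS found in the message's visible text, in list order."""
    parser = _MessageParser()
    parser.feed(html)
    body = " ".join(parser.text_parts).lower()
    return [term for term in URGENCY_TERMS if term in body]


if __name__ == "__main__":
    for href, text in find_disguised_links(SAMPLE_HTML):
        print(f"disguised link: shows {text!r} but goes to {href!r}")
    print("urgency phrases:", find_urgency_phrases(SAMPLE_HTML))
```

The host comparison is exact, so a link whose text and href differ only by subdomain is also flagged; a production mail filter would compare registrable domains and weigh these heuristics alongside sender authentication results rather than treating either check as proof on its own.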
Spear phishing: Spear phishing is similar to phishing, but tailored to a specific individual or organisation. Imagine you receive an email from a friend with a link to an online article. Although the URL may look genuine, clicking on the link may have just opened the door for the cyber-criminal to gain access to your network.
Baiting: Baiting is similar to phishing attacks in many ways. What differentiates it from other methods of social engineering is that the attackers tempt their victim with the promise of a product or goods (for example, offering users free movie or music downloads if they submit their sign-in credentials to a specific site). Baiting also describes the case where an attacker leaves a malware-infected physical device in a place where the victim is likely to find it. The finder then plugs it into their computer, unintentionally installing the malware.
Pretexting: The attacker concentrates on constructing a false scenario which they can use to attempt to retrieve personal details from the victim. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient. Or imagine you receive a call from someone at a reputable-sounding research firm asking you to participate in a survey. The questions they ask seem harmless (the name of your phone company, your investment firm, even your pet’s name). Pretexters may also claim to represent banks, government agencies, Internet Service Providers and many more.
How to protect yourself
Overall it mainly comes down to being cautious and observant. For businesses, training staff and making them aware of the dangers is crucial. Individuals need to be extra vigilant and never give out confidential information.
How you can avoid social engineering schemes:
- Email awareness – Do not open emails from unknown sources. If you receive a message that seems out of character for the sender, contact that person directly by phone or in person to confirm it.
- If an offer appears too good to be true, it probably is. Do not accept offers from strangers.
- Lock your computer when you are not using it
- Security – Check that you have reliable anti-virus software installed. No anti-virus can shield against every threat, but it can certainly help to keep you protected.
The use of social media like Twitter, Facebook, Instagram, LinkedIn and others has been growing steadily. They are used not only for connecting individuals but also for businesses linking with their clients. Attackers use social networking sites to contact their target. They then begin communicating with the victim, steadily gathering information, and then use it to gain access to sensitive data.
Businesses must take extra care in their security training regarding all aspects of social media, particularly LinkedIn and Twitter, which are ideal sources of information for attackers planning to strike.
By gathering information about a company and name dropping it into a direct message conversation, attackers may build a level of trust with insiders and thus gain inside information.
There are policies which businesses can apply:
- Advise staff not to use their work email address as an account ID for social networking sites.
- Never use the same account name and password combination for multiple services.
- Websites often ask users to answer secret questions like the school you attended, or where you grew up. Don’t expose this information on social media.
- Encourage employees to limit social media posts to personal interests, and not related to their work or co-workers.
- Never share company information with strangers, or even with long-time connections, on LinkedIn or any other social media.
- Always ask for a number to call back or email address from anyone requesting information and forward the request to security.
- If you use LinkedIn, only connect with people you truly know. Social engineers create bogus, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry in order to appear legitimate.