What is Social Engineering? | Attacks | Prevention

March 3, 2019 by Shigraf Aijaz

Having spent half of my life working as a cyber-security journalist, social engineering has been the gist of my work. Now I get it! You must all be wondering, “Social engineering and cyber-security? That sounds like a social work support thing! What does that have to do with cyber-crime?”

Yeah, well, ever had a malware attack after clicking on sneaky pop-ups while surfing online? Yeah, that’s what social engineering is! Not much of a support thing, yeah?

Before I proceed with anything, let me explain what social engineering is.

What is Social Engineering?

Social engineering is known as the art of psychologically manipulating someone to give up their private information. A social engineer works to exploit fundamental human nature and plays on the victim’s instincts.

It is the most popular method of hacking amongst criminals, as it is far easier to manipulate someone’s weaknesses than to break into a software system.

How might a Social Engineer operate on you?

With it established that social engineering works by playing on a person’s general instincts, the food for thought here is how a social engineer orchestrates an attack.

Remember the famous movie “The Sting”? The one about two con men (confidence men) working out ways to scam a multi-millionaire mobster (Mark)?

The two orchestrate an elaborate scheme in which they use the general information they know about the mobster. They then use this information to gain his trust through various antics.

The movie plays out with Mark trusting the two con men, who eventually end up scamming him.

As portrayed in the movie, this is exactly how a social engineer works through a set of tactics to organize an attack. The first and foremost task is to research and gather information about the target.

As these attacks are usually targeted at large-scale corporations, the planning starts with research on the company’s employee structure, internal affairs, the working of the company, business partners, shareholders, as well as some other information.

Another way a social engineer can infiltrate a company is by studying and observing its ground-level employees, such as the security guards or the receptionists.

Hackers can also look them up on social media and get all their personal information as well as study their behavior online and in person.

This information is then used to find out the flaws and vulnerabilities that can be used to carry out the attack.

These attacks can be used to find out debit card information, bank account details, and other sensitive information, or they can be used to gain access to secure systems and networks.

6 Faces of a Social Engineering Attack

A social engineering attack can take various forms and can happen wherever there is human interaction. Here I have mentioned six types of social engineering attacks to make it easy for you to identify possible attacks:

1. Phishing

Phishing is the most commonly used method and is aimed at a large target audience. It involves sending emails with either a fake or a fairly legitimate email address. The email may also contain what looks like a piece of authentic company information.

The email may contain a link, document or files laced with malware that infects the device as soon as the user clicks on them. Phishing attacks are used to gain a user’s sensitive information, such as credit card information, usernames, passwords, bank account details, etc.

2. Spear Phishing

This technique involves targeting a specific person or enterprise. The attacker drafts the emails according to the characteristics, job descriptions and contacts of the victim so that the attack seems authentic.

Spear phishing is relatively technical and requires much work from the person who needs to pull off this attack. At times it may take weeks or months to go through with it thoroughly. These attacks, if conducted skilfully, are hard to detect and are often successful.

One example of spear phishing may be a hacker posing as the CEO of a company. He could craft an email to make it seem like an email from the CEO and send it to the finance department head demanding the transfer of some money into a fake account.

The email is carefully crafted to make it seem genuine, which requires much time as well as hard work.

3. Vishing

This is the vocal version of phishing. The work here is not necessarily online and occurs through voicemail, VoIP (Voice over IP), a landline or a cellphone.

The purpose here is the same; only the method differs. Just like phishing, it is used to extract a victim’s sensitive information.

A vishing scenario may go on with a victim receiving a voice message stating that suspicious activity has taken place in their credit card account, bank account, etc.

The victim is told to call a specific number, where he is asked to give more information in the name of “identity verification” or to “make sure the fraud didn’t occur.”

Vishing is particularly untraceable and is often carried out from foreign numbers, leaving law enforcement powerless.

4. Pretexting

A series of carefully crafted lies is used to carry out this method. The attacker lies to the victim to gain personal information.

The pretexter starts by gaining the trust of the victim by acting as a co-worker, bank official, police officer or anyone in authority that a person may rely on.

Seemingly essential questions that are required to confirm a person’s identity are asked, which leads to the victim giving up most of the crucial data.

Through this scam, the attacker manages to acquire all sorts of relevant information such as social security number, bank account details, personal addresses, security details, etc.

5. Baiting

Ever gone fishing? When catching a fish, you throw in the line with a worm and then wait for the fish to come. That is precisely what baiting is.

Similarly, in the cyber world, baiting, as the name implies, uses false promises to grab a person’s interest. Once the criminal manages to grab their interest, he proceeds to lure them and catch them in a web that steals their personal information or infects them with malware.

Typically, criminals use physical media to spread malware. This is the crudest form of baiting. A malware-infected USB or flash drive is left in a conspicuous place where a victim is bound to come across it.

It may be in a bathroom, elevator, parking lot of a victim company, etc. The social engineer crafts the bait to look catchy and authentic, as its main function is to attract a victim.

It could have a label presenting a list of employees that are to get a promotion, or the company’s payroll list, etc. The victim, out of curiosity, grabs the bait and inserts it into a computer. Once the victim inserts the flash drive or the USB, it starts downloading and installing the malware, and this way the baiting attack is successful.

Another way baiting occurs is the online method. This involves a victim clicking on catchy advertisements or pop-up links that lead to malware infection or information theft.

6. Scareware

The scareware method again involves lies. The victim continuously gets prompts with false alarms and counterfeit threats. This tricks him into thinking that the computer has malware or has illegal content downloaded.

The hacker then provides the victim with a solution that would supposedly fix the false issue. However, this “solution” offered to the victim is, in reality, malware that the user installs.

Scareware attacks are usually in the form of pop-ups you often find online with scary texts such as “your device may be infected.” These pop-ups proceed to offer a tool to download that is, in reality, malware released to infect your device.

The tool may also be a useless application, and the user only gets its prompts so that he downloads it and it gets the opportunity to steal his data.

Apart from pop-up links, scareware is also spread using spam emails that come with bogus warnings or prompt users to buy useless or harmful services.

5 Ways to Prevent Social Engineering

Social engineering attacks are widespread nowadays, which is why it is somewhat crucial to try and stay safe from them. I have taken the liberty to compile a list of ways which can help you stay secure from social engineering attacks:

Use updated antivirus/anti-malware

Antivirus and anti-malware software help protect your device. However, it is particularly crucial to keep your antivirus and anti-malware software current with regular updates.

If the user regularly updates the software, it provides better protection. You should also periodically scan your device to stay even more protected.

Don’t open emails from unknown sources

The most frequent gateway to social engineering attacks is email. It is better to stay vigilant and steer clear of emails or attachments from unknown sources.

Email spoofing is very common. This is why it is better not to respond to unknown emails or open attachments sent with them. It is better to cross-check any message received from an unknown source.

Furthermore, it is better to stay alert and not open any attachments that look suspicious to you, as they may contain malware or viruses.
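
Part of that cross-check can be done mechanically on a message's headers. The sketch below is an added example, not part of the original article; the sample message, its addresses and the `spoofing_signs` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail); example.com/example.net are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
From: "Jane Doe, CEO" <ceo@example.com>
Reply-To: jane.doe.ceo@example.net
To: finance@example.com
Subject: Urgent wire transfer

Please transfer the funds today.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_signs(raw):
    """Return a list of header-level warning signs for one raw message."""
    msg = message_from_string(raw)
    signs = []
    from_dom = domain(msg["From"])
    # Replies silently going to another domain is typical of "CEO" fraud.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        signs.append("reply-to-mismatch")
    # Weak signal on its own: bulk senders legitimately use other bounce domains.
    bounce_dom = domain(msg["Return-Path"])
    if bounce_dom and bounce_dom != from_dom:
        signs.append("return-path-mismatch")
    # Only trust this header when your own receiving server added it.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m is None or m.group(1).lower() != "pass":
            signs.append(f"{mech}-not-pass")
    return signs

if __name__ == "__main__":
    print(spoofing_signs(SAMPLE))
```

An empty list does not prove a message is genuine; it only means none of these header-level signs were present.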

Stay educated and educate

We live in a fast-paced world which is continuously moving forward. With advancements in every field, the methods of hacking are also getting frequent updates. With this in mind, it is better to stay up to date with these developments.

Furthermore, as social engineering attacks can also target companies, it is better to educate your staff. This allows the staff to stay vigilant, so your company stays protected.

Take care of your privacy

Be careful before responding to requests for passwords or other personal information. It is better to research the source before replying.

Sources asking for passwords or other personal information are often scams. Therefore, it is better to steer clear of them or double-check the source before responding.

Stay wary of offers for help

Social engineers may often pose as tech support personnel to invade your device with malware or steal your personal information. At times they may request your assistance with information or offer help.

If you did not request help, it is better not to respond to such requests. It is also safe to double-check with a trusted source. Do your research before sending out any personal information.

Well aware now?

Now that you have received enlightening information about the prevention tips, it is better to steer clear of these attacks. You could now start by working on the prevention tips to stay as safe as possible! Privacy is particularly crucial in this work, and you should work on how to protect it.
