The term “social engineering” refers to a wide range of malicious activities involving human interaction. Users are fooled into making security mistakes or giving away sensitive information through psychological manipulation.
A social engineering attack usually unfolds in stages. The attacker first investigates the intended victim to gather background information, such as likely points of entry and weak security procedures, then makes contact and works to gain the victim’s trust. Once trust is established, the attacker moves to the payoff: extracting sensitive information or persuading the victim to grant access to critical resources.
Unlike software or operating-system vulnerabilities, social engineering exploits human error. Mistakes made by legitimate users are far less predictable than malware-based intrusions, which makes them harder to detect and stop.
What examples of Social Engineering are there?
Many of these scams will be familiar, but seeing how varied they are shows just how broad a threat social engineering poses, both online and in person.
Known as the advance fee scam or the 419 scam, the Nigerian scam is a classic example of social engineering. The scammer poses as a government or bank official, or as a businessman who needs to move money from a frozen Nigerian bank account to an overseas account, and offers the victim a commission, sometimes several million dollars, for helping. The scammer then persuades the victim to send a comparatively small sum to cover taxes and legal fees associated with the transaction. As soon as the victim pays, the scammer disappears; in other cases the scammer keeps asking for more money to cover unexpected costs such as tax increases or bribes to officials.
Have you ever come across an offer that seemed too good to be true? In 2010 a truck driver from Yorkshire, England, named Anthony, tried to sell one of London’s most iconic landmarks, the Ritz Hotel, which he did not own. Although the hotel was worth far more, he offered it for 350 million pounds, and before he was jailed for the outrageous scam he had tricked would-be buyers into paying a deposit of one million pounds.
Social engineering has grown more sophisticated in recent years and has become one of the biggest cyber threats to individuals and organizations alike.
Attack techniques used by social engineers
Social engineering attacks take many forms and can occur anywhere humans interact. Five of the most common forms of digital social engineering are described below.
Baiting
Baiting attacks use a false promise to pique the victim’s curiosity or greed. The victim is lured into a trap that steals personal information or infects their system with malware.
A common form of baiting is the distribution of malware on physical media. The bait, typically a malware-laden flash drive, is left in a conspicuous place where potential victims are sure to find it (bathrooms, elevators, parking lots) and is given an authentic appearance, such as a label presenting it as the company payroll list.
Out of curiosity, victims pick up the bait and plug it into a home or work computer, and the malware runs. Modern operating systems no longer start programs from removable media automatically, so the payload is usually a file the victim is tempted to open (a spreadsheet named “payroll”, say) or a device that presents itself to the computer as a keyboard and types commands on the victim’s behalf.
Baiting does not have to be physical. Online baiting takes the form of enticing ads that link to malicious sites or encourage users to download malware-infected software.
Scareware
Scareware bombards victims with fictitious alarms and threats. The user is deceived into believing their computer is infected with malware and is pushed into installing software that has no real benefit (other than to the perpetrator) or is itself malware. The term “scareware” is also used for deception software, rogue scanner software and fraudware.
Scareware typically appears as legitimate-looking pop-up banners in your browser while you surf the web, displaying text such as “Your computer may have been infected with malicious spyware.” It either offers to install a tool for you (often malware itself) or directs you to a malicious website that infects your computer.
Scareware is also spread through other channels, such as spam email, that deliver false warnings and offer worthless or harmful “services”.
Pretexting
In pretexting, an attacker obtains information through a fabricated scenario, the pretext. Perpetrators typically claim to need sensitive information from the victim in order to complete a critical task.
To establish trust, the attacker usually impersonates co-workers, police, bank or tax officials, or other people who would plausibly have a right to know. The pretexter then gathers sensitive personal information by asking questions that are supposedly needed to confirm the victim’s identity. A useful habit is to decline to answer and instead call the organization back on a number you look up yourself.
Through this scam all sorts of personal information is collected, including Social Security numbers, addresses, phone numbers, vacation dates, bank records, and even security details about physical locations.
Phishing
Email and text-message phishing scams are the most common social engineering attacks. They are designed to create a sense of urgency, curiosity or fear in the victim, who is then prodded into revealing sensitive information, clicking a link to a malicious website, or opening a malicious attachment.
For example, a user of an online service receives an email warning of a policy violation that requires immediate action, such as changing their password. The user is prompted to enter their current credentials and a new password on an illegitimate website that closely resembles the legitimate one, and the submitted form goes straight to the attacker.
Because a phishing campaign sends identical or nearly identical messages to large numbers of users, mail servers that exchange indicators through threat-sharing platforms can detect and block it comparatively easily; attackers counter this by randomizing wording, links and images.
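As an added illustration of why near-identical mass mailings are easy to group (this is example code written for this article, not code from the original page or from any mail product), the following Python strips the parts of a message that vary per recipient, hashes what remains, and reports templates seen by several recipients. The four messages, the recipient addresses and the threshold are constructed for the example.

```python
"""Group near-identical messages into campaigns with a normalised body hash.

Added example; not code from the original article. The messages are
constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: three copies of one campaign, each with a personalised
# greeting, a per-recipient tracking URL and a slightly different number, plus
# one unrelated internal message.
MESSAGES = [
    ("alice@example.com", "Dear alice, your mailbox is 98% full. Verify your account at "
                          "http://mail-quota.example.net/u/8123 within 24 hours."),
    ("bob@example.com", "Dear bob, your mailbox is 97% full. Verify your account at "
                        "http://mail-quota.example.net/u/8124 within 24 hours."),
    ("carol@example.com", "Dear carol, your mailbox is 99% full. Verify your account at "
                          "http://mail-quota.example.net/u/8125 within 24 hours."),
    ("dave@example.com", "Hi Dave, attached are the minutes from Tuesday's meeting."),
]

def normalise(recipient, body):
    """Strip the parts that vary per recipient so copies of one template collide."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)          # tracking links
    text = re.sub(r"\S+@\S+", "<email>", text)              # addresses in the body
    local_part = re.escape(recipient.split("@")[0].lower())
    text = re.sub(r"\b" + local_part + r"\b", "<name>", text)   # personalised greeting
    text = re.sub(r"\d+", "<num>", text)                    # percentages, deadlines, ids
    return re.sub(r"\s+", " ", text).strip()

def fingerprint(recipient, body):
    """Short stable identifier for the template behind a message."""
    return hashlib.sha256(normalise(recipient, body).encode("utf-8")).hexdigest()[:16]

def campaigns(messages, min_recipients=3):
    """Map fingerprint -> recipients for templates seen at least min_recipients times."""
    groups = defaultdict(list)
    for recipient, body in messages:
        groups[fingerprint(recipient, body)].append(recipient)
    return {fp: rcpts for fp, rcpts in groups.items() if len(rcpts) >= min_recipients}

if __name__ == "__main__":
    for fp, rcpts in campaigns(MESSAGES).items():
        print(f"campaign {fp}: {len(rcpts)} recipients -> {', '.join(rcpts)}")
```

Production filters use fuzzy hashes such as ssdeep or TLSH instead of an exact hash and share the resulting indicators between organizations; attackers respond by randomizing wording and images, which is one reason a tailored spear-phishing message is harder to catch this way.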
Spear phishing
In this form of phishing the attacker picks specific individuals or organizations as targets and tailors the messages to the victims’ characteristics, job roles and contacts so that the attack is less conspicuous. Spear phishing takes far more time and effort on the perpetrator’s part, but when done well it is much harder to detect and more effective.
In a spear phishing attack, for instance, an attacker impersonates the organization’s IT consultant and emails one or more employees. Because the message is worded and signed exactly as the consultant would write it, recipients take it for genuine. It instructs them to change their passwords and provides a link to a malicious website where their credentials are captured. The tell-tale signs are the same as for mass phishing: hover over the link to see its real destination, and confirm any password-change request with the consultant through a channel you already trust.
Tips for preventing social engineering
Social engineers exploit feelings such as curiosity and fear to manipulate people into falling for their scams. So if an email alarms you, an offer on a website tempts you, or you find stray digital media lying around, be wary. Staying alert protects you against most social engineering attacks in the digital world.
Additionally, the following tips can help you become more aware of social engineering hacks.
Avoid opening emails and attachments from suspicious senders
Do not act on emails from senders you don’t recognize. If you do know the sender but something about the message seems off, confirm it through another channel, such as a phone call to a number you already have or a visit to the service provider’s own website, rather than replying or using the contact details in the message. Even a message that appears to come from a trusted source may have been initiated by an attacker, because sender addresses are easily spoofed and a familiar display name proves nothing. Use spam filters: depending on the product, they can block suspected IP addresses or sender identities, detect suspicious attachments and links, and analyse message content to flag likely fakes. Publish SPF, DKIM and DMARC records for your own domains and have your mail gateway enforce them, so that receiving servers (including your own) can tell whether a message really came from the domain in its From address.
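The checks above can be partly automated. The Python below is an added example written for this article, not code from the original page or from any mail gateway; it parses two constructed messages (the names, addresses and domains are made up, and the small staff directory is an assumption) and reports the signals a filter or an analyst would look at: a display name that belongs to a known colleague but an address that does not, a Return-Path domain that disagrees with the From domain, a DMARC failure recorded by the receiving server, a link whose visible text names a different host than its real destination, and pressure wording.

```python
"""Heuristic checks for an incoming message: display-name impersonation,
envelope/From mismatch, DMARC failure, deceptive links and pressure wording.

Added example; it is not code from the original article. The organisation
data and both messages are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation data (made up): display name -> real address.
DIRECTORY = {"dana lee": "dana.lee@example.com"}

# Constructed sample 1: exact spoof of an internal address sent through an
# outside relay. SPF passes for the relay's own domain, but DMARC alignment
# against the From domain fails.
SPOOFED_FROM = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none;
 dmarc=fail header.from=example.com
From: "Dana Lee (CFO)" <dana.lee@example.com>
To: payroll@example.com
Subject: Urgent: password reset required today
Content-Type: text/html; charset=utf-8

<p>Your password expires in 2 hours. Reset it at
<a href="http://reset-portal.example.net/sso">https://sso.example.com/reset</a></p>
"""

# Constructed sample 2: the display name is a real executive, the address is a
# free webmail account. SPF, DKIM and DMARC all pass, because the message
# genuinely came from that webmail provider.
LOOKALIKE_SENDER = b"""\
Return-Path: <dana.lee.cfo@webmail.example.org>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=webmail.example.org;
 dkim=pass header.d=webmail.example.org;
 dmarc=pass header.from=webmail.example.org
From: "Dana Lee" <dana.lee.cfo@webmail.example.org>
To: payroll@example.com
Subject: Quick favour - are you at your desk?
Content-Type: text/plain; charset=utf-8

I need a wire sent before 3pm, will send details. Keep this between us.
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def analyse(raw):
    """Return the list of finding codes for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    # 1. The display name belongs to someone in the directory, the address does not.
    plain_name = re.sub(r"\s*\(.*?\)", "", name).strip().lower()
    if DIRECTORY.get(plain_name, addr.lower()) != addr.lower():
        findings.append("display-name-impersonation")
    # 2. Envelope sender (Return-Path) domain differs from the From domain.
    #    DMARC calls this an alignment failure; some legitimate bulk mailers
    #    trip it too, so treat it as a signal rather than proof.
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    if return_path and domain_of(return_path) != domain_of(addr):
        findings.append("envelope-from-mismatch")
    # 3. The receiving server recorded a DMARC failure for the From domain.
    if "dmarc=fail" in str(msg["Authentication-Results"] or "").lower():
        findings.append("dmarc-fail")
    # 4. A link whose visible text names a different host than its href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        shown = re.search(r"https?://([^/\s<]+)", anchor)
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            findings.append("link-text-host-mismatch")
    # 5. Urgency or secrecy wording, the emotional lever the article describes.
    if re.search(r"\b(urgent|immediately|expire|before \d|between us)",
                 f"{msg['Subject'] or ''} {text}", re.I):
        findings.append("pressure-wording")
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed From", SPOOFED_FROM), ("look-alike sender", LOOKALIKE_SENDER)):
        print(f"{label}: {analyse(raw)}")
```

Run it to see both messages scored. Note that the second message passes SPF, DKIM and DMARC: those protocols only prove that the mail came from the domain it claims, and the attacker’s webmail domain is telling the truth, which is why the display-name and wording checks still matter.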
Secure your user credentials with multifactor authentication
Credentials are among the most valuable things an attacker can obtain. Multifactor authentication means that a phished or reused password is not enough on its own to log in. It is a strong safeguard, not a guarantee: one-time codes sent by SMS or read from an app can be relayed by a phishing site in real time, and push notifications can be approved by mistake, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys where they are available.
Beware of tempting offers
Think twice before accepting an offer that sounds too good to be true. A quick way to tell a legitimate offer from a scam is to search online for its exact wording; established scams are usually well documented.
Maintain your antivirus/anti-malware software
Enable automatic updates, or at least fetch new signatures first thing every morning. Periodically confirm that the updates have actually been applied, and scan your system for infections.
Educate your staff on psychological triggers and other giveaways
Since social engineering attacks are not always easy to detect, understanding their tactics is crucial.
You should train your staff to:
- Never trust unsolicited communications or unknown individuals.
- Verify that an email really comes from the stated sender: look at the actual address behind the display name, and watch for spelling errors or poor grammar.
- Avoid opening attachments in suspicious emails.
- Consider the sensitivity of information before sharing it.
- Check that the address bar shows the exact domain you expect and that the connection uses HTTPS before submitting information, remembering that a padlock only means the connection is encrypted, not that the site is genuine; and
- Watch out for typosquatting – sites that look genuine but have subtly different URLs than the legitimate sites they imitate.
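A check for the last two items, written for this article as an added example (not code from the original page or from any product): given a short list of protected hostnames, it reduces a candidate hostname to the ASCII a person would read it as, decoding punycode and mapping common look-alike letters, then classifies it as legitimate, a homoglyph, a brand name buried in someone else’s domain, a typo within two edits, or unrelated. The protected domains, the confusables table and the sample hostnames are assumptions made for the example, and the two-label rule for the registrable domain is a simplification.

```python
"""Look-alike hostname triage: typosquats, homoglyphs, punycode (IDN) spoofs
and the "real domain buried in a subdomain" trick.

Added example; not code from the original article. The protected domains and
the candidate hostnames are made up for illustration.
"""
import unicodedata

PROTECTED = ["example.com", "sso.example.com"]   # assumed: the real hostnames

# Letter sequences that read as another letter in common UI fonts. Real tools
# use the full Unicode confusables table; this subset shows the technique.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}
# Cyrillic а е о р с у х and Greek ο, mapped to the Latin letters they mimic.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u03bf",
                           "aeopcyxo")

def skeleton(host):
    """Reduce a hostname to the ASCII string a person would read it as."""
    host = host.strip().lower().rstrip(".")
    try:
        # Punycode labels (xn--...) back to Unicode so the odd letters are visible.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                    # already Unicode, or not valid IDNA
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if not unicodedata.combining(c))      # e.g. é -> e
    host = host.translate(HOMOGLYPHS)
    for seq, replacement in CONFUSABLES.items():
        host = host.replace(seq, replacement)
    return host

def registrable(host):
    # Assumption: the last two labels form the registrable domain. Production
    # code should consult the Public Suffix List (co.uk, com.au, ...).
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch typos such as exmaple.com."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]

def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, protected domain the host resembles or None)."""
    clean = host.strip().lower().rstrip(".")
    sk = skeleton(clean)
    for p in protected:
        if clean == p or clean.endswith("." + p):
            return "legitimate", p              # the real domain or one of its subdomains
    for p in protected:
        psk = skeleton(p)
        if sk == psk or sk.endswith("." + psk):
            return "homoglyph", p               # reads as the real domain but is not
    for p in protected:
        if registrable(p) in sk and registrable(sk) != registrable(p):
            return "brand-embedded", p          # e.g. example.com.login-portal.net
    distances = {p: edit_distance(registrable(sk), registrable(p)) for p in protected}
    closest = min(distances, key=distances.get)
    if distances[closest] <= max_distance:
        return "typosquat", closest
    return "unrelated", None

# Cyrillic е in place of Latin e, as it appears on the wire after IDNA encoding.
PUNYCODE_SAMPLE = "\u0435xample.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for h in ["mail.example.com", "exarnple.com", "examp1e.com", PUNYCODE_SAMPLE,
              "example.com.login-portal.net", "exmaple.com", "github.com"]:
        print(f"{h:32} {classify(h)}")
```

The same logic can be run over the hostnames extracted from links in incoming mail, or over newly registered domains from certificate-transparency feeds, to spot look-alikes of your own brand before they are used against your staff.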
Training in security awareness should not be done on a one-off basis. Regularly assess the effectiveness of the training and redeploy it if necessary.
A simulated phishing attack, in which controlled phishing attempts are made against your staff, can demonstrate how susceptible they are and how much your organization is at risk. Using this information, you can retrain those who need it most, thereby reducing your exposure.
Protect your Business
Would your business be able to withstand a hacker’s attack? Small businesses in Markham, Richmond, and the Greater Toronto Area trust us to manage their cybersecurity and compliance needs. If you’re designing a cybersecurity system from the ground up or just looking for risk mitigation and fortification, we can help.
Take advantage of our experienced professionals’ knowledge when designing your IT cyber security solutions. As an award-winning Toronto cybersecurity consulting firm specializing in small business, we’re ready to help you. Contact us now.