Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access.
In a social engineering attack, an attacker uses social skills (human interaction) to obtain or compromise information about an organization or its computer systems. An attacker may seem respectable, claiming to be a new employee, support/repair person for instance and even offering credentials to support that identity. However, by asking questions and interacting, he or she may be able to piece together enough information to infiltrate an organization’s network.
That’s an art of human hacking.
Why social engineering
Many social engineering exploits simply rely on people’s willingness to be helpful (We are human).
Criminals take advantage of this and use your trust since it is hard to discover ways to hack your software or passwords. For example, it’s easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is weak).
There is no patch for a human error, it has become difficult to fully secure networks since the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks are on your doors, burglar bars, dogs, alarm systems, fence/wall and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate you expose yourself to whatever risk he represents.
Criminals seek different types of information like passwords, bank details, or access to your computer to secretly install malicious software which will give them control over your computer.
Popular types of social engineering attacks:
Phishing is the most common type of social engineering attack used today. The attacker sends a fraudulent email, IM, comment or text message disguised as legitimate, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
Spear phishing is phishing, which is targeted and tailored to a specific person or organization.
Baiting is when an attacker entices victims like leaving a malware-infected physical device, such as a USB flash drive in a place where it will be easily found like a parking lot, reception, toilet etc. The finder then picks up the device and plugs it into his or her computer, thereby unintentionally installing the malware on the device.
Pretexting is when one party lies to another to gain access to privileged data. The attacker creates a good pretext, or a fabricated scenario, that they can use to try to steal their victims’ personal information. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target. For example, a pretexting scam could involve an attacker who impersonates an external IT services auditor or support staff and manipulates a company’s physical security staff into letting him/her into the building.
Tailgating or piggybacking attacks involve someone without proper authentication following an employee into a restricted area. Attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk and or any security barrier like door access control systems
Scareware involves tricking the victim into thinking his computer is infected with malware. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is tricked into downloading and installing the attacker’s malware.
How to avoid being a victim
- Never use phone numbers from the email. it is easy for a scammer to pretend you’re talking to the right person. Let’s say you receive an email from an attacker purporting to be from the bank requesting you to confirm your banking details, if you call the number on the phishing email, the attacker will answer the phone like it’s the real bank you are calling.
- Curiosity leads to careless clicking if you don’t know what the email is about. Clicking links is a poor choice. Pay attention to the URL of a website. You can hover your mouse on the link and at the bottom you will see the real URL of the link. If the link is shortened don’t click on it. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
- Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam. never give out confidential information. Do not provide information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Don’t send sensitive information over the Internet before checking a Website’s security.
- Beware of any download or attachment. If you don’t know the sender personally or do not expect a file, downloading anything is a mistake. Even if the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading. The friend’s email account may be compromised or the email is spoofed.
- Secure your computing devices with anti-virus, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and you can use free tools for updating third-party applications like Kaspersky Software Updater, Patch My PC Updater
- Use anti-phishing tools offered by your web browser or third-party tools to alert you to risks like phishing links. Some of the third-party browser add-ons are McAfee WebAdvisor formerly SiteAdvisor, Web Of Trust (WOT) . Recently WOT is said to be collecting and selling the browsing history of users to third-parties, without anonymizing the user data. See more info here.
- Safeguard information about yourself. Security questions are usually easy to defeat because they’re systemically flawed. Use the most obscure questions available, custom questions or lie to the questions and you have to remember the lie (answer). You can make a note in your password manager if you’re afraid of forgetting the questions. People like picking questions that have answers that are easy to remember. These questions are the easiest for an intruder to decipher, like “Where were you born?” or “What city did you go to high school in?”
What to do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the proper people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Security awareness training can go a long way towards preventing social engineering attacks. If people know what forms social engineering attacks are likely to take, they will be less likely to become victims.
What does your organization do to combat malicious social engineering?