Cybersec Basics 2: Social Engineering
Social engineering is an umbrella term for malicious activity carried out through human interaction rather than through a technical flaw. Attackers use social skills to manipulate a victim's emotions and judgment so that the victim discloses sensitive information or makes a security mistake.
A widely repeated estimate, quoted in the Usecure article listed in the references, attributes 95% of cybersecurity breaches to human error. Whatever the exact figure, people are usually the path of least resistance, and criminals exploit that. They pose as co-workers, relatives, or legitimate companies to talk targets into handing over information. Beyond identity theft and bank fraud, the same techniques are used to steal trade secrets and to compromise government and defense targets.
Social engineering is popular among threat actors because it is cheap and effective compared with defeating technical controls. It can be run online or in person, but the usual goal is the same: obtain credentials, personal data, or payment details in order to steal identities or money. Attackers also use it to get malware onto a machine, which gives them a foothold in the system, the network, and the data on it.
How it works
Social engineering attacks rely mostly on communication between attacker and victim. To succeed, threat actors gather information about the target beforehand: they study an individual's behavior through social media, or map out a company's structure, suppliers, and routines so that their story sounds right.
With that research in hand, the attacker poses as a legitimate person or trusted source and works to build a relationship with the victim. Details gathered during reconnaissance (a manager's name, a current project, a vendor the company really uses) buy credibility and get the victim to lower their guard.
Once rapport is established, the attack moves to the exploitation stage. The threat actor elicits what they need, such as account logins, contact details, or payment information, or gets the victim to perform an action such as opening an attachment or approving a transfer. After acquiring it, they break off contact and proceed with the actual attack.
A social engineering campaign can be a single e-mail or a relationship cultivated over months, but the end goal is the same: get a user to share information or expose themselves to malware. By impersonating someone trusted, such as tech support or an employer, the attacker turns ordinary helpfulness and deference into a vulnerability.
Common Types of Social Engineering Attacks
Threat actors use several varieties of social engineering to trick users. The most common are:
- Phishing
Phishing is the attack everyone is aware of by now, and it remains common and effective. It arrives by e-mail, text message (smishing), or phone call (vishing). The message appears to come from a trusted source and pushes the recipient to share financial or personal information, enter credentials on a fake login page, or open an attachment that installs malware.
Phishing has evolved toward higher-value targets. Spear phishing tailors the lure to a specific person or organization, using details from reconnaissance so that the message reads as routine business. Beyond stealing data, a successful spear-phishing e-mail can plant malware on the target's computer, giving the attacker access to company data and a foothold for further control.
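The tells described above (a display name that claims a brand the sender's domain does not belong to, a Reply-To that goes somewhere else, pressure language, and links whose visible text disagrees with their target) can be checked mechanically. The script below is an added example written for this article, not code from the original post or from any of its sources. The two e-mail messages are constructed for the demonstration, and the brand list, homoglyph table, urgency wordlist and anchor regex are simplifying assumptions a real mail filter would replace with maintained lists and a proper HTML parser.

```python
"""Phishing-indicator triage for a raw e-mail message (added example, see lead-in)."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumptions for this example: a tiny brand -> legitimate-domain map, digits commonly
# swapped for letters in lookalike domains, and a short urgency wordlist.
BRANDS = {"paypal": "paypal.com"}
HOMOGLYPHS = str.maketrans("0135", "oles")
URGENCY = re.compile(r"\b(urgent|suspend|immediately|within 24 hours|verify now)\b", re.I)
# Simplified anchor matcher; a real tool would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample: brand in the display name, digit-for-letter sender
# domain, Reply-To somewhere else, and link text that disagrees with the href target.
PHISH_EML = b"""From: "PayPal Support" <alerts@paypa1-secure.com>
Reply-To: recover@mail-helpdesk.example
To: victim@example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Your account is limited. Verify within 24 hours to avoid suspension.</p>
<p><a href="http://xn--pypal-4ve.com/login">https://www.paypal.com/signin</a></p></body></html>
"""

# Constructed benign sample: sender, display name and links all agree.
BENIGN_EML = b"""From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready.</p>
<p><a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p></body></html>
"""


def addr_domain(header_value):
    """Domain of the first address in a header, lowercased, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower().rstrip(".") if m else None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url):
    host = urlparse(url.strip()).hostname
    return host.lower().rstrip(".") if host else None


def brand_mismatch(host, where):
    """Flag a host that spells a brand after homoglyph folding but is not that brand's domain."""
    folded = host.translate(HOMOGLYPHS)
    for brand, legit in BRANDS.items():
        if brand in folded and registered_domain(host) != legit:
            return f"{where} host {host} imitates {brand} but is not {legit}"
    return None


def triage(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_hdr = str(msg["From"] or "")
    from_dom, reply_dom = addr_domain(from_hdr), addr_domain(msg["Reply-To"])
    display_name = from_hdr.split("<")[0].lower()

    # Header checks: Reply-To hijack, brand in display name, lookalike sender domain.
    if from_dom and reply_dom and registered_domain(from_dom) != registered_domain(reply_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    for brand, legit in BRANDS.items():
        if brand in display_name and from_dom and registered_domain(from_dom) != legit:
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")
    if from_dom and (note := brand_mismatch(from_dom, "sender")):
        findings.append(note)

    # Content checks: pressure language, punycode hosts, text/href disagreement, lookalike links.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg["Subject"] or "")) or URGENCY.search(content):
        findings.append("urgency or threat language in subject/body")
    for href, text in ANCHOR.findall(content):
        host = host_of(href)
        if not host:
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode (IDN) host in link: {host}")
        shown = host_of(text) if "://" in text else None
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
        if note := brand_mismatch(host, "link"):
            findings.append(note)
    return findings


if __name__ == "__main__":
    print("phish  ->", triage(PHISH_EML))
    print("benign ->", triage(BENIGN_EML))
```

Run as-is, the phishing sample produces six separate indicators while the benign statement notice produces none. No single indicator is proof on its own (legitimate mailers do use third-party Reply-To addresses, and marketing copy is full of urgency), which is why the function returns the full list rather than a verdict: a mail gateway would score and threshold them, and a user can apply the same questions by hand before clicking.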
- Baiting
Baiting uses curiosity or greed to lure a victim into compromising themselves. Threat actors dangle something attractive, such as a job offer, a prize, or easy money, to catch a user's attention; once the victim bites, their device is infected with malware. The bait is often an e-mail attachment or download, but the technique also works offline: USB drives left in a parking lot or lobby, labelled to invite curiosity, will be plugged in by someone and run whatever they contain.
- Scareware
As the name suggests, scareware is malicious software, or a pop-up imitating it, that frightens the victim into acting. It claims the computer is infected or that an account has been compromised, and uses that panic to push the victim into buying or downloading a "fix". In reality the fix is the malware itself, or a payment to the attacker for nothing.
- DNS Spoofing
DNS spoofing alters DNS answers, for example by poisoning a resolver's cache, so that a legitimate hostname resolves to an attacker-controlled server hosting a copy of the intended site. Because the address bar shows the expected name, victims readily enter login credentials and other sensitive data, or accept a download that installs malware. Strictly this is a technical attack rather than a human one, but it is usually paired with a social engineering lure, and HTTPS is the main defense: the attacker cannot present a valid certificate for the spoofed name, so the browser's certificate warning is the tell that users must be taught never to click through.
- Physical Breach
Social engineering happens offline as well as online. A physical breach is when a threat actor impersonates someone with a reason to be on site, such as a contractor, a new hire, a delivery driver, or IT support, to get into a building or onto a device. They may tailgate an employee through a badge-controlled door, claim to be a former colleague who needs a passcode, or offer to "help" fix a problem on someone's machine. The real aim is access to accounts, unattended workstations, or the company network.
Ways to Prevent Social Engineering
- Don't overshare information online
As described above, threat actors do their homework before they act, and social media is a primary source. Job titles, org charts, vacation dates, and the names of vendors and colleagues are all raw material for a convincing pretext. Be deliberate about what you post and who can see it.
- Strong, unique passwords
Many users choose passwords that are easy to guess, or reuse one password across many accounts. A password is the first line of defense for an account, but a strong one only helps if it is also unique: a credential phished from one site is immediately tried against others. Use long, unique passwords generated and stored by a password manager, and change a password whenever there is reason to believe it has been exposed. Forced periodic rotation, by contrast, tends to produce weaker, predictable variations, and current guidance such as NIST SP 800-63B no longer recommends it.
- Multi-Factor Authentication
Because passwords alone are not enough, enabling two-factor or multi-factor authentication greatly reduces the odds that a stolen password leads to a breach. One caveat matters for social engineering in particular: one-time codes and push approvals can themselves be phished (a fake login page relays the code to the real site in real time) or worn down by repeated prompts until the user taps "approve". Where possible, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine site's origin and simply will not work on an impostor page.
- Security awareness training
Awareness is often overlooked by organizations, yet it is one of the most important factors in preventing a breach. Human error is acknowledged as a main cause of compromise, and training yourself and your employees to recognize the attacks described here, together with an easy, blame-free way to report a suspicious message or visitor, removes much of the attacker's advantage.
Social engineering affects individual users, small businesses, and large enterprises alike. Mitigating it takes both technology (such as mail filtering and MFA) and people. In the current climate an organization needs a comprehensive cybersecurity plan that protects sensitive data and its network, and that plan must include training users and clear procedures for verifying unusual requests before acting on them.
“Avoiding Social Engineering and Phishing Attacks | CISA.” Cybersecurity & Infrastructure Security Agency, 22 Oct. 2009, us-cert.cisa.gov/ncas/tips/ST04-014.
CSO Staff. “CSO’s Ultimate Guide to Social Engineering.” CSO Online, 28 Feb. 2012, www.csoonline.com/article/2130996/cso-s-ultimate-guide-to-social-engineering.html.
Fruhlinger, Josh. “Social Engineering Explained: How Criminals Exploit Human Behavior.” CSO Online, 25 Sept. 2019, www.csoonline.com/article/2124681/what-is-social-engineering.html.
Kenton, Will. “What Is Social Engineering?” Investopedia, 06 July 2021, www.investopedia.com/terms/s/social-engineering.asp.
“Types of Social Engineering Attacks | IT Governance.” IT Governance, www.itgovernance.co.uk/social-engineering-attacks. Accessed 2 Sept. 2021.
Ahola, Micke, et al. “The Role of Human Error in Successful Cyber Security Breaches.” Usecure, blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches. Accessed 2 Sept. 2021.