An Introduction to Social Engineering
Social engineering attacks are on the rise; they’re becoming more frequent and at the same time more sophisticated as well.
Today, we discuss some basic things about social engineering, including the definition, the different types of social engineering attacks etc. Here we go…
Social Engineering: The Definition
The term social engineering refers to the strategies used by cybercriminals to trick people into breaking standard security practices. This is a rather non-technical terrain as there is no direct exploitation of systems or software involved. The hackers seek to manipulate victims into sharing personal data or performing certain things- like opening some email attachments or clicking on links that would be infected with malware, installing or sharing malware etc.
Though social engineering is rather non-technical, it’s one of the major threats that organizations face today. Using social engineering tactics, hackers manage to break into networks of large companies and organizations and get away with loads of confidential data- sensitive personal data and corporate data as well.
To be remembered is the fact that cybercriminals who carry out social engineering attacks exploit either the weaknesses of users or their natural helpfulness. These hackers would come up with messages that make appeals for help but actually designed to infect the user’s system/device with malware and steal data. Social engineering thrives by exploiting fear, greed, helpfulness, curiosity etc, which could lead users to open emails, click on links, download attachments etc. This could eventually lead to malware infection, stealing of data etc.
The different kinds of social engineering attacks
There are different kinds of social engineering attacks that cybercriminals usually resort to…
Phishing- Phishing, as we know, is one of the most popular kinds of cyberattacks. A hacker would communicate with a user, pretending to be or disguised as a legitimate, trusted person and tricking the user into opening malicious emails, clicking on malicious links etc. The most popular mode adopted is email. Email phishing scams involve the sending of emails that would seem to come from legitimate sources- banks, insurance firms, clients, government agencies etc. Once the user opens such an email, he would be tricked into clicking on a link or downloading an attachment. He would be told that it’s important to do so, in order to pay a fine, make a renewal, re-confirm his address etc. The user may even be asked to fill a form with personal details. The unsuspecting user would follow the instructions, and this would ultimately lead to a data breach or malware installation in his system/device. Phishing attacks are also carried out via phone calls, instant messengers, the social media etc. The call or message would urge the user to make a donation for a charity or to help someone affected by a natural disaster, but the real intentions would definitely be malicious.
Spear phishing – Spear phishing is a more targeted kind of phishing attack in which a hacker uses personal information pertaining to a user to gain trust and make things look legitimate. Thus, a hacker, using information that he has gathered from the victim’s social media accounts or other online activities, would send an email that the victim would take for a legitimate one. Thus, those behind spear phishing attacks manage to get more successful compared to other general phishing attacks.
Baiting- The name says it all! Hackers could leave, as some kind of a bait, a CD or a USB flash drive, in a place where someone would easily find it. Curiosity would lead the person who finds it to try opening it and consequently, unknown to that person, malware would be installed in the system.
Pretexting- A hacker would fabricate some false circumstances, pretend to be in need of some information and thus make a user provide access to critical, protected systems or divulge sensitive data. An example of such an attack is a hacker pretending to be someone from a company’s IT department and asking the victim (some employee of the company) to grant computer access or give out login credentials.
Tailgating- An unauthorized person following an authorized user into an otherwise secure area – that’s what tailgating (or piggybacking) is. Thus, a person impersonating as a delivery guy can get some employee who is making his entry to hold the door for him. Then, after entering the premises, he could go to the data room or gain access to some system and thus gain access to the network. Tailgating can also be mixed with baiting; a person who tailgates can leave a USB drive or CD that could ultimately be used for a social engineering attack.
Quid pro quo – Quid pro quo attacks involve hackers asking for sensitive information in exchange for a benefit. It could be a gift, the promise of some services etc. For example, a hacker can get some login credentials in exchange for a gift and then use the data to gain access to a whole network itself.
How to prevent social engineering attacks
Since social engineering attacks are on the rise, it’s important that organizations adopt measures to counter them. Some basic things that can be done to prevent social engineering attacks include:
- Educating employees as regards the common types of social engineering attacks, prevention strategies etc.
- Training employees as regards adopting prevention strategies.
- Ensuring that emails from untrusted sources are not opened. If emails that seem to be coming from known sources contain any content that raises suspicion (like asking for personal data), it’s always best to contact the sender directly and ascertain things.
- Ensuring that no user gives in to temptations or divulges details after yielding to curiosity, greed etc.
- Ensuring that computers and laptops are locked when someone moves away.
- Using antivirus/antimalware software, data monitoring tools, email filters etc and ensuring proper firewall protection.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.