Most cybercriminals are master manipulators, but that doesn't mean they're all manipulators of technology. Some cybercriminals favor the art of human manipulation.

In other words, they favor social engineering: exploiting human errors and behaviors to conduct a cyberattack. For a simple example, a cybercriminal might impersonate an IT professional and request your login information to patch a security flaw on your device. If you provide the information, you've handed a malicious individual the keys to your account, and they didn't even have to go to the trouble of hacking your email or computer to do it. As with most cyber threats, social engineering comes in many forms, and those forms are ever-evolving. Here, we overview what social engineering looks like today, the attack types to know, and the red flags to watch for so you don't become a victim.

Social engineering defined

Social engineering is the art of manipulating someone into divulging sensitive or confidential information, usually through digital communication, that can then be used for fraudulent purposes. Unlike traditional cyberattacks, which rely on security vulnerabilities to gain unauthorized access to devices or networks, social engineering techniques target human vulnerabilities. For this reason, it's also called human hacking. Cybercriminals who conduct social engineering attacks are called social engineers, and they usually operate with two goals in mind: to wreak havoc and/or to obtain valuables like important information or money.

How social engineering works

Like most types of manipulation, social engineering is built on trust first (false trust, that is) and persuasion second. Generally, there are four steps to a successful social engineering attack:
Depending on the social engineering attack type, these steps could span a matter of hours to a matter of months. No matter the time frame, knowing the signs of a social engineering attack can help you spot — and stop — one fast.

Signs of a social engineering attack

Social engineering can happen everywhere, online and offline. And unlike traditional cyberattacks, in which cybercriminals are stealthy and want to go unnoticed, social engineers are often communicating with us in plain sight. Consider these common social engineering tactics, any one of which might be right under your nose.

Your "friend" sends you a strange message

Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, or even a banking institution, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it, ideally over a different channel than the one the message arrived on.

Your emotions are heightened

The more irritable we are, the more likely we are to let our guard down. Social engineers are adept at stirring up emotions like fear, excitement, curiosity, anger, guilt, or sadness. In your online interactions, consider the cause of these emotional triggers before acting on them.

The request is urgent

Social engineers don't want you to think twice about their tactics. That's why many social engineering attacks involve some type of urgency, such as a sweepstakes you have to enter now or cybersecurity software you need to download to wipe a virus off your computer.

The offer feels too good to be true

Ever receive news that you didn't ask for? Even good news like, say, winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it's just that — and potentially a social engineering attack.

You're receiving help you didn't ask for

Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam.
And considering you might not be an expert in their line of work, you might believe they're who they say they are and give them access to your device or accounts.

The sender can't prove their identity

If you raise any suspicions with a potential social engineer and they're unable to prove their identity — perhaps they won't do a video call with you, for instance — chances are they're not to be trusted.

10 social engineering attack types + examples

Almost all cyberattacks have some form of social engineering involved. And most social engineering techniques also involve malware, meaning malicious software that wreaks havoc on our devices without our knowledge and potentially monitors our activity. Pore over these common forms of social engineering, some involving malware, along with real-world examples and scenarios for further context.

1. Scareware

As the name indicates, scareware is malware that's meant to scare you into taking action — and taking it fast. It often comes in the form of pop-ups or emails indicating you need to "act now" to get rid of viruses or malware on your device. In fact, if you act, you might be downloading a computer virus or malware.

Scareware example

It's not only individual cybercriminals who leverage scareware. In 2019, an office supplier and a tech support company teamed up to commit scareware acts. The office supplier required its employees to run a rigged PC test on customers' devices that would encourage customers to purchase unneeded repair services. Ultimately, the Federal Trade Commission ordered the supplier and tech support company to pay a $35 million settlement.

2. Email hacking and contact spamming

It's in our nature to pay attention to messages from people we know. Social engineers know this all too well, commandeering email accounts and spamming contact lists with phishing scams and messages.
Email hacking and contact spamming example

If your friend sent you an email with the subject "Check out this site I found, it's totally cool," you might not think twice before opening it. By taking over someone's email account, a social engineer can make those on the contact list believe they're receiving emails from someone they know. The primary objectives include spreading malware and tricking people out of their personal data.

3. Access tailgating

Also known as piggybacking, access tailgating is when a social engineer physically trails or follows an authorized individual into an area they do not have access to. This can be as simple an act as holding a door open for someone else. Once inside, they have free rein to access devices containing important information.

Access tailgating example

If someone is trailing behind you with their hands full of heavy boxes, you'd hold the door for them, right? In reality, you might have a social engineer on your hands. Your act of kindness is granting them access to a restricted area where they can potentially tap into private devices and networks.

4. Phishing

Phishing is a well-known way to grab information from an unwitting victim. How it typically works: a cybercriminal, or phisher, sends a message to a target asking for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or verify your mailing address. Worth noting is that there are many forms of phishing that social engineers choose from, each with a different means of targeting. Spam phishing often takes the form of one big email sweep, not necessarily targeting a single user. Spear phishing targets individual users, perhaps by impersonating a trusted contact. Whaling targets celebrities or high-level executives. Phishing also comes in a few different delivery forms:
Phishing example

A social engineer might pose as a banking institution, for instance, asking email recipients to click on a link to log in to their accounts. Those who click the link, though, are taken to a fake website that, like the email, appears to be legitimate. If they log in at that fake site, they're essentially handing over their login credentials and giving the cybercriminal access to their bank accounts.

5. DNS spoofing

Also known as cache poisoning, DNS spoofing is when DNS responses are manipulated so that online users are redirected to malicious websites bent on stealing sensitive information. In other words, DNS spoofing is when your resolver's cache is poisoned with these malicious redirects: the address bar can still show the legitimate name while that name now resolves to an attacker-controlled server.

DNS spoofing example

In 2018, a cloud computing company and its customers were victims of a DNS spoofing attack that resulted in around $17 million of cryptocurrency being stolen from victims. Cybercriminals rerouted people trying to log into their cryptocurrency accounts to a fake website that gathered their credentials for the cryptocurrency site and ultimately drained their accounts.

6. Baiting

Baiting is built on the premise of someone taking the bait: dangling something desirable in front of a victim and hoping they'll bite. This occurs most often on peer-to-peer and social media sites, where someone might encourage you to download a video or music, only for you to discover it's infected with malware — and now, so is your device.

Baiting example

For a physical example of baiting, a social engineer might leave a USB stick, loaded with malware, in a public place where targets will see it, such as a cafe or bathroom. In addition, the criminal might label the device in a compelling way — "confidential" or "bonuses." A target who takes the bait will pick up the device and plug it into a computer to see what's on it. The malware will then automatically inject itself into the computer.

7. Physical breaches

As the name indicates, physical breaches are when a cybercriminal is in plain sight, physically posing as a legitimate source to steal confidential data or information from you. This might be as a colleague or an IT person — perhaps a disgruntled former employee — acting like they're helping you with a problem on your device. In fact, they could be stealing your account logins.

Physical breaches example

A social engineer posing as an IT person could be granted access to an office to update employees' devices — and they might actually do this. At the same time, however, they could be installing a keylogger on the devices to track employees' every keystroke and patch together confidential information that can be used in other cyberattacks.

8. Pretexting

What is pretexting? It's the use of an interesting pretext, or ploy, to capture someone's attention. Once the story hooks the person, the social engineer tries to trick the would-be victim into providing something of value. Oftentimes, the social engineer is impersonating a legitimate source.

Pretexting example

Let's say you receive an email naming you as the beneficiary of a will or a house deed. The email requests your personal information to prove you're the actual beneficiary and to speed the transfer of your inheritance. Instead, you're at risk of giving a con artist the ability not to add to your bank account, but to access and withdraw your funds.

9. Watering hole attacks

A watering hole attack is a one-sweep attack that infects a single webpage with malware. The webpage is almost always on a very popular site — or virtual watering hole, if you will — to ensure that the malware can reach as many victims as possible.

Watering hole attack example

In 2014, a media site was compromised in a watering hole attack attributed to Chinese cybercriminals. They exploited vulnerabilities on the media site to create a fake widget that, when loaded, infected visitors' browsers with malware.
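The red flags from the "Signs of a social engineering attack" section (urgency, a sender who isn't who they claim to be) and the phishing example above (a link that leads to a fake site dressed up as the bank's) can be turned into a simple triage check that a defender runs over an incoming message before anyone clicks. The following is an added example, not code from the original article: the trusted-domain list, the urgency phrases, and the two sample emails are constructed for illustration, and the "registrable domain" helper is a deliberate simplification that takes the last two labels of a hostname instead of consulting a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's legitimate brand domains (constructed list).
TRUSTED_DOMAINS = ("examplebank.com", "example.com")
# Assumption: hand-picked urgency phrases (constructed list).
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "urgent",
                   "suspended", "verify your account", "final notice")

class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude registrable domain (last two labels); a real deployment would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            return trusted
    return None

def host_from_text(text):
    """Hostname from link text that is a bare domain or a URL ('' otherwise)."""
    text = text.strip()
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def triage_email(sender_display, sender_address, subject, html_body):
    """Count the article's red flags in one message and explain each hit."""
    reasons = []
    # 1. Display name claims a trusted brand, but the sending domain is not that brand's.
    addr_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    compact = sender_display.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in compact:
            if addr_domain != trusted:
                reasons.append(f"display name '{sender_display}' but sender domain {addr_domain}")
            break
    # 2. Urgency language in the subject or the visible body text.
    visible = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    # 3. Links: visible text vs. real target, and lookalike target domains.
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host)
        text_host = host_from_text(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != href_domain:
            reasons.append(f"link text shows {text_host} but points to {href_host}")
        imitated = lookalike_of(href_domain)
        if imitated:
            reasons.append(f"link domain {href_domain} looks like {imitated}")
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample messages, not real mail.
SUSPICIOUS = dict(
    sender_display="ExampleBank Security", sender_address="alerts@mail-examplebank-support.net",
    subject="URGENT: your account will be suspended",
    html_body='<p>Please <a href="http://examp1ebank.com/login">verify your account</a> within '
              '24 hours, or visit <a href="http://examplebank.com.evil-host.test/">examplebank.com</a>.</p>')
BENIGN = dict(
    sender_display="ExampleBank", sender_address="statements@examplebank.com",
    subject="Your monthly statement is ready",
    html_body='<p>View it at <a href="https://examplebank.com/statements">examplebank.com</a>.</p>')
```

Running `triage_email(**SUSPICIOUS)` yields four indicators (brand name with a foreign sending domain, urgency wording, a one-character typosquat of the bank's domain, and link text that shows the bank's domain while the href points elsewhere), while the benign statement email yields none. The score is a triage heuristic to feed into a spam filter or to prioritise analyst review, not a verdict on its own; legitimate mail does occasionally use urgent wording, and the last-two-labels domain rule misjudges country-code suffixes.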
10. Quid pro quo

Quid pro quo means a favor for a favor, essentially "I give you this, and you give me that." In social engineering, the victim coughs up sensitive information like account logins or payment methods, and then the social engineer doesn't hold up their end of the bargain.

Quid pro quo example

For a video gaming example of quid pro quo, you might be on a gaming forum on the lookout for a cheat code to get past a difficult level. Perhaps you wire money to someone selling the code, only to never hear from them again and never see your money again.

15 tips to avoid becoming a victim of a social engineering attack

Your best defense against social engineering attacks is to educate yourself about their risks, red flags, and remedies. To that end, look to the following tips to stay alert and avoid becoming a victim of a social engineering attack.

Communicate safely online

Your own wits are your first defense against social engineering attacks. Simply slowing down and approaching almost all online interactions with skepticism can go a long way toward stopping social engineering attacks in their tracks.

1. Don't click links you didn't request.
2. Don't overshare personal information online.
3. Be cautious of online-only friendships.
4. Remember the signs of social engineering.
5. Acknowledge what's too good to be true.

Secure your accounts and networks

Beyond putting your own guard up, you'd do well to guard your accounts and networks against cyberattacks, too. Consider these means and methods to lock down the places that host your sensitive information.

6. Use two-factor authentication.
7. Only use strong, unique passwords and change them often.
8. Consider a password manager to keep track of your strong passwords.
9. Set high spam filters.
10. Don't allow strangers on your Wi-Fi network.
11. Use a virtual private network.
12. Monitor your account activity closely.
Safeguard your devices

Finally, ensuring your devices are up to cybersecurity snuff means that you aren't the only one charged with warding off social engineers — your devices are doing the same.

13. Don't leave devices unattended.
14. Use cybersecurity software.
15. Keep your software up to date.

Manipulation is a nasty tactic for someone to get what they want. Thankfully, it's not a sure-fire one when you know how to spot the signs of it. Now that you know what social engineering is — and the techniques associated with it — you'll know when to put your guard up higher, online and offline.

What methods does a social engineering hacker use to gain information?

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail, or direct contact to gain illegal access. Phishing, spear phishing, and CEO fraud are all examples.
What are the three steps in a social engineering attack?

Information gathering. The likelihood of success for most attacks depends on this phase, so it is only natural that attackers invest the majority of their time and attention here. ...
Establish relationship and rapport. This phase establishes a working relationship with the target. ...
Exploitation. ...
Execution.

How does a social engineer gain access?

This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

What are some psychological methods that social engineers use to gain information?

A social engineer will manipulate their target using email, phone, or in-person tactics to acquire confidential information. By observing personal mentalities, recurring routines, and relationships, the social engineer can develop the appearance of an individual you might naturally trust.