Cybersecurity - Social Engineering
Social Engineering Explained
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into granting access to your computer so they can secretly install malicious software that will give them your passwords and bank information as well as control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try to crack their password (unless the password is really weak).
How Social Engineering Works
- Preparation: The social engineer gathers information about their victims, including where they can access them, such as on social media, email, text message, etc.
- Infiltration: The social engineer approaches their victims, usually impersonating a trustworthy source and using the information gathered about the victim to validate themselves.
- Exploitation: The social engineer uses persuasion to request information from their victim, such as account logins, payment methods, contact information, etc., that they can use to commit their cyberattack.
- Disengagement: The social engineer stops communication with their victim, commits their attack, and swiftly departs.
Signs of a Social Engineering attack
- Your “friend” sends you a strange message
  - Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you suspicious messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it.
- Your emotions are heightened
  - The more irritable we are, the more likely we are to let our guard down. Social engineers are great at stirring up emotions like fear, excitement, curiosity, anger, guilt, or sadness. In your online interactions, consider the cause of these emotional triggers before acting on them.
- The request is urgent
  - Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstakes you have to enter now or cybersecurity software you need to download to wipe a virus off your computer.
- The offer feels too good to be true
  - Ever receive news that you didn’t ask for? Even good news like, say, winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it’s just that — and potentially a social engineering attack.
- You’re receiving help you didn’t ask for
  - Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. And considering you might not be an expert in their line of work, you might believe they’re who they say they are and give them access to your device or accounts.
- The sender can’t prove their identity
  - If you raise any suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.
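As an added illustration (not part of the original article), the following Python heuristic checks a constructed email against three of the signs above: a familiar display name whose address belongs to a different domain, urgent or too-good-to-be-true wording, and link text that shows one domain while the link actually goes to another. The phrase lists, the trusted-sender map and the sample addresses are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase lists and trusted-sender map, chosen for illustration only.
URGENCY = ("act now", "immediately", "within 24 hours", "will be suspended")
TOO_GOOD = ("you have won", "free cruise", "lottery", "claim your prize")
KNOWN_SENDERS = {"example bank": "examplebank.com"}  # org name -> real domain
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    # Hostname of a URL or bare domain, lower-cased, without a leading "www."
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(display_name, sender_addr, subject, html_body):
    """Return the warning signs from the list above that this message triggers."""
    hits = []
    text = (subject + " " + html_body).lower()
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    # A familiar name whose address does not belong to that organisation.
    for org, real_domain in KNOWN_SENDERS.items():
        if org in display_name.lower() and sender_domain != real_domain:
            hits.append(f"'{display_name}' sent from {sender_domain}, not {real_domain}")
    if any(p in text for p in URGENCY):
        hits.append("urgent language")
    if any(p in text for p in TOO_GOOD):
        hits.append("too-good-to-be-true offer")
    # Link text that shows one domain while the href points at another.
    parser = _LinkParser()
    parser.feed(html_body)
    for href, shown in parser.links:
        if LOOKS_LIKE_URL.fullmatch(shown) and _domain(shown) != _domain(href):
            hits.append(f"link shows {_domain(shown)} but goes to {_domain(href)}")
    return hits
```

Such a scorer is a triage aid for a mail gateway or an awareness exercise, not a replacement for the human check the list above recommends.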
Examples of Social Engineering
- Scareware - As the name indicates, scareware is malware that’s meant to scare you into taking action — and taking it fast. It often comes in the form of pop-ups or emails indicating you need to “act now” to get rid of viruses or malware on your device. In fact, if you act you might be downloading a computer virus or malware.
  - Example: It turns out it’s not only lone cybercriminals who leverage scareware. In 2019, an office supplier and a tech support company teamed up to commit scareware acts. The office supplier required its employees to run a rigged PC test on customers’ devices that would encourage customers to purchase unneeded repair services. Ultimately, the Federal Trade Commission ordered the supplier and the tech support company to pay a $35 million settlement.
- Email hacking and contact spamming - It’s in our nature to pay attention to messages from people we know. Social engineers know this all too well, commandeering email accounts and spamming contact lists with phishing scams and messages.
  - Example: If your friend sent you an email with the subject “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a social engineer can make those on the contact list believe they’re receiving emails from someone they know. The primary objectives include spreading malware and tricking people out of their personal data.
- Access tailgating - Also known as piggybacking, access tailgating is when a social engineer physically trails or follows an authorized individual into an area they do not have access to. This can be as simple as holding a door open for someone else. Once inside, they have free rein to access devices containing important information.
  - Example: If someone is trailing behind you with their hands full of heavy boxes, you’d hold the door for them, right? In reality, you might have a social engineer on your hands. Your act of kindness is granting them access to a restricted area where they can potentially tap into private devices and networks.
- Phishing - Phishing is a well-known way to grab information from an unwitting victim. How it typically works: a cybercriminal, or phisher, sends a message to a target asking for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or to verify your mailing address.
  - Example: A social engineer might pose as a banking institution, for instance, asking email recipients to click on a link to log in to their accounts. Those who click on the link, though, are taken to a fake website that, like the email, appears to be legitimate. If they log in at that fake site, they’re essentially handing over their login credentials and giving the cybercriminal access to their bank accounts.
- DNS spoofing - Also known as cache poisoning, DNS spoofing is when a browser is manipulated so that online users are redirected to malicious websites bent on stealing sensitive information. In other words, DNS spoofing is when your cache is poisoned with these malicious redirects.
  - Example: In 2018, a cloud computing company and its customers were victims of a DNS spoofing attack that resulted in around $17 million of cryptocurrency being stolen from victims. Cybercriminals rerouted people trying to log in to their cryptocurrency accounts to a fake website that gathered their credentials for the cryptocurrency site and ultimately drained their accounts.
- Baiting - Baiting is built on the premise of someone taking the bait: dangling something desirable in front of a victim and hoping they’ll bite. This occurs most often on peer-to-peer sites like social media, where someone might encourage you to download a video or music, only for you to discover it’s infected with malware — and now, so is your device.
  - Example: For a physical example of baiting, a social engineer might leave a USB stick loaded with malware in a public place where targets will see it, such as a cafe or bathroom. In addition, the criminal might label the device in a compelling way — “confidential” or “bonuses.” A target who takes the bait will pick up the device and plug it into a computer to see what’s on it. The malware will then automatically install itself on the computer.
- Physical breaches - As the name indicates, physical breaches are when a cybercriminal is in plain sight, physically posing as a legitimate source to steal confidential data or information from you. This might be as a colleague or an IT person — perhaps a disgruntled former employee — acting like they’re helping you with a problem on your device. In fact, they could be stealing your account logins.
  - Example: A social engineer posing as an IT person could be granted access to an office to update employees’ devices — and they might actually do this. At the same time, however, they could be putting a keylogger on the devices to track employees’ every keystroke and piece together confidential information that can be used in other cyberattacks.
- Pretexting - What is pretexting? It’s the use of an interesting pretext, or ploy, to capture someone’s attention. Once the story hooks the person, the social engineer tries to trick the would-be victim into providing something of value. Oftentimes, the social engineer is impersonating a legitimate source.
  - Example: Let’s say you received an email naming you as the beneficiary of a will or a house deed. The email requests your personal information to prove you’re the actual beneficiary and to speed the transfer of your inheritance. Instead, you’re at risk of giving a con artist the ability not to add to your bank account, but to access and withdraw your funds.
- Watering hole attacks - A watering hole attack is a one-sweep attack that infects a single webpage with malware. The webpage is almost always on a very popular site — or virtual watering hole, if you will — to ensure that the malware can reach as many victims as possible.
  - Example: In 2014, a media site was compromised with a watering hole attack attributed to Chinese cybercriminals. They exploited vulnerabilities on the media site to create a fake widget that, when loaded, infected visitors’ browsers with malware.
- Quid pro quo - Quid pro quo means a favor for a favor, essentially “I give you this, and you give me that.” In the case of social engineering, the victim coughs up sensitive information like account logins or payment methods, and then the social engineer doesn’t hold up their end of the bargain.
  - Example: For a quid pro quo video gaming example, you might be on a gaming forum and on the lookout for a cheat code to get past a difficult level. Perhaps you wire money to someone selling the code, only to never hear from them again and never see your money again.