Hackers and cybercriminals are a bunch of guys who know what they want and get it if you don’t take it seriously. There are a lot of methods with which snoopers and hackers can get access to you. Social engineering is one of those tricks cybercriminals use.
In this article, we will let you know what social engineering is and how can you prevent it.
Social engineering: How does it work?
Social engineering mainly involves communication between a victim and an attacker. It is mostly used in conjunction with other forms of cyberattacks. The attackers smoothly trick the victims into revealing sensitive information or vulnerabilities that they use to advance their attacks.
Instead of using brute force methods, the attackers motivate the victims to compromise themselves unknowingly through a well-choreographed strategy.
The lifecycle of social engineering
Any social engineering attack involves the following steps.
- Preparation: The attackers gather the victim’s background information. This includes information on the public domain, workplace, daily routine, family, etc.
- Infiltration: They then make the first contact with the victim and create interactions to build trust.
- Exploitation: Once trust is built, the attackers trick the victim into revealing sensitive information or weaknesses that can be used to advance the attack.
- Disengagement: After achieving their goal, the attackers retreat and stop engaging the victim.
The social engineering process can start as a face-to-face conversation, social media chat, or even an email. However, the results of the process could be instant or take longer. Whatever time it takes, if successful, you end up compromising yourself or exposing yourself to malware and other attacks.
Many organizations, consumers, and employees do not recognize such attacks. Hackers can, therefore, gather pieces of information and use them to launch a devastating attack. For instance, attackers pretending to be IT support personnel can access your sensitive information or login credentials, which can lead to large-scale data breaches.
Traits of social engineering attacks
A social engineering attack clouds your judgment and drives you into irrational decisions and actions. Most victims of these attacks realize the risk when it’s too late to reverse the situation and are left with bitter regrets. Most attacks come with the following traits.
- Trust: The attackers come with a strategically designed initiative to impress and make you believe them. Once the bond of trust is established, they confidently lie and manipulate you without suspicion until their target is achieved.
- Urgency. The Attackers will make you believe that they are in some kind of a problem and you are the only person who can help them. Your willingness to help overrides your ability to think critically, and you can easily compromise yourself.
- Heightened emotions: Actions and decisions made out of emotions are rarely the best. The attackers manipulate your emotions, driving you to make an irrational decision to their benefit. They manipulate emotions such as sadness, guilt, anger, curiosity, excitement, and fear to push you overboard.
Keep in mind that not all social engineering attacks come with the above traits. Other attackers use simple but effective techniques which you can easily ignore. For instance, an attacker can frequently visit an office to physically observe the computer screen and keyboard for any helpful clues. The method is highly unnoticeable, and the attacker may piece together fractions of crucial information and use them in a big attack.
History of social engineering
The art of deception and trickery has been around for many centuries. Con artists used social engineering skills to steal money and information from unsuspecting victims. The advancement of technology and the recent spread of the internet has revolutionized this art where criminals are devising new tactics and reaching all corners of the world.
A good example of an early social engineering ploy is the Jerusalem scam in the 18th century. Apparently, a noble Frenchman’s valet was imprisoned just after hiding his master’s treasure. Many prisoners took advantage of this and sent letters to random recipients claiming to be the valet who had the map of the hidden treasure. The prisoners promised the recipients the map if they could secure their release from prison. The scam was successful, and some recipients responded.
This was followed by the Spanish prisoner scam. A European nobleman wrote letters tricking the recipient that he was his distant relative and even correctly mentioned a diseased relative by name. The letter asked the recipient to pay for the prisoner’s release, and he would be heavily compensated with hidden treasures. Additionally, the scammer cited he had a young daughter he wanted to care for.
The Spanish scam is an advancement of the Jerusalem scam because the attacker created a fictional blood relationship with the victim. The prisoner also sought sympathy by mentioning he had a young daughter and knew the recipient’s diseased relative. Such emotions can trigger irrational decisions, which leads to vulnerability.
Social engineering scams continued evolving in the 20th century and have become more sophisticated. The 419 or the Prince of Nigeria scam is a modern social engineering scam. Attackers send their targets emails and text messages claiming to be wealthy, but their money has been locked in a foreign country, and they can’t access it on their own. They even send you forged documents to support their claims and request you to receive the money on their behalf, deduct a certain percentage and send them the rest. Along the way, they introduce an obstacle requiring bribing officials to release the money. At this point, they request you send them money to facilitate the release of funds. Once you send the money, you will never hear from them again. These types of scams are called advance fee scams because they aim at convincing the target to pay some fee before a greater price. Romance and advance fee scams are very common today because they are highly profitable and don’t require much investment.
Types of social engineering attacks
1. Watering Hole attacks
These attacks exploit the vulnerabilities in the busiest websites and infect them with malware. The goal is to infect many users at once before the bug is fixed. The attack may take time to plan because the attackers must analyze the websites to find the weaknesses to exploit. For this reason, many busy websites stick with one stable version for a long time, and an upgrade is only sanctioned if proven robust.
2. Scareware attacks
It uses social engineering malware to trick the user into taking action. For example, scareware may warn you that your account is compromised or your device has a virus, and you should click a certain button to clean it. This technique can deceive you into revealing your sensitive information, such as login credentials.
3. Cache Poisoning and DNS spoofing attacks
Both attacks cause the redirection of legitimate URLs to malicious and fraudulent websites. Cache poisoning plants routing instructions on your device which cause redirections, while DNS spoofing exploits browser weaknesses and continually redirects legitimate URLs to dangerous websites until the routing data is cleared from the respective system.
4. Quid Pro Quo attacks
Quid Pro Quo is a Latin word meaning a favor for a favor. It is a form of phishing that promises you a reward in exchange for your personal information. Quid Pro Quo Attacks are common in research studies and marketing campaigns. Excited users are duped and end up with nothing even after providing their personal information.
5. Access Tailgating attacks
Also known as piggybacking, it is a physical social engineering technique where an attacker gains access to a restricted area by secretly trailing an authorized staff member. The attackers may pretend to be holding the door for the victim just to convince them that they are also authorized to enter.
6. Pretexting attacks
Attackers posing as legitimate vendors or employees initiate interactions with the victim in order to build trust. For the attack to be successful, the attackers must convince the victims that they are legitimate. Once trust is built, the attacker can obtain sensitive information or launch attacks without suspicion.
7. Physical breach attacks
These attacks are similar to pretexting attacks. The attackers impersonate authorized personnel to gain access to restricted areas. The attack is high-risk, and it requires a lot of research and preparation. This type of attack is common in the enterprise environment and can involve an insider job or a recently fired employee. Anyone attempting a physical breach attack must be chasing a valuable reward.
8. Baiting attacks
An enticing free or exclusive reward arouses the users’ excitement and curiosity. They are then taken through a series of steps that eventually infect them with malware. Some of the popular baiting methods include;
- Fraudulent free software and email attachments about free offers.
- USB drives are left in public places like parking lots and libraries.
9. Phishing attacks
Phishing is a social engineering technique where attackers disguise trusted individuals or institutions to deceive you into revealing sensitive data. Phishing can be categorized into two.
- Spear phishing: This method uses personalized information to target specific users. Whaling, an extension of spear phishing, targets influential people such as top government officials, higher management, and popular celebrities.
- Spam phishing: These are extensive attacks targeting many users. They are not personalized, and they aim to deceive any unsuspecting user.
Phishing attackers use various channels to reach their target victims. Regardless, the attacks aim to access sensitive information and infect your device with malware. Below are some of the major channels of delivery used by phishing attackers.
- In-session phishing: It appears as a normal interruption when browsing. An example is a pop-up window that disguises a legitimate Login form.
- URL phishing: Lures users through fancy malicious links delivered via online ads, social media messages, texts, and emails. The links are attractive and deceptively created using URL-shortening tools.
- Search engine phishing: They display fake website links at the top of the search results. The links may be optimized to manipulate search engine ranks or appear as legitimate paid ads.
- Angler phishing: This is most common in social media, where attackers pretend to be the customer support team of a trusted company. They trick unsuspecting users into revealing sensitive information through direct messages and then launch a bigger attack.
- Email Phishing: The oldest phishing channel where attackers send emails containing malware attachments, phone numbers, and web links and urge the recipient to reply and follow up in an attempt to establish trust.
- SMS Phishing: The attackers send text messages which may contain a web link, a follow-up phone number, or a fraudulent email address.
- Voice phishing (Vishing): This may be a persuasive live, recorded, or automated speech seeking to build trust or trick you into revealing sensitive information.
10. Unusual social engineering methods
The attackers may use sophisticated techniques to achieve their goals depending on the target. These techniques include;
- Traditional mail malware distribution: In Japan, the attackers stole clients’ addresses from a bank database and then used the mail service to send CDs that were infected with spyware trojans to the clients.
- Fax-based phishing: A bank’s client was targeted with a fake email to confirm his access code. However, instead of replying via email, the client was instructed to print the form in the email, fill it out and fax it to the attacker’s phone number.
Examples of social engineering attacks
The most common forms of attacks combine malware and social engineering techniques. The attackers use social engineering techniques to lure users into launching malware-infected files or clicking links that lead to malicious websites. Your device may be easily infected if you don’t have reliable antivirus software to detect and remove the malware. Below are some examples:
1. Shaming infected users out of reporting an attack
Malware creators have devised new strategies to reduce the number of victims who report an attack. They do this by distributing files or utilities that promise illegal benefits. For example;
- An application that promises to increase a victim’s online balance
- Software that provides free mobile and internet communication.
- An application that generates credit card numbers.
Users who are attacked when using these fake utilities are not confident to report the attack because they will also be disclosing their illegal activities.
A good example is an attack that targeted corporate email addresses. The attackers sent emails with fake job offers to corporate employees who had registered with a recruitment website, but the attachment contained a trojan virus. The victims did not report the attack because it would notify their current employers that they were seeking alternative employment.
2. Peer-to-Peer (P2P) Network attacks
Not all files on P2P networks are safe. Some files are uploaded by scammers, and they may contain malware. The attackers use attractive file names to lure the users into downloading and launching the files. After launching the files, the consequences may be devastating. Below are examples of filenames coined by attackers on P2P networks.
- Play Station emulator crack.exe
- Pornstar3D.exe
- Microsoft CD Key Generator.exe
- AIM & AOL Password Hacker.exe
3. Worm attacks
The attackers lure the users into clicking a malicious link or opening an infected file. Examples of worm attacks include:
- The Swen worm: The attack came as a legitimate message from Microsoft with an attachment that claimed to fix Windows vulnerabilities. Many users believed it was a real Windows security patch and installed it on their systems. It was later identified as a worm.
- My doom email worm: It is one of the greatest attacks ever. The attack imitated technical messages issued by the mail server and caused a lot of damage.
- The LoveLetter worm: The victims received an email with a love letter attachment. Upon opening the attachment, the worm copied itself to all the contacts in the victim’s address book. The LoveLetter worm overloaded many companies’ email servers and is still one of the greatest attacks.
Identifying social engineering attacks
You must be proactive in defending yourself against social engineering attacks. The attackers expect you to react without considering the risks, and therefore, you should take time and critically analyze the situation. Whenever you suspect a social engineering attack, ask yourself these questions.
- Can this person prove their identity? Whether physically, online, or over the phone, do not entertain people who cannot prove they are who they claim to be. Many attackers impersonate legitimate people to access sensitive information or restricted areas.
- Are the links or attachments suspicious? Do not open links and attachments from unknown sources. Also, check the attachment or link to spot red flags such as odd context, time, filename, etc.
- When the deal is too good, think twice. Social engineering attacks motivate you by promising bogus rewards. Be wary of tempting offers that are too good to be true. Attackers may promise valuable giveaways after completing a simple task, but they are only interested in harvesting your personal information for their gain.
- Does this website look weird? Web page typos, incorrect company logos, poor image quality, and URL irregularities are all indicators of a potentially fraudulent website. Leave immediately when you feel that the website you are visiting is suspicious.
- Did my friend really send this message? If you receive a suspicious message, link, or attachment from a known address, check with them to verify its authenticity. Your friend’s account may be hacked, and the attacker may use the platform to launch further attacks.
- Is the sender of this message legitimate? Carefully examine the sender’s address and social media profiles to spot any anomalies. For example, the sender may be torn@example.com instead of tom@example.com.
- Are your emotions high? Social engineering attacks manipulate the emotions of the victims. You can’t think critically when you are excited, fearful, or curious and are likely to take action without thinking about consequences. Heightened emotion is a red flag when defending yourself against social engineering attacks.
9 tips for protection against social engineering
Social engineering can be fatal for both organizations and individuals. However, you can protect your safety against such malicious activity by adopting a few simple measures as an individual. Or in your company.
To protect against social engineering, we recommend you follow these best practices:
1. Be aware
Before indulging in anything, you must stay informed about different social engineering attacks and educate yourself on recognizing them. That means consuming all the information you can from this page. We recommend you bookmark it and give it a read every now and then.
2. Take time to respond
Whenever you get an email urging you to act immediately, take a moment to breathe and slow down. Think things through.
Most importantly, do not be afraid. Remember that fear is the mind-killer and the social engineer’s main ally. They want you to act without assessing the situation first, so don’t do their work for them. Instead, sit down, relax, and consider the whole scenario carefully.
3. Stay away from dubious links and files
It would be best if you always were very careful about the links you follow when they come in an unsolicited email. They could take you to websites that will infect your systems with malware.
Be mindful of the sites you visit. Hackers can come up with reasonably good forgeries of legitimate websites. Still, you will always be able to identify them as fake if you are careful. Read the address on your browser carefully and ensure it’s spelled correctly.
4. Double-check all your information
If you get an email from an alleged organization, take your time to verify that all the included data is accurate.
For instance, look up the organization’s official website and look for phone numbers. Do they match the numbers in the email? Also, remember that serious companies or governmental organizations never ask for sensitive information through phone calls or emails.
5. Verify identity
Always verify the identity of anyone who requests sensitive information or asks you to perform an action.
6. Do the typing
Type a website address by hand instead of blindly following links in unsolicited emails. Then, make sure you arrive at the correct website. Once you’re there, you can verify all the information in that urgent email to see if it makes sense, according to legitimate websites.
7. Hijacking happens all the time
You could get emails from people you know, respect, and trust. However, that doesn’t mean they sent it.
Hijacking is such a common problem nowadays that malicious actors can use stolen email accounts to get to you. If the email you have doesn’t sound like your friend, then think twice. Call your friend and ask him if and why he sent that message.
Mails with little more than a link you’re supposed to follow or an attachment you’re supposed to download are always bad news. Do not follow the link, and do not download the file.
8. Beware of strangers
Appearances can be deceiving, so never take people at face value. If a new person arrives out of nowhere into your life or work and it’s too curious about your personal data or other sensitive information, make sure to find out their intentions first. Ask other people about the new person, and get references to ensure they are telling you the truth about who they are.
9. Keep software and security systems up to date
Regularly update all your devices’ software and security systems to stay protected against known vulnerabilities.
Also read: The most secure email providers today
10. Safe device use habits
Your device is the endpoint targeted by attackers with social engineering attacks. A secure device identifies, blocks, or removes these threats before they can do damage.
- Keep your applications and operating system up to date: Software updates provide security patches of the existing software and fix vulnerabilities that hackers can exploit. Devices with updated software cannot be easily infected by socially engineered malware.
- Keep your devices private: Lock all your devices to restrict access by unauthorized persons. Additionally, keep your portable devices with you all the time.
- Use comprehensive security software: Antivirus software is your device’s first line of defense. It is tasked with detecting and removing threats of all kinds from your device. A quality antivirus has a frequently updated threat database that can protect you from even the latest malware.
11. Safe network use habits
A secure network protects all the connected devices. Once a network is compromised, all the connected devices are at risk of an attack. The following habits can help prevent your network against social engineering attacks:
- Secure all the connected devices on your network: Protect all devices in the network because if one device is compromised, the attacker can use the platform to launch attacks on all other devices in the network.
- Use VPN: This is a privacy-enhancement tool that also prevents you from attacks. A quality VPN encrypts your data in a secure tunnel, ensuring no one can intercept your connection. Additionally, a VPN masks your identity online to ensure one can monitor or track your online activities.
- Don’t allow strangers to connect to your main Wi-Fi network: Always have a guest Wi-Fi network to prevent strangers’ eavesdropping on the main network. Your main Wi-Fi network should also be encrypted and secured by a strong password.
12. Safe account management and communication habits
Social engineering attacks are delivered through various communication channels. You should be cautious when engaging strangers in any form of communication to avoid revealing sensitive information. Additionally, you should tweak the settings of all your accounts to set up the most secure environment possible.
- Be cautious with online friends: Social media has many interaction benefits, but scammers are also present. People you meet online could use different identities to convince you to reveal sensitive information. Also, avoid oversharing on social media.
- Avoid sharing personal details such as date of birth: It might seem obvious that people know your birth date or your pet’s name, but you don’t want to announce it to everyone on the internet. Social engineering attackers look for clues they can piece together for a big attack. Additionally, be careful with the security questions you set on your account, and make sure the answer is not in the public domain.
- Use strong passwords and a password manager: Use unique passwords for every account and a quality password manager to help you manage them. Mix upper case, lower case, numbers, and symbols to create a strong password.
- Use multi-factor authentication: This form of authentication uses at least two forms of identity verification before logging in. The factors may include facial recognition, temporary passcodes, or fingerprints you use to verify after entering your password.
- Do not click links on messages and emails: Attackers send malicious links that resemble legitimate URLs through emails and messages. It is recommended to manually type the URL on the address bar regardless of the sender. This way, you can be able to identify some red flags and determine the legitimacy of the URL.
Interesting statistics about social engineering
Social engineering is a cheap and effective way of accessing sensitive information. The most common attacks combine phishing and social engineering, resulting in a lot of monetary and reputation damage. Let’s look at some interesting statistics on social engineering.
- 16% percent of phishing targets fall victim, and after a successful attack, 60% of companies report data loss
- Around 43% of phishing emails impersonate large corporations like Apple.
- In 2021 Google recorded over 2 million websites.
- Social engineering and phishing cause over 70% of data breach attacks
- A single data breach record costs an average of $150
- Phishing was the most common cyber incident in 2020
- 75% of companies were victims of phishing in 2020
- Social engineering is responsible for 98% of attacks
Technical defense against social engineering
Awareness and recognition are the best weapons you have against social engineering attacks. Since this attack relies on the human element rather than on technical expertise, it is essential to fight it from the human position. However, some technical measures will help you stay safe.
- Spam filters. Set them high. If a phishing email doesn’t reach your inbox, it can’t scare you. So make sure that your spam filters are a status possible.
- Delete an email asking for sensitive information. Ignoring it whenever you get such an email is the best way. Please do not answer it. If the email wants you to provide logging credentials, credit card details, or such, do not hesitate to delete them. It’s the safest thing to do.
- Delete emails offering assistance. Suppose you didn’t specifically ask for technical assistance or help of any other kind. In that case, that email is not for you.
- Delete emails asking for help. You undoubtedly know the charities you want to support. Do not let the criminals turn your kindheartedness into a weapon against you.
- Adopt security tools. Firewalls, antivirus software, antispyware, VPNs, and any tool that increases your safety against possible phishing attacks are to your advantage. Use them all if you can.
What do social engineers want?
Social engineers always try to put you out of your wits so you will react quickly and harshly. Understanding what they are looking for is vital to building your awareness. Here’s what they usually chase after:
- Passwords and usernames. Login credentials are never to be shared over emails or the phone. Use them only for their intended purpose, which is to grant you access to networks and web pages.
- Money, fiat, or crypto. Only transfer money if you know the situation or if it suits your previous plans.
- Remote access. Remote access is a standard tool to provide technical assistance, so hackers will use that pretext to get access to your devices. Refrain from granting remote access to anybody, especially new people you don’t know well. Also, use appropriate strategies to secure remote access to your network, even from authorized users.
- Multi-factor authentication. Hackers could be looking for 2FA codes, as they are impossible to bypass using traditional hacker tools against passwords. Never share them. The point of two-factor authentication is to keep you safe. If you give away those codes, you will be beating their purpose.
- Personal information. Personal details are also valuable for social engineers. Things like your full name, the schools you attended, other jobs you’ve had in the past, your children’s names, or your wives. All these things can help them gain credibility in subsequent social engineering attacks. Mind your privacy.
Social engineering attacks and free online content consumption connection
Social engineering attacks and free content consumption on movie sites are not necessarily directly correlated, but there are some ways in which they can be related.
One way these two things can be related is that free movie websites can be used as a tool for social engineering attacks. For example, an attacker may create a fake streaming site similar to a legitimate one and trick users into providing personal information or downloading malware. These attacks fall into the phishing category and can be very effective. Especially when the attacker makes the fake site look convincing.
Additionally, people who use free streaming platforms may be more vulnerable to such attacks since they may be less likely to have up-to-date security software or be as careful about what they click on or download. This can make them easier targets for attackers who use social engineering tactics.
It’s critical to remember that not all free streaming sites are created equal. This is why a reputable, paid streaming service may offer better protection against these attacks.
FAQs
Quid pro quo, pretexting, baiting, piggybacking, and tailgating are common tactics in social engineering attacks.
A social engineer manipulates people to divulge confidential information or perform harmful actions. A typical method to accomplish this is to exploit the trust and emotions of the target. A social engineer may use information or actions obtained through social engineering for various malicious uses. Those include identity theft, financial fraud, and malware spread. The ultimate goal of a social engineering attack is to gain unauthorized access to sensitive information or systems — or to cause harm to individuals or organizations.