Social Engineering 101
Welcome to our series of blog posts dedicated to Cybersecurity Awareness Month! This month, we will update you with the latest security news, share some tips and tricks as well as a special announcement about our very own Cybersecurity Techxpo on October 23, 2018 here in NYC. Stay tuned!
Social engineering is the art and science of manipulating people into giving up confidential information or taking actions that benefit the attacker. Social engineers take advantage of the weakest link in security: humans.
Social engineering has less to do with technical weaknesses and more to do with emotional responses. For instance, a technical hacker would look for vulnerabilities in the network or software. A social engineer, on the other hand, would exploit the end user’s tendency to trust, posing as an authoritative or familiar figure in order to obtain the information. Before you know it, you might have handed the hacker thousands of dollars, thinking you were transferring it to Stacey from Accounting.
Given the rapid growth of social engineering and the lack of user awareness today, it is extremely important for businesses to be aware of it and to put security protocols in place to prevent such disasters from happening. But first, let’s look at the types of social engineering attacks that hackers employ.
The types of social engineering attacks
1. Phishing
Phishing is the most common type of social engineering attack. Imagine going fishing, with the attacker as the fisherman and the end user as the fish. The bait is dangling in front of the end user, waiting for them to take action. Despite its infamy, it remains quite successful.
Typically, the hacker sends an email or a text to an unsuspecting target to seek information. The message appears, to the victim, to come from a trusted source such as a bank or a business partner. The message prompts the user to click on a link to log into their account. The user is then taken to a fake website, and if they log in to that website, they effectively hand over their credentials to the attacker. The visible text of the link and the address it actually points to are often not the same, which is why hovering over a link before clicking is one of the simplest checks a user can make.
2. Spear Phishing
Where phishing targets users at large scale, spear phishing is its targeted subset. Similar to phishing by nature, spear phishing employs more sophisticated information gathering techniques to target a very specific set of users (the “spear”). Because the hacker does due diligence in learning about these users, this attack has a higher success rate than phishing.
3. Vishing
Yet another subset of phishing, but this time by voice. Typically, the attacker uses the phone to trick users into handing over information. Attackers can recreate the IVR (Interactive Voice Response) system of a trusted company, attach it to a toll-free number and trick people into responding to the prompts and entering their details.
4. Pretexting
Pretexting is all about storytelling. Many of us have, at one point, received a sobbing message from a distant friend who is distraught and in dire need of a money transfer. Many of us have fallen for that sob story and sent the attackers money instead. Attackers impersonate someone we know, or an authoritative figure, in order to extract information and financial gains from the victims. It is probably not a good idea to respond to an email titled “URGENT!!!!!!” that seems to come from your CEO but is full of spelling mistakes.
5. Baiting
Remember the Trojan horse of Troy? Baiting is similar: hiding something malicious inside a seemingly harmless carrier. For instance, attackers might leave infected USB drives in public with files titled “Bonus” or “Private Information” in the hope that someone naive will plug one into their device. More recently, these baits can be found on the Internet, disguised as download links.
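The phishing and pretexting sections above list the usual tells: a link whose visible text does not match where it really points, a lookalike (punycode) domain, a sender outside the company claiming an executive title, a Reply-To that differs from the From address, and an urgent subject line. The script below is an added example that is not part of the original post and not an MDS product: it parses a constructed sample email and reports which of those indicators fire. The indicator names, the urgency word list, the sample addresses (example-corp.com, example-corp-mail.net) and the two-label approximation of the registrable domain are all assumptions made for illustration.

```python
"""Triage heuristics for a suspected phishing / pretexting email (added example).

Parses a raw email, pulls links out of the HTML body and scores a few
classic social-engineering indicators. The indicator names, word list and
sample messages are assumptions chosen for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = {"urgent", "immediately", "asap", "wire", "overdue", "suspended"}
AUTHORITY_TITLES = ("ceo", "cfo", "director")

# Constructed sample: a "CEO" on an outside domain asks for a wire and links a lookalike login page.
SAMPLE_EMAIL = """From: "CEO Stacey Miller" <stacey.miller@example-corp-mail.net>
Reply-To: ceo-office@example-corp-mail.net
To: finance@example-corp.com
Subject: URGENT!!!!!! wire needed before 5pm
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pls proccess this transfer immediatly. Log in here first:</p>
<p><a href="http://secure-login.xn--exmple-corp-8kb.com/account">https://bank.example-corp.com/login</a></p>
</body></html>
"""

# Constructed benign sample for comparison: internal sender, link text and target agree.
BENIGN_EMAIL = """From: "Stacey Miller" <stacey.miller@example-corp.com>
To: finance@example-corp.com
Subject: Q3 invoice schedule
Content-Type: text/html; charset=utf-8

<html><body><p>Schedule is on the intranet:
<a href="https://intranet.example-corp.com/finance/q3">https://intranet.example-corp.com/finance/q3</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    return parser.links


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_email, trusted_domain):
    """Return the names of the indicators that fired for this message."""
    msg = message_from_string(raw_email)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if from_domain != trusted_domain:
        findings.append("sender-domain-not-trusted")
        if any(title in display.lower() for title in AUTHORITY_TITLES):
            findings.append("authority-title-on-external-sender")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")

    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in URGENCY_WORDS) or subject.count("!") >= 3:
        findings.append("urgency-in-subject")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in extract_links(body):
        target = urlparse(href)
        href_host = target.hostname or ""
        if href_host.startswith("xn--") or ".xn--" in href_host:
            findings.append("punycode-link-host")
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append("link-text-domain-mismatch")
        if target.scheme == "http" and "login" in href.lower():
            findings.append("plaintext-login-link")
    return findings


if __name__ == "__main__":
    print("suspicious:", triage(SAMPLE_EMAIL, "example-corp.com"))
    print("benign:", triage(BENIGN_EMAIL, "example-corp.com"))
```

None of these checks is proof on its own (a legitimate partner really may email from another domain), which is why the script reports every indicator rather than a single verdict; a message that lights up several at once is the one to escalate rather than act on.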
6. Quid Pro Quo
Disguising the attack as a favor is another method attackers employ. Attackers pose as technical support and call up employees claiming to be following up on an issue. Would you be more likely to give someone on the phone your credentials if they were Tech Support helping you with a productivity problem?
Quid pro quo also involves an exchange of something with the victim, like a gift or money for information.
7. Tailgating
Another type of attack is using an actually authorized person to get into restricted areas. It can be as simple as following closely behind them through a secured door.
These are the most common types of social engineering attacks. In the next blog post, we will discuss how to protect yourself against such attacks.
Don’t wait until sensitive data is already in the sticky hands of hackers to react to a breach. Stay proactive with MDS and work with us to build out a custom, company-wide security protocol that is effective and easy to maintain.