What is Social Engineering?
Social engineering is the art of manipulating people to obtain confidential information. It is a sophisticated attack in which hackers exploit your empathy and sympathy to gain your trust and, ultimately, undue access to a system. The information these criminals seek ranges from your official system or email password to your personal email, bank details, social media details, etc. Sometimes they also ask you to install software that gives them access to your computer or phone and enables them to capture passwords and other account information.
3 Types of Social Engineering Tactics
1. In-person
36 percent of breaches stem from inadvertent misuse of data by employees. [1]
- Open door – Leaving a door open that gives any outsider access to data.
- Technician – Someone pretends to be a cable guy or service technician and tries to gain access.
- Neuro-linguistic Programming – Trying to build a connection at the subconscious level.
- Open access – When you leave your computer unattended and someone uses it in your absence.
- Bar Hopping – Trying to extract information from you when you are drunk.
- Baiting – A device such as a flash drive or CD is deliberately left by the attacker so that the recipient inserts it into his/her system. This way the malicious software gets downloaded onto the system.
- Rogue employee – A malicious employee who wants to gain access to the application.
- Social practices – Someone learns your social behaviour and uses social relations to gain your trust.
2. Digital Communication
Phishing is a common type of social engineering attack; 83% of all companies reported being affected by phishing attacks in 2018. [2]
- Phishing – An attack in which the attacker poses as a reputable entity or person in an email or through other communication channels.
- Pretexting – Malware sent through an email that looks trustworthy and appears to be sent from a known identity from that domain.
- Reverse engineering – The attacker executes a minor attack to expose a vulnerability and then calls back offering a paid service to fix the problem.
- Social media phishing – A social media account imitating a trusted brand is created, and the attacker shares links to software that carries malware and persuades you to download it.
- Friendly emails – Someone sends an email that appears to come from a known person, such as a friend or colleague, and asks you to download an attachment or share confidential information.
- Typosquatting – The attacker creates a website whose name resembles the brand name of another product, a difference the user often overlooks.
- Empathy and sympathy – The attacker makes use of an incident leading to national loss, such as a natural calamity, and sends links to a malicious website asking people to donate.
3. Phone
The number of attacks using malicious mobile software nearly doubled in 2018, with 116.5 million attacks compared to 66.4 million in 2017. [2]
- Vishing – An attacker calls or texts while pretending to be a legitimate banker or other person and asks you to share confidential information such as credit card details, bank account details, email login, etc.
- Empathy and sympathy – Messages or links are sent asking people to donate to a noble cause.
- Fear – The attacker calls in a state of anger, in the voice of a known person, especially a senior manager, and tries to control the actions of the receiver so that he/she shares confidential information.
- Panic – A message is sent to create panic and disturb the receiver so that he/she shares the required details.
Remember that a social engineering attack is the process of someone getting you to think and act based on their actions. Much like any other cyberattack, a social engineering attack can also be avoided!
For more on this, keep an eye out for part two of the “Art of Manipulation” series by EC-Council University.
Sources:
[1] https://www.csoonline.com/article/2134056/report-indicates-insider-threats-leading-cause-of-data-breaches-in-last-12-months.html
[2] https://www.proofpoint.com/us/corporate-blog/post/2019-state-phish-report-attack-rates-rise-account-compromise-soars