Social engineering (SE) sounds like some kind of futuristic, scientific experiment, but the core of it is very simple to understand. Social engineering is the art and skill of psychologically manipulating people to take a certain course of action or share some type of information. Social engineering can take place online or offline, but online SE has been running especially rampant over the past decade. Depending on the skill of the engineer and what he seeks to gain, the SE scam can either require inciting the victim to take quick, impulsive action, or it may involve gaining the confidence of the victim first. It can also either be a quick and simple one-time attack, or it can occur in elaborate stages over an extended period of time in the case of confidence schemes.

For instance, in a multi-stage SE campaign, a thief will start off with some reconnaissance: determining the kinds of victims he wants to target, narrowing down a list of specific targets, and researching them to learn as much about their personal lives as possible. Such information may include where they live, their hobbies, and people they interact with every day. Then he will engage with the victim in the second stage through a typical channel like a phone call or email; this may involve pulling from research to concoct a plausible story that involves one of their friends. In the third stage, he’ll go for the acquisition by escalating the story with a fabricated incident like an emergency that requires money immediately, or he’ll convince the person to share credentials that give him immediate access to a portal or account from which he can steal money or sensitive data. The scam then comes to an end in the final stage with some kind of believable explanation, such as “the issue has been resolved,” or “an account is being transferred elsewhere.” The victim will naturally believe this closing explanation and not bother to look into it further unless and until something suspicious surfaces down the road. By then, the thief will be long gone or will have covered his trail.

What can you do as a user to avoid falling into such a trap?
The first step is to be aware of the different types of social engineering plots out there that thieves employ to strike their victims. From there, you need to keep some key tips in mind on how to thwart these attacks that could be costly to your personal and/or professional life. Here’s an overview of the different forms of social engineering and suggestions on how to prevent SE attacks.
Types of SE
Baiting in SE is much like baiting in everyday life. It involves enticing the victim with something appealing to reel them into a vulnerable scenario that allows the thief to obtain sensitive information or to plant a malicious tool like malware to steal something from the victim.

In the online world, baiting is usually carried out through advertisements on a web page or posts on a social media site that offer something like a free movie download or product discount when you click on a provided link. On mobile devices, baiting may also take the form of a browser pop-up message saying “Congratulations! You’ve won a free iPhone! Click here to claim your reward!” Once the victim has been successfully lured to the site, he will either download a fake movie that is actually malware that will infect his computer, or he will make a purchase for the product that was in the ad but will never receive it.

Digital baiting can even take a simple approach that starts in the offline world. For instance, hackers may put up a fake display promoting a movie subscription service, offering free copies of a movie on USB flash drives. This kind of display might be sneakily set up in conspicuous places like hotel lobbies or stores where unsuspecting passersby will not even doubt that the display and flash drives are legit. But once they take these drives home and open them on their devices, the flash drive will automatically install malware on their devices.

Baiting truly relies on the curiosity or greediness of victims to draw them in. Therefore, baiting tactics typically utilize eye-catching colors and lines like “Download Instantly!” but with the look of authenticity, using logos or “as seen on TV” labels to get victims to trust a baiting ad enough to respond with action.
Probably the most infamous form of SE, phishing is an attempt to acquire valuable information that can be used to access sources of even more information, usually sensitive data, or money. Phishing campaigns are typically launched through email messages, which appear to be from legitimate or familiar entities such as banks or online marketplaces, and the emails ask the recipient to log in to their account to update some information. However, if the user falls for the trap and visits the fraudulent site and “logs in,” he has just handed over his account credentials to the thief, who then uses these credentials to log in to the real bank account or ecommerce site to steal money or make purchases with stored credit card information. Phishing is especially deceptive because the fake email will look almost identical to the emails the victim receives from the real place of business, presenting the exact same font, formatting, logos, etc. But recipients of the emails who look closely enough may notice some red flags, like URLs that do not match those of the real entity, or gross misspellings in the messages.
Crafty cyber thieves who want to launch high-level attacks go for spear phishing, a specialized form of phishing that targets a specific individual or entity like a business corporation, as opposed to regular phishing schemes that go out indiscriminately en masse to people. This scam is much more elaborate because it requires preliminary research on the individual, the company he works for, or known associates he may have. In spear phishing, a message appearing to be from a familiar person or department like an IT technician or HR department is sent to an individual. Using familiar company or industry jargon and alluding to outstanding issues or topics the recipient is aware of, the message will ask the victim to update his password in the company’s online portal, or download some kind of corporate-approved anti-virus program on his computer by a certain deadline. Unbeknownst to the recipient, however, the link that takes him to the portal is actually a fake that will capture his corporate account credentials, or the anti-virus program he downloads is actually malware that will infect his computer with spyware. By obtaining sensitive information this way, spear phishers can infiltrate an entire organization by using the credentials or infected computer of one employee to glean more valuable data from corporate networks and websites, like corporate credit card information and databases full of proprietary information like trade secrets. Spear phishing is often a long-term effort that can span weeks, months, or longer.
Pretexting differs in certain ways from phishing in that it directly asks the victim for specific types of information or money, as opposed to tricking him into logging into a false account or downloading a program from which the thief indirectly obtains what he is seeking. In a pretext scheme, the perpetrator may call or email the victim, posing as a representative from an authority like a police station or state health department. They may also claim to be a representative for a charity or a friend of someone the victim knows. The caller or email will usually create a sense of urgency by saying that a sick child will die if a financial donation is not made for medical care, a past due balance will result in a lawsuit if not paid right away, or some personal records are not complete and require the victim to send or verify his social security number.

Pretexting also operates by gaining the trust of victims, usually achieving this by giving the impression of authority with badge numbers or referencing certain laws, or confirming details about the victim the scammer obtained through background research. In addition, pretext thieves may also try to pressure victims into taking quick action so that they don’t have time to think or check the validity of the call or message.
Scareware operates similarly to baiting in that it works by catching the eye of targets. However, where it differs is that it uses fear to drive victims to action instead of something attractive. Scareware can consist of advertisements or pop-up messages on web pages alerting you of malware present on your computer that can be removed by clicking on the ad’s link. Spam emails may also contain scareware advising users to immediately protect their identities or computers by purchasing a security service subscription using a provided link.

Similar to baiting and phishing, the ultimate goal of scareware is to trick users into purchasing a fake product to steal their money, or leading them to download malware disguised as anti-virus protection to capture sensitive information and transactions performed on their computers.
How to Avoid Social Engineering Attacks
No Matter What, Proceed Slowly
Particularly in scams that create a sense of urgency or make threats, scammers count on their victims to react impulsively without thinking first or noticing any subtle details that are usually red flags. Even if an authentic-appearing email seems pressing, re-read the entire message from beginning to end. Also, double-check some details by doing a quick Google search or contacting the apparent sender of the email to confirm if it was really him or her who sent you the message.
Beware of Red Flags and Reply Only to Trusted Sources
As you proceed with caution through your email inbox, if the subject line of a message is even slightly suspicious, don’t trust it; delete it. If you do open an unfamiliar email, watch out for obvious red flags, like offers that are too good to be true and sob stories from charities or random people saying that they need money right away and have no one else to help them. Any messages purporting to come from businesses asking for personal or account information are definitely telltale signs of a scam.
Make it harder for thieves to break into your accounts by requiring multi-factor authentication for logins. Login credentials are hot commodities in the cyber theft world, so they are prime targets for thieves. But with multi-factor authentication that requires verification with randomly-generated, time-sensitive codes, the thieves’ efforts to break into your account with only a password can be rendered useless.
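To show why a stolen password alone is not enough once time-sensitive codes are required, here is an added example (not from the original article) of a login check using TOTP as specified in RFC 6238, one common scheme for such codes. The account record, its field names, and the `login` function are hypothetical; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the current 30-second counter, truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    """Salted, slow password hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account, password, code, now, window=1):
    """Succeed only if the password AND a code valid for the current time match."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["password_hash"]):
        return False
    if not code:
        return False                             # password alone is never enough
    # Accept the current step and `window` steps either side for clock drift.
    for drift in range(-window, window + 1):
        expected = totp(account["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False

# Constructed account record (hypothetical field names); RFC 6238 test secret.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "password_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",
}
```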
Keep Security Protection Up to Date
One of the best ways to ward off online perpetrators is to stay steps ahead of them with preventative measures like anti-virus protection. But anti-virus programs can’t be fully effective if they’re not updated with things like fixes for software vulnerabilities or safeguards against new types of attacks. Always check the status of your anti-virus application to make sure it stays current.
Arm Yourself with Knowledge
Social engineering, unfortunately, is a vast area of cyber theft that may become more sophisticated and stealthy as technology advances. If you would like to develop a deeper understanding of SE and how it works, start with the catalog of cyber security courses