What is Social Engineering and How to Spot it
Social engineering is a term used to describe a range of malicious activities that exploit human psychology to gain access to sensitive information, manipulate people into taking certain actions, or compromise security systems. It’s essentially a form of psychological manipulation that cybercriminals use to deceive individuals or organizations and obtain confidential information or access to computer systems. There are many forms of social engineering attacks.
Here are some common forms of social engineering:
Phishing:
Phishing is one of the most common social engineering techniques. It involves sending fraudulent emails or messages that appear to be from a legitimate source, such as a bank, a trusted organization, or a coworker. These messages typically contain links or attachments that, when clicked or opened, can lead to the theft of login credentials or the installation of malware.
Pretexting:
Pretexting involves creating a fabricated scenario or pretext to obtain personal information from someone. For example, a pretexter might pose as a bank employee and call a target to request sensitive financial information under the guise of a routine account verification process.
Baiting:
Baiting usually involves offering something enticing, such as a free software download or a video, which is infected with malware. Users are tricked into downloading the malicious content, which can compromise their devices or steal their data.
Shoulder Surfing:
This is when someone looks over your shoulder to view confidential information such as passwords, passcodes, PINs, etc.
Tailgating:
This technique involves physically following an authorized person into a restricted area, like an office or data center, by closely trailing behind them without proper authorization. Tailgating takes advantage of a person’s natural inclination to hold doors open for others.
Impersonation:
Cybercriminals may impersonate someone else, often a trusted figure, to manipulate victims. This could be an executive within a company or a colleague. The goal is to trick individuals into revealing sensitive information or carrying out specific actions.
Spear Phishing:
Spear phishing is a targeted form of phishing where the attacker customizes their approach for a specific individual or organization. They gather information about the target, such as their interests or job responsibilities, to create more convincing and personalized messages.
Vishing:
Vishing is voice-based phishing. Attackers use phone calls or VoIP systems to impersonate legitimate organizations or individuals and trick people into revealing personal information or taking specific actions.
Smishing:
A human-based attack in which the threat actor extracts information using SMS text messages.
Scareware:
Scareware is when the victim is made to feel threatened by false alarms or fake threats.
It is usually malware or virus related: a message claims you have been infected, and to fix it you must download a particular piece of software. The trouble is that the downloaded "fix" is the actual point of infection.
Whaling:
Threat actors target wealthy individuals or organizations.
Pharming:
Threat actors set up fake websites that look like genuine, reputable company websites, with almost identical website addresses, in the hope that the victim arrives at the site via a typo or a spoofed link.
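As an added illustration of the "almost identical website addresses" described above (example code written for this article, not from the original post), the following Python checks the host in a link against an allowlist of genuine domains and flags typo-squatted or homoglyph look-alikes, as well as a real brand name smuggled into a subdomain. The allowlist, the substitution table and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of genuine brand domains for this example.
KNOWN_GOOD = {"amazon.com", "microsoft.com", "paypal.com"}

# Look-alike characters that typo-squatters swap into a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def normalize(label):
    """Fold common visual substitutions so 'paypa1' and 'arnazon' read as 'paypal' and 'amazon'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a link."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: last two labels (no public-suffix list)
    if registrable in KNOWN_GOOD:
        return "trusted"
    brand = normalize(labels[-2]) if len(labels) >= 2 else normalize(host)
    for good in KNOWN_GOOD:
        good_brand = good.split(".")[0]
        # Genuine name placed in a subdomain, e.g. amazon.com.delivery-update.test
        if good in host or good_brand in labels[:-2]:
            return "lookalike"
        # One edit or a homoglyph swap away from the real brand name
        if edit_distance(brand, good_brand) <= 1:
            return "lookalike"
    return "unknown"
```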
Vulnerabilities
- Human Nature
- Ignorance
- Fear
- Greed
- Moral Obligation
Key Stages to a Social Engineering Attack
- Research
- Select Target
- Develop Relationship
- Exploit Relationship
Twitter fell prey to a social engineering attack. There was no real hacking involved, just people's weaknesses exploited.
Some Examples
- You’re taking a break from your company work in the smoking area and are approached by someone asking you to connect a flash drive to your computer when you return to work.
- A delivery driver carrying heavy boxes asks you to let him into the building; you’re kind and feel obliged to help him.
- You pick up a flash drive in the car park and insert it into your work PC to see what it contains.
- You’re at home and receive a telephone call from the Microsoft IT department claiming your system is reporting multiple problems.
- Your social media friend asks you personal questions; you have never met this person but have been friends online for some time.
- You receive a text from a family member claiming to have a new number.
- This one is my favorite. You receive an email from a Nigerian Prince claiming you’re the heir to a vast fortune.
- You receive an email claiming your Amazon parcel couldn’t be delivered because no one was home, but you never ordered anything.
These are all clear indicators of a social engineering attack. You must always verify who you are dealing with, no matter what.
Conclusion
Social engineering attacks are effective because they exploit human vulnerabilities, such as trust, curiosity, and a willingness to help others. To protect yourself or your organization from social engineering attacks, it’s crucial to be cautious and vigilant. Educating employees about these techniques, implementing security policies, and using security tools like firewalls, antivirus software, and multi-factor authentication can help mitigate the risks associated with social engineering.
That’s All Folks!