Social Engineering: Attack Techniques and Prevention

Social engineering is when a perpetrator employs the art of deception to manipulate a person to divulge privileged information unsuspectingly. Social engineering could also refer to the techniques used to initiate a process that leads to the attacker gaining access to a company’s critical resources.

As long as you are an online user, you may be a target of social engineering at any time, which is why security experts always encourage online users to stay sharp. If you play slots online, for example, you should ensure that you are playing on a trustworthy platform that operates using an appropriate license. Even then, reinforce your account’s security using two-factor or multi-factor authentication to make it more difficult for attackers to get to you. There are many other ways that online users can bolster their security, but before we cover more prevention measures, let’s first look at how the attackers do it.

Launching a successful social engineering attack requires careful planning and a study of human psychology and sociological patterns before the final execution. Social engineers employ several methods to make their attempts succeed. The good news is that all these attacks can be avoided. Some of the most common social engineering attack approaches include:

Phishing

Phishing is the most popular form of social engineering attack because it consistently works. 77% of all social-based hacking is done through email phishing. Other common phishing variants are vishing, where the victim is targeted by voice call, and SMiShing, where text messages are sent to solicit information from a heedless informant. The aim here is to get the target to believe that they are being contacted by a legitimate party and eventually steal their identity or someone else’s. Phishing is typically based on sending out random emails or texts and praying that some naive ‘phish’ bites the hook.

Spear Phishing

Seeing as phishing is the most effective technique, most phishers have tailored their attacks to specific groups of individuals. Such high-level attacks are called spear phishing as they specifically target persons of interest. Some examples of spear-phishing include:

  • Angler Phishing

Here, the attacker uses a spoofed customer service account of a reputable company and targets dissatisfied customers to try to extract critical personal data to be used in a future, more elaborate attack.

  • Business Email Compromise (BEC Phishing):

The perpetrator masquerades as a senior executive in a company and tries to get junior employees to take actions that will lead to the company being defrauded. Ruminating on the potential consequences of denying a senior executive’s request will cause the more junior staff member to act without carrying out any due diligence and end up initiating a wire transfer or disclosing sensitive information.

  • Whaling or CEO Fraud

The phisher goes straight for the ‘big phish,’ who are high-ranking officials such as board members or CEOs. This requires taking the time to study the individuals, even gathering some basic information, usually by scouring social media pages, before striking by sending emails that look as legitimate as possible.

Pretexting

This is a classic strategy where the attacker comes up with a believable story and impersonates a party the victim already trusts, like someone from the IT department or a financial institution the victim uses. Usually, the hacker has already done some research on the target before the first encounter, so establishing trust by including familiar characters and details is a walk in the park. This leads to the target willingly disclosing as much information as possible, based on the pretext’s plot. It may be done via a phone call or in person, which poses the highest risk for the scammer.

Baiting and Quid Pro Quo Attacks

Baiting is done in a very calculated manner as it involves attracting the target’s attention in a way that will make it difficult to resist. The victims, in this case, are usually individuals driven by some form of desire to become rich quickly or to get crazy discounts at convenience stores. In baiting, a promise of a reward or an interestingly titled USB token may make the target take actions that will lead to some severe damage.

On the other hand, Quid Pro Quo promises a prize in exchange for an action or some information. For example, you may have come across links shared in WhatsApp messages prompting you to forward to at least 10 contacts for a chance to win some quick cash. Unfortunately, if you share such links, you have participated in a quid pro quo transaction with the attacker, and if you further click on links, you have taken the bait, exposing your device to malware.

Scareware

While the other methods involve bait or asking nicely, scareware uses fear tactics to create a sense of urgency with the threat of imminent consequences. The aim may be to prompt the user to purchase useless products or unknowingly install malware, thinking that they are solving a security problem. The scam software may be a registry cleaner that promises to benefit the user by helping optimize their PC for free. However, once the user initiates the cleanup process, there will be errors that can only be solved if the victim buys some kind of package.

Preventing Social Engineering Attacks

Most organizations are aware of social engineering attacks and regularly train employees on the different attacks to watch out for. How can anyone protect themselves?

  1. Never share personal data via email or phone call unless you are absolutely sure of the person on the other side. Likewise, don’t just forward information to a reply address without verifying its validity.
  2. Be on the lookout for unsolicited emails or messages that ask for financial details, passwords or such personal data, claiming to be from legitimate sources.
  3. Don’t download any attachments from sources that you are not sure about, however tempting this may be.
  4. Don’t share too much information on social media.
  5. Never install software recommended by random websites claiming to have detected malware on your computer. Websites don’t have information about security issues on your device. Instead, get an antivirus program from a reputable source and keep installing operating system patches as soon as they are available.
  6. Before entering any personal data on a site, make sure it is valid and secure by checking that the URL starts with HTTPS.
  7. Keep on the lookout for browser warnings that will alert you when you visit deceptive sites and take heed.
  8. Secure your user accounts with MFA or 2FA so that if a password accidentally gets leaked, the next level in the security hierarchy stops an attack.
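
A mail-side version of items 1 and 2, added here as an example and not part of the original article: it flags a message whose replies would go to a different domain than the apparent sender, or that asks for the kinds of data listed above. The sample messages, the `example.com`/`example.net` addresses, the keyword list and the function names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); the domains are placeholders.
SAMPLE_BEC = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe@example.net
To: accounts@example.com
Subject: Urgent wire transfer

Please send your password and process the payment today.
"""

SAMPLE_OK = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Are you free at noon?
"""

# Assumed keyword list for the requests the article says to distrust.
SENSITIVE = ("password", "wire transfer", "bank details", "card number")

def domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()

def review_message(raw):
    """Return the reasons a message deserves out-of-band verification."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Item 1: a reply would leave for a domain other than the sender's.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply-to domain differs from sender domain")
    # Item 2: the message asks for financial details or credentials.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [k for k in SENSITIVE if k in text]
    if hits:
        findings.append("asks for: " + ", ".join(hits))
    return findings
```

An empty result does not mean a message is genuine; a non-empty one means the request should be confirmed through a channel you already trust before acting on it.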

Stay safe!