News about people losing money from their bank accounts or a company facing disruption of its business operations has become commonplace in today's world. Social Engineering attacks are playing spoilsport in the lives of people and companies.
Let us understand Social Engineering: what it is, examples, its effects, the types of Social Engineering, and how to prevent Social Engineering attacks.
What is Social Engineering?
Social Engineering is a method used by cybercriminals to manipulate unsuspecting people into compromising their security, transferring money, or revealing sensitive information.
Humans are the weakest link in the cybersecurity process, and Social Engineering attackers exploit the natural human tendency to trust others in order to get people to divulge confidential information.
With defensive techniques becoming more robust by the day, it is more convenient for attackers to use Social Engineering to infiltrate a company's infrastructure or applications. They rely on human error instead of vulnerabilities in infrastructure or application systems. For example, it is easier to trick people into revealing their passwords than to brute-force those passwords.
The attackers may contact their targets by telephone, meet them in person, send SMS messages, or send emails with an attachment that contains malware.
Effects of Social Engineering:
Social Engineering attacks can result in:
- Loss of reputation and money
- Disruption of services
- Loss of sensitive data, and more
Types of Social Engineering:
The different forms of Social Engineering are:
Phishing: This is the most common form of Social Engineering attack, wherein the attacker impersonates a known person, company, or system and sends an email or text message to the victim that creates a sense of urgency, fear, or curiosity.
For example, the victim might receive a mail demanding urgent action on their part to change a password, failing which their subscription to a particular site will be cancelled. The email provides the user with a link to an illegitimate website that looks like the real one, prompting the user to submit their current credentials and a new password. Upon submission, the attacker obtains the credentials.
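The mechanism described above (a link whose visible text or spelling imitates the real site) can be checked for automatically before a message reaches the user. The following is an added example, not code from the original article: it extracts the links from an HTML mail body, flags a host that closely resembles a trusted domain (one-character swaps such as "examp1e.com", or a trusted name buried inside a longer attacker-controlled host), and flags anchor text that displays one URL while the href points somewhere else. The trusted-domain allow-list and the sample mail body are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation legitimately links to (assumption).
TRUSTED_DOMAINS = {"example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; catches single-character look-alike swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def link_findings(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons this link looks like a phishing lure (empty list = nothing found)."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if host and not is_trusted(host, trusted):
        for t in trusted:
            # near-identical spelling, or the trusted name embedded in a longer host
            squashed_host = host.replace(".", "").replace("-", "")
            if edit_distance(host, t) <= 2 or t.replace(".", "") in squashed_host:
                reasons.append(f"host {host!r} imitates trusted domain {t!r}")
    # anchor text that shows a URL whose host differs from where the href really goes
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"visible link {shown.group(1)!r} but href goes to {host!r}")
    return reasons


def analyse_email_html(html, trusted=TRUSTED_DOMAINS):
    """Map each suspicious href in the body to the list of reasons it was flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = link_findings(href, text, trusted)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample of an "act now or lose your subscription" mail body (not a real message).
SAMPLE_EMAIL = """
<p>Your subscription will be cancelled unless you act now.</p>
<a href="http://examp1e.com/reset">https://example.com/reset</a><br>
<a href="http://example.com.secure-login.net/verify">Verify account</a><br>
<a href="https://example.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in analyse_email_html(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The first sample link is flagged twice (look-alike spelling and a visible URL that does not match the href), the second once (the trusted name buried in an unrelated host), and the genuine help-centre link is not flagged. A real mail gateway would add homoglyph normalisation and a proper public-suffix list, but the two checks shown are the ones that catch the pattern the paragraph describes.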
Vishing or voice phishing: Here, the targets are called by the attackers and tricked into revealing sensitive confidential information or directed to a phishing site.
Pretexting: Here, the attacker obtains information by impersonating police, co-workers, or any other person who has the authority to know certain information. Having gained the victim's trust, the attacker pretends to need sensitive data and collects it for malicious use.
Scareware: Here, the victims are fed false alarms and threats, through pop-up banners that appear in the browser while surfing the internet or through spam emails, such as a claim that their system is infected with a virus, prompting them to install software that actually contains malware. The victims may also be directed to a malicious site where their computer becomes infected.
Tailgating: Also called piggybacking, this is where an attacker without proper authorization follows an authorized person into a restricted area to get what they are after.
Honey trap: The potential victim is drawn into a fake relationship by an attacker who pretends to be an attractive person, in order to obtain sensitive information.
Baiting: In the online form, users are enticed with bait such as a free download, which may carry malware or require them to reveal their login credentials.
In the physical form, the attackers leave malware-infected flash drives in places like bathrooms, elevators, etc., where the victims are bound to see them.
The victim, out of curiosity, picks up the authentic-looking bait and uses it on their home or work computer, resulting in malware being installed on their system.
Quid Pro Quo: It means something for something. The attacker usually impersonates IT service personnel, calls the victims, and promises a benefit, usually in the form of a service, in exchange for login credentials.
How to prevent Social Engineering attacks:
These attacks can be mitigated by the following means:
- Do not open email attachments from suspicious sources
- Use multifactor authentication
- Do not be tempted by enticing offers
- Educate users about Social Engineering attacks