Justice Is On Its Way

Social Engineering Explained


Social Engineering

 

What is social engineering?

Social engineering is the name for a broad range of manipulation techniques that exploit human mistakes in order to gain information. In other words, in a social engineering attack, the attacker tricks the target through psychological manipulation.

How does it work?

As mentioned above, most social engineering attacks occur after the attacker has established a line of communication with the victim. Earning trust is key to a successful scheme. To reach their goal, social engineering attackers usually follow four steps that make up the social engineering attack cycle:

 

  • Prepare: Gathering information on the target is the first step. The attacker must gather valuable intel, such as the organizational structure or personal information about the target learned from their social media accounts.
  • Hook: Engaging with the target and establishing a relationship built on trust.
  • Exploit the victim: Executing and advancing the attack.
  • Exit: Disengaging and stopping the interaction.


Types of social engineering

In social engineering, the attacker uses human emotion to trick the target into making a mistake, such as giving access to personal data or giving money to the attacker. It is usually done by emailing or texting, so it doesn’t involve any real conversation.

There are many techniques used in social engineering. Here are a few of the common ones: 

Baiting - the name of this technique is self-explanatory. The attacker leaves bait that he believes you’d take. It is usually a malware-infected physical device, like a USB drive, left in a public place so that it is almost certain to be found and used. Once you use it, the malware is installed on your computer.

Phishing / Spear Phishing / Whaling - all three are similar, but with clear differences. What they have in common is that a malicious attacker, pretending to be a trusted and legitimate institution or individual, tricks the victim by texting or emailing them with an urgent or frightening request. This may eventually result in the victim making a mistake such as clicking on links to malicious websites.

The differences are: 

Phishing is when the attacker doesn’t have a specific target. He just tries to make someone take his bait. Spear phishing is an attack that targets a specific victim. Whaling is similar to spear phishing, only here the attacker targets a high-ranking victim.

Scareware - this type of social engineering technique is based on fear. The attacker scares the target with false alarms that make the target think their computer is infected with malware. The victim is then offered a chance to fix it all by installing software to protect the computer. In reality, however, that software is the attacker’s malware.

Pretexting - this technique is based on pure lying. The attacker pretends to be part of an authorized institution like the police or a bank. Then the attacker tries to get personal information from the victim, disguising it as an attempt to protect the victim.

Quid pro quo - the attacker promises some kind of reward in exchange for personal information. This seems exciting and worthwhile to the victim, since he isn’t giving much but expects to get a lot. However, the attacker gets what he intended, and the victim gets nothing.


How to protect yourself against social engineering?

  • Be wary of emails and attachments from suspicious sources – don’t open them or click on any link if you don’t recognise the sender. And of course, do not respond, not even as a joke, because that only tells the attackers that the email address is valid, and they will keep on sending those malicious emails.
  • Be careful of tempting offers – they are too good to be true.
  • Use strong passwords – never reuse the same password. Each one you have should be unique and combine numbers, varied character types and, of course, symbols.
  • Don’t forget your antivirus software – make sure it is always updated.
