What is Social Engineering?
Unlocking the power of persuasion and the allure of deception, social engineering has emerged as a formidable threat in the digital age, enticing cybercriminals and captivating security experts. So, what exactly is social engineering?
Social engineering refers to obtaining personal information, such as passwords and financial details, in order to gain control over a computer system by persuading, deceiving, or manipulating a victim. Social engineers use psychological manipulation to trick their victims into making security mistakes, such as giving away sensitive information.
In this article, we will explain how social engineering occurs, outline the different types of social engineering attacks, and show how to prevent them.
How does Social Engineering Happen?
Social engineers first investigate a potential victim to obtain the background information needed to proceed with the attack, including potential points of entry and weaknesses in security procedures. The attacker then uses a form of pretexting, such as impersonation, to gain the victim’s trust and induce subsequent actions that do not adhere to security practices, such as granting access to critical resources or giving away sensitive information.
Types of Social Engineering Attacks
There are many different types of social engineering attacks, because they can be carried out wherever human interaction is involved. The most common forms of social engineering attacks are: Phishing, Baiting, Tailgating, Scareware, Dumpster Diving, and Quid Pro Quo.
Phishing
Phishing refers to the acquisition of sensitive information by impersonating a trustworthy party, such as a bank, service provider, government agency, or even a family member. These attempts can come in multiple forms, such as emails, text messages, or phone calls. The messages induce a sense of urgency, curiosity, or fear in the victim, prompting them to reveal sensitive information, open links to malicious websites, or open attachments that contain malware.
Baiting
Social engineers use false promises to lure victims into a trap, which may steal personal and financial information or infect computer systems with malware. The most common form of baiting uses physical media, such as hard disks and thumb drives, to spread malware. These malware-infected devices are left in conspicuous areas where potential victims will notice them. When the device is plugged in, the malware installs itself on the system. Online baiting scams take the form of advertisements that tempt the victim to click on them, leading them to malicious sites or coaxing them into downloading malware-infected applications.
Tailgating
Tailgating is a physical breach in which the perpetrator uses manipulation to make their way into restricted areas. For example, a perpetrator disguised as a delivery driver is let into a restricted office when an employee holds the door open for them, granting them access to the building. This tactic is also known as “piggybacking”.
Scareware
Scareware involves bombarding victims with false alarms and threats, such as their devices being corrupted or infected with malware. This prompts them to install software that grants remote access for the attacker. Victims may also be required to pay the attacker, most commonly in the form of bitcoin, to preserve personal items the attacker claims to have, such as personal photos or videos.
Dumpster Diving
As the name suggests, this attack occurs when attackers search through garbage for sensitive information that was discarded without being properly destroyed or erased.
Quid Pro Quo
This attack occurs when the attacker requests sensitive information or money in exchange for a service. For example, an attacker posing as an IT expert may offer IT services in exchange for login details. Never accept an offer that sounds too good to be true, as it is most likely a scam.
How to Prevent Social Engineering Attacks
How do we avoid becoming a victim, given the multitude of social engineering attacks, which will conceivably grow over time? The simplest answer is not to trust anything online, but we do not need to take such an extreme, paranoid position. There are several common-sense practices we should adopt to stay safe on the Internet.
Never open email attachments from suspicious sources
Even if an email appears to come from someone you know, if the message header appears suspicious, do not open it. When in doubt, contact the person directly.
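One concrete way to act on the “suspicious header” advice is to compare the visible From address with the headers that reveal where replies and bounces actually go, and to check the mail server’s authentication verdict. The script below is an added example, not code from the original article; the message it inspects is a constructed sample, and the domains in it are placeholders.

```python
"""Added example: flag common phishing indicators in a raw e-mail header block."""
import email
from email.utils import parseaddr

# Constructed sample message: the display name claims to be a bank, but the
# Reply-To and Return-Path point to an unrelated domain and SPF failed.
SAMPLE_RAW = """From: "Example Bank Support" <support@examplebank.test>
Reply-To: refunds@mail-collector.invalid
Return-Path: <bounce@mail-collector.invalid>
Authentication-Results: mx.test; spf=fail smtp.mailfrom=mail-collector.invalid; dkim=none
Subject: URGENT: your account will be suspended in 24 hours
To: victim@example.test

Click here to verify your account immediately.
"""

# Phrases that typically signal the urgency pressure described above.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


def domain_of(header_value):
    """Return the lowercase domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_warnings(raw_message):
    """Return a list of human-readable warnings found in the header block."""
    msg = email.message_from_string(raw_message)
    warnings = []
    from_dom = domain_of(msg["From"])
    # Reply-To / Return-Path pointing elsewhere is a classic impersonation sign.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            warnings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    # The receiving server records SPF/DKIM results in Authentication-Results.
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        warnings.append("sender authentication (SPF/DKIM) failed")
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        warnings.append("urgency language in subject: " + ", ".join(hits))
    return warnings


if __name__ == "__main__":
    for warning in header_warnings(SAMPLE_RAW):
        print("WARNING:", warning)
```

A message that trips none of these checks can still be phishing; the checks only automate the first look that the advice above recommends before contacting the sender directly.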
Use Multi-Factor Authentication (MFA)
User credentials are among the pieces of information most sought after by attackers. MFA adds an extra layer of security to your confidential information and protects your account in the event of an attempted attack.
Beware of tempting offers
An offer that seems too good to be true should not be trusted. Verify whether the offer is genuine through other independent sources, such as looking up the topic using a search engine.
Clean up your social media accounts
Social engineers comb through the internet to search for any information they can find on a person. Posting too much information about yourself can leave you vulnerable to phishing scams.
Install and update antivirus and other software
Ensure that automatic updates are turned on for your antivirus application and all other software. Periodically check that the updates have actually been applied, and scan your devices regularly (even daily, if practical) for infections.
Back up data regularly
Backing up your critical data is highly important. A cyber attack is likely to leave your hard drive corrupted and inaccessible. Backing up your data to an external hard drive or to the cloud keeps your critical data accessible without interruption.
Do not plug in an unknown USB to your computer
If you discover an unattended USB drive, do not use it, as it may be infected with malware. It may even give an attacker remote control of your device. Disabling autorun on your device is also recommended.
Destroy sensitive documents regularly
Documents containing sensitive information, such as bank statements, should be physically destroyed so they cannot be recovered by dumpster diving. Shredding or incinerating such documents regularly will prevent you from becoming a victim.
Conclusion
Social engineering can happen to anyone. Even the smartest and most IT-savvy people are not immune. While we cannot stop cyber criminals from carrying out social engineering attacks, awareness of the best practices for preventing them will go a long way towards countering them. Everyone can play a part in sharing and spreading these best practices so that there will be fewer victims of social engineering attacks.