What Is Social Engineering? | Examples & Prevention Tips

Cyber security 06/24/2020 - 13:34 by Swami Nathan

Social engineering is a growing threat, and security teams should watch the activity of each user so they can intervene when necessary, because users are the last line of defence. As an end-user, however, you also have a responsibility to monitor your own behaviour. Here are some tricks and tips to get started.

What is Social Engineering?

Social engineering is the act of tricking others into sharing information or taking an action, usually by means of technology. The idea behind it is to exploit the natural tendencies and emotional reactions of a potential victim.

A typical hacker might look for a vulnerability in software in order to access a computer network. A social engineer, by contrast, might pose as a technical support worker to trick an employee into revealing their login credentials. The fraudster is counting on the employee's willingness to help a colleague, and on their tendency to act first and think later.

How Does Social Engineering Work?

For most social engineering attacks, the first step is to collect information about the target.

For example, if the target is an enterprise, attackers can take advantage of poor OPSEC (operations security) practices to gather online and in-person intelligence on organizational structure, internal operations, industry jargon, third-party vendors and other details exposed through publicly accessible information and social media profiles.

In many cases the first target is a low-level employee whose login credentials can be used to reach internal information, which is then used for spear phishing or other more targeted attacks.

Social engineering attacks expose sensitive information such as social security numbers or credit card numbers, leading to breaches of personally identifiable information (PII) and leaks of protected health information (PHI).

Examples of Social Engineering Attacks

The attacker may adopt any of the disguises mentioned above, but the most popular forms are listed here. Cyber criminals update their methods daily in order to infiltrate your network, so you should be extremely cautious about your online security, and be alert whenever you are asked to hand your private credentials to someone else.

The examples below are variants of one another; there are many others, but these are the most common. Each of them seeks to manipulate you. Social engineering, as the name says, is simply the way an individual can be fooled into giving something up to a person who has gained their trust.

Clickbait Technique

The term clickbait refers to the technique of luring individuals through a deceptive link with an enticing headline. Cyber criminals take advantage of the fact that many legitimate pages use the same tactic to attract readers or viewers.

In this method the attacker sends you enticing ads relating to games, movies and the like. Clickbait is most often seen as tempting ads on peer-to-peer networking systems. If you click on such a link, an executable or malicious program may be installed on your machine, which leads to its compromise.

Sending Content to Download

The intruder sends you files containing songs, videos, games or documents that seem too good to be true. An internet newcomer will think how lucky they are to receive what they wanted without even asking, little knowing that the files they have just downloaded carry malware.

Uninvited Technical Support

Technical support scams are becoming widespread and can have an industry-wide impact. This tactic involves fraudulent attempts to frighten people into believing that something is wrong with their device. The attackers behind the scam try to make money by tricking an individual into paying to fix a problem that never existed.

Offenders usually email or call you offering to fix device problems; mostly they tell you an update is needed. If you are not aware of this trick, you risk falling for it. The attacker may ask you to run a command on your system, which can leave it unresponsive.

This belongs to the branch of social engineering known as scareware. Scareware means bombarding victims with false alarms and fake threats. Users are tricked into thinking that their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is itself malware. Scareware is also referred to as deception software, rogue scanner software and fraudware.

Pretexting

Here an intruder obtains details through a set of cleverly constructed lies. The scam is often initiated by an offender who pretends to need the victim's sensitive information in order to perform a critical task.

Usually the attacker begins by building trust with the victim, impersonating co-workers, police, bank and tax officials, or other persons with right-to-know authority. The pretexter asks questions that are ostensibly necessary to confirm the victim's identity, and through them collects important personal data.

This scam collects all kinds of relevant information and records, such as social security numbers, personal addresses and telephone numbers, telephone records, staff vacation dates, bank records and even physical plant security information.

Phishing Attack

Phishing aims to obtain personal details.

Phishing relies on your trust in others. Attackers may pretend to be a personal friend, a bank, or even a government department. Upon establishing contact, they usually try one of two tactics.

If they pretend to be a friend, they may send an email from your friend's hacked email account, or from one that looks similar. This type of attack succeeds because people are less suspicious of names or individuals they trust.

Others may try to frighten or bully you. The attacker may try to convince you that your computer has a virus and then direct you to a website to download a fix. If you download the program, it loads malware onto your system.

Fake Email from Someone You Know

Another tactic the offender uses is to send you an email from the address of a friend or relative claiming that he or she is in danger. That email account has been hacked, and because you believe the message comes from your friend, you are likely to fall for the attack. The email tells you what information to provide in order to free your contact from the threat.

Tips to Help You Avoid Being a Victim of Social Engineering

What can be done to guard your system against this common form of cybercrime? Here are some tips to help you avoid social engineering attacks.

1. Make sure employees don't repeat passwords

As a rule, our behaviour with passwords is very poor. Passwords are reused across multiple accounts, we use common, easy-to-crack passwords, and once set, we don't change them.

2. Ensure employees do not disclose information relating to business online

Many companies introduce NDAs to prevent workers from sharing sensitive information about the company online, but what people will post on Facebook without a second thought is still unbelievable.

3. Keep software updated

Updates keep your system secure; it is as simple as that. Failure to update your software leaves loopholes through which attackers can crawl in. Threats stemming from social engineering attacks will be harder to defeat if your system is already vulnerable.

4. Keep all equipment and endpoints secure

Cyber security programmes cannot prevent human error, but once an error is known they can deal with the resulting threat quickly. This only works, of course, if you apply best-practice security on all devices and endpoints within your business. This element is in your hands, so make sure you follow these information security guidelines.

5. Educate yourself and all staff about the types of attack

Most of these attacks succeed because employees don't know what to look out for. They are busy and under pressure to deliver, so they don't stop to question a boss's email asking for 'urgent action'; they just do what they're being asked.

6. Check before clicking on a link

Phishing emails often attempt to direct you to a URL, which will usually end up infecting your computer with a virus. If you're not sure whether an email is genuine, here are a few things to check before you click.

  1. Be sceptical of any URL that has a lot of special characters in it.
  2. If the link arrives in an unsolicited email, watch out. For example, if the email looks like it's from your bank, go straight to the bank's website and see whether you can reach the page from there. If not, it is definitely a scam.
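The link checks above, together with the lookalike sender addresses described under "Phishing Attack" and "Fake Email from Someone You Know", can be turned into a small triage script. The following is an added example written for this article; it is not the author's or Teceze's code. The allow-list of trusted domains, the special-character threshold and the sample email are all constructed for illustration, and the output is a list of reasons for a human to verify the message (by going to the real site directly, as tip 6 says), not a verdict.

```python
"""Heuristic link and sender checks for a suspicious email.

Added example, not the article's code. The allow-list, threshold and
sample message below are constructed for illustration only.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation already trusts.
KNOWN_GOOD_DOMAINS = {"examplebank.com", "example.org"}
# Characters that rarely appear in ordinary links but often do in lures.
SPECIAL_CHARS = set("@%!$^&*=+~;,'\"<>{}[]|\\")
SPECIAL_CHAR_LIMIT = 3  # constructed threshold
URL_RE = re.compile(r"https?://[^\s<>\"']+")
FROM_RE = re.compile(r"^From:.*?<([^>\s]+)>|^From:\s*(\S+@\S+)", re.M)
# Digits commonly substituted for letters in lookalike domains.
DIGIT_SWAPS = str.maketrans("01357", "olest")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None."""
    if domain in KNOWN_GOOD_DOMAINS:
        return None
    unswapped = domain.translate(DIGIT_SWAPS)  # examp1ebank -> examplebank
    for trusted in sorted(KNOWN_GOOD_DOMAINS):
        if unswapped == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def check_url(url: str) -> List[str]:
    """Return the reasons a link deserves suspicion (empty list: none found)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if "@" in parsed.netloc:  # https://trusted.example@evil.test/ trick
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        reasons.append("internationalised hostname (possible homograph)")
    specials = sum(c in SPECIAL_CHARS for c in url)
    if specials > SPECIAL_CHAR_LIMIT:
        reasons.append(f"{specials} special characters in the link")
    reg = registrable_domain(host)
    for trusted in sorted(KNOWN_GOOD_DOMAINS):
        if trusted in host and reg != trusted:  # brand used as a subdomain
            reasons.append(f"'{trusted}' embedded in untrusted host {host}")
    imitated = lookalike_of(reg)
    if imitated:
        reasons.append(f"host {host} imitates {imitated}")
    return reasons


def check_sender(address: str) -> Dict[str, Optional[str]]:
    """Flag a sender whose domain imitates a trusted one."""
    domain = registrable_domain(address.rsplit("@", 1)[-1])
    return {"address": address, "imitates": lookalike_of(domain)}


def analyse_email(raw: str) -> dict:
    """Run the sender and link checks over a raw email text."""
    m = FROM_RE.search(raw)
    sender = (m.group(1) or m.group(2)) if m else ""
    return {
        "sender": check_sender(sender),
        "links": {url: check_url(url) for url in URL_RE.findall(raw)},
    }


# Constructed sample: a lure imitating a bank, not a real message.
SAMPLE_EMAIL = """From: "Example Bank Alerts" <security@examp1ebank.com>
Subject: Urgent action required on your account

Your account has been locked. Verify now:
https://examplebank.com.verify-login.example.net/auth?user=%40you&token=a!b$c
Or call support at http://192.0.2.10/support
Regular statement: https://www.examplebank.com/statements
"""

if __name__ == "__main__":
    report = analyse_email(SAMPLE_EMAIL)
    print("sender:", report["sender"])
    for url, reasons in report["links"].items():
        print(url, "->", reasons or "no findings")
```

On the constructed sample the sender is flagged as imitating the bank's domain, the first link is flagged for the trusted name buried in an untrusted host and for its special characters, the raw-IP link is flagged twice, and the genuine statement link produces no findings. The "last two labels" domain approximation is deliberately simple; a real deployment would use a public-suffix list.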

7. Never give away sensitive information

Phishing emails and scam calls often attempt to persuade victims to reveal confidential information. Your workers need to know that this is never a good idea.

You may need to develop the organization’s policy on how confidential data is treated.

How Can Teceze Help You Avoid Data Breaches and Leaks?

Teceze is an expert in preventing data breaches. Teceze can prevent data breaches and data leaks, help you avoid regulatory fines and protect the confidence of your customers through cyber security ratings and continuous detection of exposures. We will also monitor your organization's exposure to phishing.

Teceze Vendor Risk can minimise the time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring the security posture of your vendors over time while benchmarking them against their industry.

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

Social engineering is a growing threat, and security teams should keep watch over the activity of each user so they can step in at the users' last line of defence.