Before we get started with the different types of social engineering, let's cover some basics.
What is social engineering?
The term "social engineering" covers a broad range of malicious activity carried out through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Social engineering attacks are carried out in a series of steps. The attacker first researches the intended victim to gather the background information needed for the attack, such as likely points of entry and weak security practices. The attacker then works to gain the victim's trust and supplies a pretext for actions that break security practice, such as disclosing sensitive information or granting access to critical systems.
Different Types of Social Engineering in cyber security
- Phishing
Phishing is a social engineering technique in which an attacker sends fraudulent emails that appear to come from a credible, trusted source in order to obtain sensitive information. For example, a social engineer might send an email that appears to come from a customer success manager at your bank. The message claims to have important information about your account and asks you to reply with your full name, date of birth, social security number and account number so that the sender can "verify your identity". The person who sent the email is not a bank employee; it is someone trying to steal confidential information. A legitimate bank already holds this data and will not ask you to send it by email.
Phishing generally casts a wide net, sending the same message to as many people as possible. There are, however, varieties of phishing aimed at specific individuals.
- Spear phishing
Spear phishing is a targeted form of email phishing aimed at specific individuals. In a spear phishing attack, the social engineer has done their research and has a particular user in mind. By going through the target's public social media accounts and searching for them online, the attacker can craft a convincing, tailored message. For example, suppose a person frequently posts on social media that she is a member of a particular gym. The attacker can then send her a spear phishing email that appears to come from that gym. Because she recognizes the gym as the apparent sender, she is far more likely to fall for it.
- Whaling
Whaling is another type of targeted phishing. Rather than targeting ordinary users, social engineers concentrate on high-value targets such as CEOs and CFOs. Whaling gets its name from going after the so-called "big fish" in an organization.
- Baiting
Baiting attacks, as the name implies, use a false promise to exploit a victim's greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
The most notorious form of baiting uses physical media to spread malware. A typical example is leaving the bait, usually a malware-infected USB flash drive, in a conspicuous place where potential victims are sure to see it, such as a bathroom, an elevator or the parking lot of the targeted company. The bait is given an authentic appearance, for instance a label presenting it as the company's payroll list.
Victims pick up the bait out of curiosity and plug it into a computer at work or at home, which installs malware on the system. Current operating systems no longer run programs from removable media automatically, so in practice the infection usually depends on the victim opening a file on the drive, or on the device being a malicious USB device that presents itself as a keyboard and types commands once it is connected.
Baiting does not have to take place in the physical world. Online, it takes the form of enticing advertisements that lead to malicious websites or encourage users to download a malware-infected application.
- Scareware
Scareware bombards users with false alarms and fake threats. Users are led to believe their system is infected with malware and are prompted to install software that either has no real function (other than benefiting the attacker) or is itself malware. Scareware is also known as deception software, rogue scanner software and fraudware.
A common form of scareware is the legitimate-looking pop-up that appears in your browser while you are browsing the web, with text such as "Your computer may be infected with harmful spyware programs." It either offers to install a "clean-up" tool (which is frequently malware itself) or sends you to a malicious website where your machine becomes infected.
Scareware is also distributed through spam email that issues fake warnings or offers to sell users useless or harmful services.
- Pretexting
Pretexting is a technique in which an attacker obtains information through a series of carefully crafted lies. The perpetrator typically approaches the victim claiming to need sensitive information in order to carry out a critical task.
The attacker usually starts by establishing trust, impersonating a co-worker, a police officer, a bank or tax official, or another person with apparent authority to ask the questions. The pretexter asks questions that appear to be intended to confirm the victim's identity but are actually meant to gather sensitive personal information.
This scam can be used to obtain all kinds of important information and records, including social security numbers, personal addresses and phone numbers, phone logs, employee vacation dates, bank records and even security details about a physical facility.
- Honey trap
In a honey trap attack, the perpetrator pretends to be romantically or sexually interested in the victim and draws them into an online relationship. The attacker then persuades the victim to disclose confidential information or to send large sums of money.
- SMS phishing
SMS phishing (smishing) is becoming a far more serious problem as more businesses adopt text messaging as a primary means of communication. In SMS phishing, scammers send text messages that imitate legitimate notifications, such as multi-factor authentication prompts or account alerts, and route victims to malicious web pages that harvest their credentials or install malware on their phones. Because a phone screen shows only a short, truncated link, a lookalike domain is even harder to spot in a text message than in an email.
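The phishing and SMS phishing sections above describe the tell-tale signs of a fraudulent message: a display name that claims a trusted brand, a sender or link domain one character away from the real one, replies routed somewhere else, link text that shows one site while the link goes to another, and a request for data the real sender already has. The following script is an added example written for this page, not code from the original article; it checks a message for those indicators. The two messages, the `examplebank.com` domain and its lookalike are constructed for the example, and the lookalike-domain check is the same one you would apply to a link received by text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a phishing email that spoofs a bank's
# display name, redirects replies elsewhere, and hides a lookalike link behind
# legitimate-looking link text. All domain names are hypothetical.
PHISHING_EMAIL = """\
From: "Example Bank Customer Success" <alerts@examp1ebank.com>
Reply-To: verify@mail-examplebank-support.net
Subject: Action required: confirm your account details
Content-Type: text/html

<html><body>
<p>We detected unusual activity on your account. Please
<a href="http://examp1ebank.com/verify">log in at https://www.examplebank.com</a>
and reply with your full name, date of birth and account number.</p>
</body></html>
"""

# Constructed benign message from the (hypothetical) real bank domain.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available in online banking at
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p></body></html>
"""

# Domains the recipient's organization trusts (assumed for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Data a legitimate bank would not ask for by email.
SENSITIVE_PHRASES = ("social security", "date of birth", "account number", "password")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://([^\s/<>"\']+)', re.I)


def levenshtein(a, b):
    """Edit distance between two strings, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname; a production check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when host is not trusted but is within two edits of a trusted domain."""
    d = registrable_domain(host)
    return d not in TRUSTED_DOMAINS and any(levenshtein(d, t) <= 2 for t in TRUSTED_DOMAINS)


def domain_of(address):
    """Domain part of an address in any header form, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the names of the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    # 1. Display name claims a trusted brand while the real sender domain is not trusted.
    if any(b in display.lower().replace(" ", "") for b in brands) and \
            registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        found.append("display_name_spoof")
    # 2. Sender domain is a typosquat of a trusted domain (here a digit 1 for the letter l).
    if is_lookalike(sender_domain):
        found.append("lookalike_sender_domain")
    # 3. Replies go to a different domain than the one the mail claims to come from.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        found.append("reply_to_mismatch")

    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        # 4. Link text shows one site while the href points at another.
        shown = URL_IN_TEXT_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            found.append("link_text_mismatch")
        # 5. The real link target is a lookalike of a trusted domain.
        if is_lookalike(href_host):
            found.append("lookalike_link")
    # 6. The message asks for data the legitimate sender already holds.
    if any(p in body.lower() for p in SENSITIVE_PHRASES):
        found.append("sensitive_data_request")
    return found


if __name__ == "__main__":
    print("phishing:", phishing_indicators(PHISHING_EMAIL))
    print("benign:  ", phishing_indicators(BENIGN_EMAIL))
```

Run stand-alone, the script reports all six indicators for the constructed phishing message and none for the benign one. In a real mail pipeline the Reply-To check is the noisiest of the six, because legitimate bulk-mail services routinely set a different Reply-To, so it should raise a score rather than block on its own; the lookalike-domain and link-text checks are the ones worth surfacing to the user directly.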
Social Engineering Recommendations
Criminals who carry out social engineering attacks prey on human psychology and curiosity to compromise their targets' information. With this human-centered view in mind, it is the organization's responsibility to help its people defend against these attacks.
Incorporating the following practices into security awareness training can help users avoid social engineering scams.
- Do not open emails or attachments from unknown or suspicious sources. If you receive an unusual email from a friend or family member, call them or speak with them in person to confirm it.
- Do not give strangers the benefit of the doubt when they make you an offer. If something looks too good to be true, it almost certainly is.
- Always lock your laptop or workstation when you step away from it.
- Use anti-virus software and keep it up to date. No anti-virus solution can protect against every threat, but it will stop some of them.
- Familiarize yourself with your company's security policies so you know when you can, and when you should not, let a stranger into the building.