Social Engineering
10 Nov

Social Engineering – What Makes You Human?

You are at the office and you come across a lady trying to open the door but she is not able to reach her identity card as she is carrying a laptop in one hand and a couple of books in the other. While desperately trying to reach her pocket to take out the identity card to unlock the door, you rush to help her enter, using your identity card. But what if this was all a planned attempt to enter the office without any check-in? Your courteous gesture has suddenly landed you in trouble. You are now a victim of social engineering!

Social engineering is a common term that you hear when cybersecurity professionals talk about the many ways we are all vulnerable to data theft. The term usually refers to taking advantage of the human instinct to help someone in need in order to serve the purpose of the criminal.

The problem of social engineering has been evolving for many years, but today it is the main source of cyber attacks and cyber terrorism. Malware installed via a technical flaw accounts for only 3% of instances, whereas social engineered attacks amount to a massive 97%.[1] The hacking pattern is shifting from targeting software or hardware to focusing on human vulnerabilities.

Different Types of Social Engineering Attacks

Phishing

91% of the data breaches come in the form of phishing, making it the most exploited form of social engineering.[2]

Phishing is a type of cybercrime in which emails are sent to the target in order to lure individuals to provide personal information, banking and credit card details, email or social media account passwords, or other confidential information.

Phishing scams often demonstrate the following characteristics:

  • Trying to obtain personal information, passwords, or other bank related details.
  • Sending shortened links that will redirect to the compromised websites which can track your details.
  • Incorporating a sense of urgency, threat, or fear to manipulate the victim to react before thinking.
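The three characteristics above can be checked mechanically as a first-pass triage of reported mail. The following is an added example, not code from the original article: the keyword lists, the shortener domains, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed word lists and shortener domains; tune them for your own mail flow.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|card number|social security|bank account)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def phishing_indicators(raw_email: str) -> dict:
    """Return which of the three characteristics appear in the message."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]
    short = sorted({h for h in hosts if h.removeprefix("www.") in SHORTENERS})
    return {
        "asks_for_sensitive_data": sorted({m.lower() for m in SENSITIVE.findall(text)}),
        "shortened_links": short,
        "urgency_cues": sorted({m.lower() for m in URGENCY.findall(text)}),
    }

def score(indicators: dict) -> int:
    """One point per characteristic present (0-3)."""
    return sum(1 for hits in indicators.values() if hits)

# Constructed sample messages (not real mail); the short link is a placeholder.
SUSPICIOUS = """\
From: "Tax Refund Team" <refunds@example.test>
To: user@example.com
Subject: URGENT: your tax return is suspended

We could not process your return. Confirm your bank account and password
within 24 hours at http://bit.ly/EXAMPLE or the refund is cancelled.
"""

BENIGN = """\
From: colleague@example.com
To: user@example.com
Subject: Lunch on Friday

Menu is at https://intranet.example.com/cafeteria if you want to pick.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score(phishing_indicators(raw)), phishing_indicators(raw))
```

A score of 3 only means all three characteristics are present; keyword heuristics like these produce false positives and misses, so they suit prioritising reports for human review rather than blocking mail outright.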

A perfect example of this type of social engineered attack is the phishing scam that occurred a month after Tax Day in 2018, when criminals sent misleading emails asking recipients for their tax return details. This was done to obtain access to accounts and to steal and sell information used to file fraudulent tax returns.[3]

Impersonation

Cybercriminals often look for the weakest link to compromise a system, which is usually a human. Impersonation requires a lot of effort to understand the target and plan the attack; hence, it is the least common form of social engineering.

Some common roles that an impersonator might take on to implement the attack are an IT executive, a manager, an auditor, or a fellow employee. Usually, impersonation attacks focus on roles with authority because when people receive a request asking to share information from authoritative persons, they will act immediately without verifying the true identity of the sender.

Even though impersonation is not performed as commonly as other forms of social engineering, these attacks have risen by nearly 400% in 2017.[4]

Vishing

Voice phishing, or vishing, is growing rapidly as a form of social engineering. In a vishing attack, an attacker calls into the target organization and attempts to gain information and credentials over the phone. In another vishing scam, the attacker attempts to get the person on the other end of the phone to perform some action on their PC, such as running desktop scripts or viewing infected websites. These attacks are difficult to monitor and trace and, unfortunately, employees working in HR, customer service, sales, marketing, and similar departments are highly vulnerable to them.

From 2012 to 2016, a group of cyber criminals ran a massive IRS vishing scam. During these four years, more than 15,000 victims in the United States lost “hundreds of millions” of dollars to this sophisticated scam, and more than 50,000 individuals had their personal information compromised. [5]

Smishing

Smishing is a portmanteau of “SMS phishing” which is similar to phishing but is performed through text messages. Smishing criminals normally send messages to contact numbers that they obtain through various black-hat techniques like web-crawling, data breaches, or random number generators. The messages sent by scammers use different techniques to get you to share the information they are after. They may promise coupons or discounts on desirable products or they may pose as your bank looking to verify your account details. You may also receive texts from suspicious numbers like “5000” or other numbers linked to email-to-text services which could be automated.

As reported by NBC Nightly News, a smishing scam was attempted by asking victims to activate their new credit card by entering private information over the phone. In another smishing scam, users were informed that their online accounts were expiring and that they were required to renew their account by entering their passwords on a fake website.[6]

How are Social Engineering Attacks Planned?

Social engineering attacks are the most dangerous of cyber attacks, as they are based on human error rather than on any vulnerability in software.

The process of a typical social engineering attack is executed as follows:

Step 1 – Investigation

Before initiating an attack, the attacker investigates the victim, verifying the identity, background information, professional details, etc. to begin planning the attack.

Step 2 – Hook

In the second step, the hacker tries to deceive the victim and earn their trust using the information learned in step one.

Step 3 – Play

When the hacker gains the confidence of the victim, he attempts to execute the attack and obtain the targeted information.

Step 4 – Exit

Once the attacker retrieves the information, he will ideally close the interaction and remove all traces of malware (if any was installed), or end the conversation on a pleasant note, so as not to raise any alarms.

Combating Social Engineering

Social engineering attacks cannot be stopped but you can limit their chances of success by being vigilant. Here are a few ways to do so:

1. Always Use Multi-factor Authentication

The most valuable pieces of information criminals are trying to capture are the login credentials to your bank account, email, social media, or any other official logins. The attacker will always seek access to such information. In order to minimize the possibilities of your accounts being hacked, multi-factor authentication (MFA) can be linked to your email, online bank account, social media accounts, etc.

By enabling MFA, you restrict access even when your password is compromised. MFA normally tests your authenticity by sending an access permission to your linked mobile number or email address. The idea is that in order to access your account, you must rely on something you know (like a password) and something you have (like a mobile phone).

2. Follow Your Instincts

Stick to the rule that if you don’t know the sender, don’t respond to the email or text. If the name seems familiar but you still feel suspicious about it, first confirm that the email sender is authentic. Don’t click on links sent from unknown senders. The email or message may appear to be from a courier service, your colleague, or your boss, etc., but there is usually something not quite right about an email or text sent in a social engineering attack, so if you notice something off, don’t ignore it.

3. Do Not Fall for the Phish-Bait

It is common to come across messages and emails that say “Congratulations! You have won a prize. Click here to claim it!”. If it’s too good to be true, then it most likely is. No one is going to give you an iPad for free, especially for winning a contest you did not enter. The answer is always no. If you do sign up for a legitimate raffle or contest, be sure to read the fine print to see how they will contact you. Until you confirm the authenticity of the sender, do not click the links shared in the offer message.

4. Keep Your Antivirus Software Updated

Antivirus is a protective shield which should be updated regularly. New antivirus versions are often released after testing them against new malware. Hence, your outdated antivirus may not actually stand a chance against new malware. One of the purposes of social engineering is to get malware installed on your system. For example, when you visit a malicious site linked in a phishing email, the site will exploit a flaw in your browser to download and install malware. Antivirus can help limit the damage of a successful phishing attack by detecting the malware and preventing its installation and execution.

Social Engineering in Organizations

Social engineering attacks are not limited to individuals but are conducted on a larger scale with criminals targeting organizations through human error. Cybercriminals love organizations that use social media, which is just about every organization these days. Criminals can use social media to gather information about the organization and their employees to spoof your customers.

In fact, research conducted by Social-Engineer.org showed that: [7]

  • 90% of the people working in organizations fall victim to social engineering practices and share their full name and email addresses with criminals without confirming the real identity of the sender.
  • 67% of employees share social security numbers and other personal details, like date of birth or employee numbers, when they see an email from their colleagues, friends, or boss.

Organizations are trying to find appropriate solutions to deal with the increasing threat of social engineering attacks. As these threats involve human involvement and human error, the focus must be on the training and education of staff as well as hiring cybersecurity professionals to work on assuring the safety of companies’ brands and data.

At EC-Council, our Certified Secure Computer User (C|SCU) program was developed to train individuals to become secure computer users and to think about cyber security at all times. Computer security training is one of the crucial requirements for every organization to combat threats to information security. To learn more about our C|SCU program, visit: https://www.eccouncil.org/programs/certified-secure-computer-user-cscu/


Sources:

  1. https://www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/94-estimates-of-social-engineering-attacks
  2. https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
  3. https://blog.barkly.com/phishing-attacks-campaigns-2018
  4. https://betanews.com/2017/06/07/impersonation-attacks-rise-400-percent/
  5. https://www.nytimes.com/2018/07/23/business/irs-phone-scams-jeff-sessions.html
  6. https://www.comparitech.com/blog/information-security/smishing/
  7. https://www.social-engineer.org/social-engineering/social-engineering-infographic/
  8. https://www.computerweekly.com/news/4500273577/Social-engineering-confirmed-as-top-information-security-threat