Social engineering is a general term for malicious activities accomplished through human interaction. It manipulates the user psychologically into making security mistakes or giving away personal information.
Criminals use social engineering tactics because it is usually easier to exploit users' natural inclination to trust than to find ways to hack the software.
Social engineering follows a planned attack cycle. First, the attacker investigates the intended victim and gathers the information needed to proceed with the attack, such as potential points of entry and the security procedures in place.
The attacker then works to gain the victim's trust and creates a pretext for subsequent actions, such as revealing sensitive information, and thereby breaks through the security.
Social engineering is also defined as “an act that influences a person to take an action that may or may not be in their best interests”.
All social engineering techniques are based on specific attributes of human decision making known as cognitive biases. These biases, sometimes called “bugs in the human hardware”, are exploited in various combinations to create attack techniques.
Social engineering relies heavily on the six principles of influence established by Robert Cialdini: reciprocity, commitment and consistency, social proof, authority, liking and scarcity.
The most common types of social engineering attacks include the following.
As the name suggests, baiting uses a false promise to provoke a victim’s greed or curiosity. The attackers lure users into a trap that steals their personal information or infects their systems with malware.
This technique sometimes uses physical media to spread the malware.
For instance, attackers leave malware-infected flash drives in places where targets are likely to pass (elevators, parking lots, etc.). Once curiosity or greed gets the better of a user and the drive is plugged in, the user has walked into the malware trap.
Digital forms of baiting include enticing online ads that lead to malicious sites or encourage users to download malware-infected applications.
Here the target is bombarded with false alarms that their system is infected with malware, prompting them to install software that contains the real threat.
Scareware is also referred to as deception software, rogue scanner software and fraudware.
A typical example of scareware is a pop-up that appears while browsing a website, saying something like “Your computer may be infected with harmful spyware programs”. Clicking it either offers to install a tool (which is itself malware) or directs you to a malicious site where your system gets compromised.
Scareware is also distributed by email, in the form of bogus warnings, offers or services.
This technique, pretexting, is built on a fabricated story. The attacker starts by pretending to need sensitive information from the victim in order to perform a critical task.
The attacker usually establishes trust by impersonating co-workers, police, bank or tax officials, or other persons with right-to-know authority.
All sorts of sensitive data, including social security numbers, personal addresses and phone numbers, are collected for the scam.
Phishing is the most popular type of social engineering attack. It uses scam emails or text messages to create a sense of urgency, curiosity or fear in victims, prodding them to reveal sensitive information by clicking malicious links or opening attachments sent to them.
- Spear phishing
This is the most targeted version of phishing, in which the attacker chooses specific individuals or enterprises and tailors the messages to their characteristics, job positions and contacts.
Spear phishing takes much more effort and may take weeks or months to pull off.
It is much harder to detect and has a better success rate when done skilfully.
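As an added example (not part of the original article), a small Python scorer that reports the phishing red flags this section describes when run over a constructed message: a Reply-To on a different domain than the sender, urgency wording, a link whose visible text shows a different domain than its real target, and an executable attachment. Every name, address, domain and file name in the sample is made up.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple anchor matcher
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def domain_of(s):
    """Host of a URL, or the domain of a mail address, lowercased and without 'www.'."""
    host = ((urlparse(s).hostname if "://" in s else s.rsplit("@", 1)[-1]) or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_flags(msg):
    """Return the social-engineering red flags found in an email.message.EmailMessage."""
    flags = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:     # replies are routed somewhere else
        flags.append(f"reply-to domain {domain_of(reply_to)} differs from sender {from_dom}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    for phrase in URGENCY:                               # pressure to act before thinking
        if phrase in text:
            flags.append(f"urgency cue: {phrase!r}")
    for href, shown in ANCHOR.findall(body):             # visible link text hides the real target
        shown = shown.strip()
        if LOOKS_LIKE_URL.fullmatch(shown) and domain_of(shown) != domain_of(href):
            flags.append(f"link shows {domain_of(shown)} but goes to {domain_of(href)}")
    for att in msg.iter_attachments():                   # executable content as an attachment
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment: {name}")
    return flags

# Constructed sample message: every name, address, domain and file name below is made up.
SAMPLE = EmailMessage()
SAMPLE["From"] = "Example Bank Support <alerts@example-bank-secure.top>"
SAMPLE["Reply-To"] = "help@mailbox-example.net"
SAMPLE["Subject"] = "Urgent: your account will be suspended within 24 hours"
SAMPLE.set_content('<p>Verify now: <a href="http://example-bank.verify-login.top/x">'
                   'https://www.example-bank.com/login</a></p>', subtype="html")
SAMPLE.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                      filename="statement.exe")
```

Calling `phishing_flags(SAMPLE)` returns seven flags for the sample; a mail gateway would treat such a score as a reason to quarantine or tag the message rather than as proof by itself.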
Defending against social engineering attacks
- Don’t open emails or attachments from suspicious sources
- Use multi-factor authentication
- Be wary of tempting offers
- Keep your anti-virus/anti-malware software up to date
- Think before you click
- Research the sources
- Reject unsolicited requests for help or offers of help
- Set your spam filters to high
- Always be mindful of the risks