James Phang

View Original

What is Social Engineering?

Social engineering is a tactic of manipulating, influencing, or deceiving a victim to gain over their computer systems to steal personal and financial information. Social engineering attacks happen in one more step, the perpetrator first investigates the intended victim to gain the necessary background information such as potential points of entry and weak security protocols. Next, the attack uses a form of pretexting such as impersonation to gain a victim’s trust and provide stimuli to break security practices to reveal sensitive information or grant access to critical resources.

Types of Social Engineering Attacks 

Phishing

Process of attempting to acquire sensation information such as usernames, passwords, and credit card details by pretending to be a trustworthy entity using bulk email, SMS or phone. Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message to encourage revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.  

Spear Phishing

This is a more targeted version of a phishing scam where an attacker chooses specific individuals or enterprises. The attacker tailor their messages based on characteristics job positions, and contacts belonging to their victims. Spear phishing requires a lot of effort to research its victims and compromise accounts, this often takes weeks and months to pull off. However, they are much harder to detect and have better success rates if done skilfully.

Baiting

Scammers use false promises to lure a victim into a trap which may steal personal and financial information or inflict the system with malware. The trap could be in the form of a malicious attachment with an enticing name.

Tailgating

Also known as “piggybacking”. A physical breach of where an unauthorized person manipulates their way into a restricted or employee-only authorised area through the use of social engineering tactics. For example, impersonating a delivery driver an employee opens a door, and the attacker asks to hold the door thereby gaining access to the building.

Scareware

Scareware involves victims being sent false and fictitious threats. Users are deceived into thinking their system is compromised by malware prompting them to install software that grants remote access to the criminal or pay the criminal in the form of bitcoin.

Social Engineering Prevention

Don’t open email attachments from suspicious sources.

If you know the sender and the message seems suspicious, it is best to contact the person directly.

Multi-Factor Authentication (MFA)

Attackers often seek valuable pieces of information such as user credentials. Using MFA helps to ensure the account’s protection in the event of an account being compromised.

Clean Up Your Social Media

Attackers can use social media accounts to find any kind of information on the person. Information such as birthday celebrations, your children's birthdays, or events can help attackers extract information used to set up accounts.

Install and Update Antivirus and Other Software

Make sure automatic updates are turned on. Periodically check to make sure your system is most up-to-date. Scan your system daily for possible infections or malware.

Back-Up Your Data Regularly

Backing up your data regularly will enable you to have access to essential data if your hard drive becomes corrupted via a social engineering attack.

Be Wary of Tempting Offers

If the offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you are dealing with a legitimate offer or a trap.