source: vpnoverview

The concept of social engineering involves manipulating individuals or organisations through dubious tactics administered in multiple ways by perpetrators. For example, plotters analyse victims' backgrounds and devise ways to trick them into giving out sensitive information that is misused. These attackers aim at sabotaging data and theft, obtaining access, information or money.

Safe communication and network habits are some ways to prevent the phenomenon. Read along to gain a better insight into the concept and how to keep yourself safe from such an attack.

It is a kind of attack that relies primarily on interaction where threat actors conceal their identities and present themselves as trustworthy individuals or sources of information. Their objective is to influence their victims to release access to personal data and other finance-related information.

This kind of attack can happen both online and in-person, including spreading malware and is based on human error predominantly.

An attacker in this context fabricates a pretext that is familiar to their targets. Following are some practices of the same:

• Lure Targets: Preying on cognitive biases to lull targets to a false understanding and a sense of trust and security.
• Earn Trust: The attacker assumes an alter ego which makes the targets trust them inherently.
• Gather Sensitive Data: After gaining the trust of the target, the attacker then coaxes them to divulge sensitive data and information.
• Exploit: The leaked credentials are what the attackers aim to achieve and misuse
• Try to Do More Damage: The process is iterative as the attackers further utilise every information they gain initially from their targets to strengthen the perceptible legitimacy of the attacker’s plea.

What makes social engineering attacks dangerous is that these rely on human errors rather than those made by software or operating systems. Unfortunately, legitimate users make less predictable mistakes and are more challenging to identify and thwart than malware-based intrusions.

1. Baiting

This technique uses physical or web-based media to disperse malware. As the name suggests, victims give in to the bait laid by the attacker, such as malware-infected flash drives in elevators, parking lots, etc. More common ways of attack are advertisements on the web to lure victims in.

2. Phishing

Occurs when one clicks on links embedded in emails and text messages, generating fear and a sense of urgency in the victim. Such clicks give away account-related information to the attacker or may install malware on the device logged in by the user.

• Spear phishing: This is a target-specific form of phishing and is one of the advanced social engineering attacks. An instance of such an attack may include a disguised IT consultant in a company sending an email to one or more employees of the organisation, deceiving them into considering the mail as authentic. Clicks on the links in the email lead them to malicious apps or pages capturing their credentials.
• Vishing: This technique is also known as voice phishing and administers dubious tactics over the phone to lure in the victim to give away sensitive information. This may include personal or financial information such as debit/credit card credentials, OTP, etc.
• Whaling: The attack targets high-profile targets. These may include chief executives or financial officers giving away sensitive information regarding themselves or the enterprise or organisation they are an integral part of.

3. Pretexting

Attackers in this context disguise themselves as co-workers, banks, tax officials, police, etc., who possess the right to know authority. They ask questions which lead to luring their victims to disclose their bank records and security information.

4. Scareware

It is also known as fraudware, rogue scanner software or deception software. This attack involves perplexed victims scared of unknown threats flashing on their devices.

For instance, a pop-up message displays that a device is infected by malware. Then, another pop-up appears, which is the malware disguised as preventive malware software. Clicks to install the software expose the device and the user to real threats.

Listed below are some examples of actual social engineering attacks or frauds:

• The spear phishing scam of $100 Million involving Google and Facebook
• Russian hacking troop targeting Ukraine with spear phishing
• Microsoft 365 phishing scam stealing user credentials
• Phishing scams using HTML tables to evade traditional email security

Some proven ways to protect yourself against these frauds include the following:

• First, always be mindful before you click on links.
• Research the sources of emails
• Strictly avoid downloading files you have no information about
• It is necessary to remember at all times that offers and prizes are always fake
• Delete any request which aims at gathering personal information, including passwords, and report these as spam
• Adjust your spam filters to high
• Regular software updates on devices are necessary

Some other types of social engineering are - watering holes, quid pro quo, diversion theft, honey trap, rogue security software, tailgating, pharming, and dumpster diving. These include multiple web-based or social tactics, luring in information from varied sources.

It is the need of the day to look into these social engineering practices and avoid the same as much as possible, incorporating the tips mentioned above. Being extra cautious in every step of life, especially being wary of posting personal information on social media platforms, limiting it as much as possible needs to be ensured to keep away from scams and attacks discussed so far.