Social engineering is the tactic behind some of the most famous hacker attacks. It uses psychological manipulation to trick users into divulging confidential information over the phone or through other media. A perpetrator first investigates the intended victim to gather background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. The attacker then moves to gain the victim's trust and provides stimuli for subsequent actions that break security practices, such as revealing confidential information or granting access to critical resources. Social engineering relies on human error rather than on vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
Social engineering takes several forms, including phishing, pretexting, baiting, scareware, and spear phishing. Phishing is the most common type of social engineering attack. The attacker recreates the website of a well-known company and sends the link to targets via email or social media platforms.
Pretexting is based on a scenario. An attacker might impersonate another person or a known figure. The most common example of a pretexting attack is when someone calls an employee and pretends to be a person in a position of power, such as the CEO or a member of the information technology team. The attacker convinces the victim that the scenario is true and collects information. Another example is a fake email you receive from a distant friend who is supposedly in need of money.
Next, baiting. Similar to phishing, it involves offering something enticing to an end user in exchange for login information or private data. The "bait" comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled "Executive Salary Summary Q3" that is left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user's system and the hacker is able to get to work.
Fourth is scareware. Scareware persuades people that a computer is infected when it is not. Scareware uses social engineering to take advantage of a user's fear, coaxing them into installing fake anti-virus software. Scareware goals can vary from selling useless, fake tools to installing damaging malware that exposes sensitive data. Scareware has been known to convince users to download ransomware, a form of malware that holds the user's data hostage in exchange for a payout.
Last, spear phishing. Spear phishing is an email or electronic communications scam targeted at a specific individual, organization, or business. Although it is often intended to steal data for malicious purposes, cybercriminals may also use it to install malware on a targeted user's computer.