What is Social Engineering: How it Works, Types, and Examples
People who have watched the film Who Am I will have heard the term social engineering in it, but unfortunately most of them do not know exactly what the term means. So let's find out what social engineering is, how it works, its types, and some examples.
What is Social Engineering?
Social engineering is a manipulation technique that exploits human error to gain personal information, access, or valuables. In the world of information security, social engineering is a type of cyber attack that manipulates people through trickery and deception rather than through technical exploitation.
These attacks take advantage of human vulnerabilities such as emotions, beliefs or habits to convince individuals to take actions such as clicking fake links or visiting malicious websites. Although less sophisticated than other cyber attack strategies, social engineering can have severe consequences and can often become a weapon for major attacks.
How Social Engineering Works
Unlike viruses, which depend on hacking techniques or malicious code to deliver a payload, social engineering relies on human psychology. Used effectively, it can be leveraged to gain access to data, systems, and other valuable information.
For example, instead of spending months creating a new type of malware, hackers focus their attention on tricking employees into divulging their passwords over the phone by posing as IT support technicians. If they talk to the right people and say the right things, they can connect to the network almost instantly.
Your network security is only as strong as its weakest link, and the same goes for your workforce. Hackers usually use a number of different techniques to find that weakest link, i.e. techniques that play on our fears, our likes and dislikes, and our weaknesses.
Types of Social Engineering
Nearly every type of cybersecurity attack involves some form of social engineering. Social engineering can reach you digitally, through attacks on mobile as well as desktop devices, but you can just as easily be confronted with it in person. These techniques can overlap and be layered on one another to build the deception. Here are some types of social engineering that hackers often use:
* Baiting – Attackers bait an attack when they leave a malware-infected device, such as a USB flash drive, in a place where someone will find it. Relying on our innate curiosity, the attacker expects that someone will plug the device into their own computer and so bring the malware in with them.
* Phishing – Phishing occurs when an attacker initiates a fraudulent communication with a victim that appears to be legitimate and safe. Recipients are then tricked into installing malware on their devices or sharing personal, financial, or business information.
* Pretexting – Pretexting occurs when an attacker invents a false scenario (a pretext) to pressure the victim into granting access to sensitive data or protected systems.
* Quid pro quo – A quid pro quo attack occurs when an attacker requests personal information from someone in exchange for something or some type of compensation.
* Spear Phishing – Spear phishing is a type of highly targeted phishing attack that focuses on a specific individual or organization. Spear phishing attacks use personal information specific to the recipient in order to gain trust and appear more legitimate. Often this information is taken from the victim's social media accounts or other online activities.
* Tailgating – Tailgating is a technique of psychological manipulation in which an unauthorized individual follows an authorized individual into a secured location. The goal of tailgating is to obtain valuable or classified property or information.
Example of Social Engineering
Social engineering works because of the human instinct to trust. Cybercriminals have learned that carefully crafted emails, voicemails, or text messages can convince people to transfer money, hand over confidential information, or download files that carry malware.
Consider this example of spear phishing convincing an employee to transfer 100 Million to a foreign investor:
1. Thanks to careful spear phishing research, the cybercriminals find out that the company's CEO is traveling.
2. An email is sent to a company employee that looks as if it came from the CEO. There is a slight difference in the email address, but the CEO's name is spelled correctly.
3. In the email, the employee is asked to help the CEO by transferring 100 Million to a new foreign investor. The email uses urgent but friendly language, assuring the employee that he will be helping the CEO and the company.
4. The email stresses that the CEO would make the transfer himself, but because he is traveling he cannot move the funds in time to secure the foreign investment partnership.
5. Without verifying the details, the employee decides to act. He genuinely believes he is helping the CEO, the company, and his colleagues by fulfilling the request in the email.
6. A few days later, the employee, the CEO, and the rest of the company realize that they have been the victims of a social engineering attack and have lost 100 Million.
How To Protect From Social Engineering
Ignorance is our greatest weakness as humans, and it is very easy to exploit, which makes the uninformed a prime target for attackers. You must make all employees aware of the risks and of the social engineering techniques in use.
Be wary of the information you release
This includes what you say out loud as well as what you post on social media. Sites like Facebook and Twitter are a wealth of information, from photos to hobbies and interests. A simple Google Maps search of your home or work address gives criminals a picture of your location and its surroundings.
Make sure to protect the right assets
Make sure you protect the right things! When deciding which assets are most valuable to an attacker, do not focus solely on what you or your business consider most valuable. Cyber attackers are interested in anything they can make use of.
Implementing And Following Policies
After identifying which assets are most tempting to attackers, and how they might go after them, write a security policy and follow it! In a business context, every employee needs to play their part. Everyone is a potential entry point into the business and its assets, and it only takes one open door for an attacker to get in.
Once you've implemented the policy, it's time to test it. Sending malicious emails under test conditions to a group of users or observing how employees access a building can give you a good idea of whether policies are being followed.
Improving how your users access systems and data can also help to blunt social engineering attacks. Combining passwords with a second factor such as biometrics, for example, is one way multifactor authentication limits what a criminal gains from a password tricked out of an employee.
Always Update Software
Attackers who rely on psychological manipulation often first check whether you are running unpatched, out-of-date software, since that gives the trick a technical payoff. Keeping track of patches and updating your software can mitigate most of these risks.
So what is social engineering? Social engineering is a technique aimed at persuading targets to disclose certain information or perform certain actions for illegitimate reasons.
Protection against social engineering begins with education. If all employees are aware of the threat, company security will improve. Be sure to raise awareness of this risk by sharing what you have learned, because prevention is always better than cure.
That concludes the article What is Social Engineering: How it Works, Types, and Examples. Look forward to other interesting articles, and don't forget to share this one with your friends. Thank you…
Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.