The What, Why and How of Social Engineering Attacks and How You Can Keep Safe?
Social Engineering Attacks
The purpose of most cyberattacks is to access confidential information that can either be sold on the dark web, ransomed or be leveraged to cause largescale disruptions. A large percentage of such attacks have a social engineering component.
Social engineering can be defined as manipulating unsuspecting (or many a times, even suspicious individuals) to divulge confidential or sensitive information, or take an action that can be exploited by hackers.
The nature of information shared by victims can vary, but it can include PII, financial information and anything else that criminals can use to access your computer, bank accounts, and more; think passwords and all kinds of information that defines who you are and your personal and financial identities.
Social engineering is in vogue because it is a pure psychological play. Criminals exploit the natural human tendency to trust and exploit human emotions such as anxiety, fear, discord, frustration and more. Such attack techniques are popular because it is far easier to tap into such natural inclinations rather than creating complex codes to hack into a software by exploiting a vulnerability. Also, if criminals get lucky, the payout is much quicker in social engineering attacks.
Think about it for a second. What’s better – a person being fooled into willingly sharing a password or a hacker trying to unearth a password using a collection of hacking techniques?
No prizes for guessing it is the former rather than the latter.
How to Spot a Social Engineering Attack?
There are different kinds of social engineering attacks, but most of them have a common running theme, and that is they create a sense of urgency and curiosity around the messaging; and they are typically from someone you know.
The Friend’s Email
This is a fairly common type of attack. A cybercriminal hacks into a friend’s email by accessing his/her password. Hacking into your friend’s email gives the criminal access to the friends contact list, which includes you. This is when the game begins in earnest. And remember, this friend doesn’t know that his/her email account has been hacked.
The criminal then proceeds to create an email and sends it to all contacts. If the criminal has access to your friend’s social networking contacts, then messages are sent to them as well. But it does not end here. There is a very good chance that the friends of this person’s friends receive a mail or message as well.
The criminal is playing with the law of averages here. Not everyone is going to fall victim to the social engineering attack, meaning not everyone will take the requisite action on the email. The criminal is improving the odds by sending emails and messages to the widest possible audience.
So, what are these messages all about?
Why are these messages such a big problem? How do people become a victim of the emails they receive, so much so that they divulge extremely sensitive information? The one-word answer to these questions is Trust. Think of a scenario wherein you are receiving a phishing email purportedly from your friend. Your first instinct is to not ignore it because it is from a person you trust – your friend. You will then go through it and take action. It is this action that will determine whether you fall prey to a social engineering attack.
The contents of the email:
- A link: The email will set the tone for you to click on a link. The messaging will try to pique your curiosity around where that link will take you to. Like we said earlier, there can be a sense of urgency and maybe a sense of mystery to the messaging that will make you want to click on this link. And if you do, a malware will be dropped onto your machine, infecting, and just like that, the cybercriminal now has access to your machine, and you are now a victim of a cybercrime. And you might not be even aware of the fact that this has happened.
- Download/s: You might think nothing of an attachment that is a part of the email, because it is from your friend. This could be a word, excel, PDF file, an image, video, a music file or something else. If you download this file, you will be actually downloading malware, which will infect your machine.
You have been deceived, just like your friend was deceived and it is now the turn of your email account to be used for sending emails just like these to your contacts (that is, if your email account has been compromised). The attack keeps spreading its wings. There might not be an end to it.
Email from a Trusted Acquaintance or Source
It is important to note that a massive 85% of data breaches have some human element. This means you, and I and everybody else is susceptible to phishing attacks; and typically, it is a human who takes a wrong action, resulting in a data breach. While this happens because of a lack of awareness about the nature of social engineering attacks, it also happens because such attacks are becoming more sophisticated.
A cursory examination of an email or message won’t tell you whether it is a phishing email or message. It is imperative that we are on our toes all the time and are naturally suspicious what we see in our inbox chats, or SMS’, especially those that want us to click on a link or share personal information.
This brings us to the second aspect of a social engineering attack wherein you are not receiving an email from a friend, but a person or organization that you trust implicitly. In this case, the criminal uses email spoofing (a technique in which an email is forged in such a way that it seems it is coming from a trusted source), or this criminal has hacked into the email account of someone who works at a particular organization that is a trusted name in its domain. Typically, it is financial companies that are impersonated, and the reason is not hard to find. If an email is from your bank, you will definitely open it, and give it a read. After all, we are always worried about our finances and it is this worry that more often than not is exploited by criminals.
A Compelling Message is the Focal Point of Social Engineering
This is the oldest trick in the book and tries to exploit our finer feelings. Your ‘friend’ is in the hospital and needs money urgently otherwise he won’t be treated. This mail might be sent by a hospital or the friend. You are asked to send money to particular account (details mentioned in the email). As you might have guessed by now, that the mail was from neither your friend, nor the hospital, but from a criminal.
The Hassled Colleague
You get an email from a colleague who wants some urgent business information from you and the said colleague is under tremendous pressure to complete a particular task. Your information will help complete this task. Yes, you are asked to share information that you shouldn’t be sharing.
From the Boss
Imagine receiving an email from your boss, asking you for an update or proprietary information. Or the message might ask you to approve a transaction for your boss, something that will be difficult to refuse. Chances of people falling for this email are quite high!
Email from a Trusted Organization
You get an email, text message or an IM from a company that you know keeps sending emails and messages to you. You don’t give such messages a second thought before opening them. The message wants you to urgently share personal information and basically verify your credentials by clicking on a link (that takes you to a fake website); and it says that not doing so might just lock you out of your account and you will be penalized; basically non-compliance will result in serious and unpleasant consequences.
An Attack of ‘Kindness’
An email that will play on your more charitable instincts. You will be asked to donate to a good cause or a charitable institution and there are all chances that you will fall for it.
Winner Winner Phisher Dinner
YOU have won a prize or a relative has left a lot of money for you or something along the same lines. All you need to do is send your bank details, physical address and some more PII and the money is yours. Don’t fall for it.
A Drill Down into Social Engineering Tactics
There are plenty of social engineering tactics employed by criminals but the scheming is focused on the following:
- The Bait
Criminals dangle something in front of the intended victim. If this person takes the bait, the results are catastrophic. This bait can take the form of some free stuff such as discount coupons, a hot new movie, the latest music, free eBooks, free credentials for dating apps, the hottest games available for free and more along the same lines.
P2P sites are a hotbed of such social engineering schemes. Now, you might think that a little bit of research and trying to know more about the said deal and the people or entities behind it will give you a better idea of whether it’s the real McCoy or a part of a phishing attack. The problem here is that criminals take great pains to set up these baiting scenarios, backed by good reviews and a whole lot of fake reputation building.
This means the chances of intended victims taking the bait are high. Doing so, results in malicious software entering your system. If you make your way to phony malicious sites and share your financial information like credit card info and more, you will soon find money missing from your accounts and purchases made with your credit cards.
Always remember – if a deal looks too good to be true, it probably isn’t true.
- The Answer to a “Question”
Very often, you might have come across mails and messages that answer some query that you do not remember asking. Well, that’s because you never did. And this message will ostensibly push you to ask for more information around a product or service that you already might be using. This might just allay your suspicions and convince you to take the conversation further.
There is also a very good chance that you might have some questions that actually need answering. Remember, criminals always do their research and can identify some common issues users have with a popular software, and thus create the necessary answers. Now imagine if you receive an answer for a “query” and the message says, that subsequent support will be offered free and all you need to do is authenticate your identity. You do that, without realizing the “fix” is actually a social engineering tactic.
Result – you share sensitive information with a criminal and open gateway into your computer or into you bank account or worse.
- Destroying Trust
Phishers use distrust like an art form. They know the buttons that must be pressed to create mistrust and conflict amongst individuals, a scenario ripe for launching a social engineering attack. A criminal can access your social network and start sending messages that put you in an embarrassing situation. This will typically be done in staged manner, wherein the nature of messages will get from bad to worse from the public embarrassment perspective. Criminals will ask for money to give you control of the account or to just make these messages stop.
Conflict creation by criminals takes many forms and there is no limit to their creativity. Exploits will take multiple hues and while you might not realize it, until it’s too late, but criminals might be socially engineering you to take steps that will be detrimental to your data.
While most social engineering techniques are largely deployed online, tailgating is an offline engineering scheme that you must guard against. Here’s a situation. You use your authentication to enter your office premises, but unbeknownst to you, an attacker follows you inside into a restricted area. This is a more physical form of social engineering, and once inside the premises, the attacker can, in a worst-case scenario, access systems that might have been left unattended. This attack can even disrupt business processes and cause physical harm.
Don’t Fall for a Social Engineering Attack
If all that you have read has scared and made your very apprehensive of the next mail or message you receive, good. It is important to understand the seriousness of the situation and be wary of social engineering attacks. Remember, all it requires is one click to become a victim.
So how do you protect yourself?
- Take a breath: Yes, the phishing message will convey a sense of urgency, but this doesn’t mean you should act without thinking. Read that message, asking you to share important personal information, or make certain payments. Read it again. Validate and validate again. Only then make a decision.
- Research is the key: Not all emails are a phishing attempt. So, make sure you do your own bit of research when you receive an email from a trusted entity, asking you take certain steps. One of the easy ways of doing so is calling their number and confirming whether they have sent you an email. Don’t trust the phone numbers mentioned in the emails. Get them from the web or from company documents that you might have received.
- Strong passwords: We have talked about hackers gaining control of email accounts and using them in social engineering attacks. One of the reasons they are able to do so is because of weak passwords. So, make sure you use strong passwords that are difficult to break. This will prevent email or social account hijacking. This is an important step in not becoming a victim.
- Say no to clicking on links: A danger sign should flash in front of your eyes when you see a link in an email or message. Yes, you can see the actual URL, if you hover over the URL, but this doesn’t keep you safe. Your “friendly neighborhood hacker” is an ace at spoofing links, and therefore, just don’t click on such links.
- Don’t download: Be extremely wary of what you are downloading and the download source. Ideally, you should only download from trusted sites and stay away from sites that you know nothing about. Also, unless and until you are absolutely sure, do not download files from emails or messages.
- Beware of the word ‘Free!’: Nothing is free. You pay a price for it and when it comes to social engineering, the price for trying to get something for free is massive. So don’t believe those emails that say ‘Click on this link to get a free gift/coupon/software/movie etc.
- No, you haven’t won anything: When you receive an email saying a Nigerian prince has left a huge estate worth millions of dollars for you, laugh, and delete that email. If you receive a message saying you have won a lottery (which you have no clue about because you did not buy a lottery ticket in your life), laugh some more and delete that message.
What More Can You Do to Keep Yourself Safe?
Apart from maintaining the strictest cyber hygiene what is also necessary is that you keep updating all your software with the necessary patches. This ensures that hackers won’t be able to exploit vulnerabilities. Something else you must do, and which we have also mentioned previously is ensure you create strong passwords. Also, deploying an antivirus to protect your Macs and PCs is one of the better ways of protecting your system and data from cyberthreats. With Sophos Home, you will get the benefit of award-winning security features that protects fortune 500 companies. It will scan and clean your computer, getting rid of even the most well-hidden malware. It will block viruses, ransomware and all other forms of advanced malware and keep all sensitive information safe and prevent it from falling into the wrong hands. Moreover, it facilitates a safe and secure online experience.