Technology has changed the meaning of how we interpret security and privacy in this digital millennium. Weve made tools that can prevent major vulnerabilities, with years of research, and debugging, to finally prevent disruptions in our workflow from occurring.
What we forget is, the biggest enemy to security is still a human being or as I must state, the mistakes that we commit.
Social engineering exploits those mistakes to get access to your personal information and the worst part is that the attackers, take the information with your consent.
Social engineering is the skill of gaining access to sensitive and secure credentials by manipulating through human involvement and interaction.
Perpetrators manipulate human psychology to lure victims into committing mistakes and break their secure routine which as a result, exposes their secretive information to the attacker.
In order to launch a social engineering attack on an individual or an organization, the attacker goes through a series of steps before harming the victim. The steps may vary from one suspect to another, but the process of gathering information on the soon-to-be victim remains the same.
After the relevant information is gathered, he/she then proceeds to the second phase, gaining victims trust which eventually allows the victim to be manipulated. Lastly, the treasure in the form of the data or whatever perpetrator manipulated the victim for.
The whole process of social engineering revolves around the aspect of mistakes committed by humans, which makes it extremely dangerous for data security.
The perpetrators tend to exploit weaknesses in a persons personality which makes them have a false sense of security with the attacker giving them the green light to get the information they want.
Social engineering is currently the most used method by criminals trying to infiltrate an organization. The cyber criminals can snoop around with its secure data and leave without a digital footprint of any sort. It can be initiated anywhere, where there is a chance of human error or human involvement.
The main techniques of social engineering can be boiled down to four major types.
As the name suggests, baiting attacks use attributes of an individuals personality against them. It lures them into a trap where everything seems blissful but you end up losing your credentials or inflict your systems with deadly malware.
Believe me, when I say, its easier for anybody to fall for a trap like this. In 2016, many enterprises were added to the list of social engineering attack victims.
There are two forms of baiting, one that is physical and the other online. In the physical one, the perpetrator uses a malware infected flash drive and leaves it someplace where it is visible to the victims eye.
The perpetrator makes the device visibly familiar to what the victim owns. Once the victim plugs it into an office computer or home computer the malware auto installs and disrupts the computer system.
The online aspect of it requires the user to download malicious software through a website. Different methods can be utilized to bait you into downloading the file. It can happen through an email, a fake website or through a series of ads, redirecting to the malicious website.
Pretexting is another technique used by attackers, this attack forces the attacker to craft a really good yet believable strategy to get the information. The scam is initiated with the perpetrator impersonating a high profile officer of an organization pretending to need your information to perform a critical task.
However, its not always the case, they can even impersonate your friend, family member or acquaintances to get what they require.
The attacker often impersonates high ranking officials, like police officers, tax officials, and other important people that have the authority to ask incredibly confidential questions. In order to sound more believable, the attacker often asks the victim information to confirm their identity so that he can move forward with the plan accordingly.
All sort of important and sensitive information is gathered through this attack which can include social security numbers, personal addresses, phone numbers even bank account credentials if needed.
Phishing is one of the most famous social security engineering attack types. The attacker targets the victim through different mediums, emails, a fake website with similar URLs can be used to complete the attack. Phishing scams are mostly initiated by impersonating a well-known or familiar organization used by the victim. It then encourages victims to open malicious links to download malicious software or to reveal sensitive information.
Lets say you receive an email on behalf of an organization that you visit often or you are familiar with so you do not focus on what the email address looks like and you just proceed to open it without any precautions.
The attackers have thought of everything possible to deceive you, thats why they succeed at manipulating people to do what they want.
Scareware is a type of application, that when installed, makes the end user experience fake malware and threats. The victim is lured into an illusion that their system is under attack or affected by malware. Furthermore, it asks the individual to download a specific software which is supposedly removes the malware.
The software that it asks to download does not contain any solution for your problem, its only made to disrupt more operations of your computer system.
A common example of scareware would be those popup websites that display threats on your browser screen like Your computer is infected, please download this software below to remove it. If not then it will lead you to an infected website instead which will automatically start downloading malware on your computer system.
Scareware is also spread through spam emails which does the same thing, display fake threats and encourage people to buy useless services.
Ways to prevent such attacks
There are many different ways that you can use to prevent yourself from being a victim to social engineering. You can surely, prevent yourself from falling for these traps but having a strong mind presence will surely help you identify such threats.
- Emails regarding your personal credentials and information are never really legitimate, if you get one, make sure to investigate before rushing to write a reply. If it isnt from a known organization, delete it immediately
- Increase the strength of your spam filters. Each and every email service provider lets you setup spam filters according to your preference. Some come with spam filters already on the highest settings. If not you can just configure one to stop receiving all this trash in your mailbox
- Securing all your operational devices is always a plus. There is an anti-virus program for every platform that a device uses whether it be, Android, Windows, Mac or Linux. Installing one can keep you safe from unwanted malware
- Keeping your operating system updated is recommended. Almost every OS releases updates once in a while to patch security vulnerabilities. You do not want to miss on such crucial updates
Most importantly, the malware errors or BSOD or even popups that tell you to contact their helpline are straight up lies. Remember, if your computer is infected with malware, your whole desktop would be disrupted not just the browser screen.
Tech giants will never ever contact you to try and fix your problem individually, due to the fact its very expensive and will take a lot of time. Instead, they release security updates to patch the vulnerabilities.