27 September 2023

The weakest link: Hackers profiting from human error


Peter Buttler* says social engineering allows online attackers to exploit human weaknesses to gain access to our personal information.


Photo: Bryson Hammer

Technology has changed what security and privacy mean to us.

We have built tools that can prevent major vulnerabilities, but we forget that the biggest threat to security is still the human being, or more precisely the mistakes we make.

Social engineering exploits those mistakes to get access to your personal information.

What is social engineering?

Social engineering is the practice of gaining access to sensitive information and credentials by manipulating people rather than by breaking technology.

Perpetrators manipulate human psychology to lure victims into making mistakes and breaking their normal security routine, which exposes their confidential information to the attacker.

To launch a social engineering attack on an individual or an organisation, the attacker goes through a series of steps.

The steps vary, but the first phase, gathering information about the intended victim, is always present.

Once the relevant information is gathered, the attacker moves to the second phase, gaining the victim's trust, which is what eventually allows the victim to be manipulated.

The whole process of social engineering revolves around mistakes made by humans, which makes it extremely dangerous for data security.

Perpetrators exploit traits of a person's personality, such as trust, helpfulness or curiosity, to give the victim a false sense of security while the attacker extracts the information they want.

Techniques of social engineering

Social engineering is among the methods most used by criminals trying to infiltrate an organisation.

Because the attacker is let in by a person rather than breaking in through a system, they can reach an organisation's secure data while leaving little of the technical evidence that a conventional intrusion would.

It can be attempted anywhere a human is involved and can therefore make a mistake.

The main techniques of social engineering can be boiled down to four major types.

Baiting

Baiting attacks use traits of an individual's personality, such as curiosity or greed, against them.

The victim is lured into a trap where everything seems harmless, and ends up handing over credentials or infecting their system with malware.

There are two forms of baiting: physical and online.

In physical baiting, the perpetrator loads malware onto a flash drive and leaves it somewhere the victim will see it.

The perpetrator makes the device look legitimate or enticing, for instance by labelling it the way the victim's organisation would, or so that it resembles something the victim already owns.

Once the victim plugs it into an office or home computer and opens a file from it (or, on older systems with autorun enabled, simply plugs it in), the malware runs and the computer is compromised.

Online baiting relies on the user downloading malicious software from a website.

Different methods can be used to bait you into downloading the file: an email, a fake website or a series of ads that redirect to the malicious site.

Pretexting

Pretexting is another technique used by attackers, and it requires the attacker to craft a plausible story, the pretext, that justifies their request for information.

The scam usually begins with the perpetrator impersonating a senior officer of an organisation who claims to need your information to perform a critical task.

However, they may also impersonate a friend, family member or acquaintance to get what they require.

Attackers often impersonate people with the authority to ask confidential questions, such as police officers or tax officials.

To sound more legitimate, the attacker often asks the victim to 'confirm their identity', which is exactly how the attacker collects the details they are after.

All sorts of sensitive information is gathered through these attacks, including social security numbers, home addresses, phone numbers and bank account credentials.

Phishing

Phishing is the best-known type of social engineering attack.

The attacker targets the victim through different channels; emails and fake websites whose URLs closely resemble the real ones are the usual tools.

Phishing scams are mostly initiated by impersonating an organisation that is well known to, or used by, the victim.

Victims are encouraged to open links that download malicious software or that lead to a page asking them to reveal sensitive information.

Let's say you receive an email that appears to come from an organisation you deal with often, so you do not look closely at the sender's address or the link and just proceed to open it without any precautions.

It tells you the privacy policy has changed and that you must change your password by visiting the link embedded in the email.

You do exactly what the email asks.

Congratulations, you just played yourself.

The attackers have thought of everything that might deceive you, which is why they succeed at manipulating people into doing what they want.

Scareware

Scareware is software, or more often a web page, that makes the victim think their system is under attack or infected with malware.

It then asks the individual to download specific software to remove the 'malware'.

That software contains no fix; rather, it is made to disrupt more of your computer system, or simply to extract payment for a useless product.

A common example of scareware would be those popup websites that display threats on your browser screen like: “Your computer is infected, please download the software below to remove it.”

Alternatively, the popup leads you to a malicious website that starts downloading malware onto your computer.

Scareware is also spread through spam emails, which display fake threats and encourage people to buy useless services.

Ways to prevent such attacks

There are many things you can do to avoid falling into a social engineering trap.

Emails seeking your personal credentials and information are rarely legitimate; if you get one, investigate before rushing to reply, and do so through a channel you already trust, such as the phone number or website address you have used before, rather than the contact details in the email itself.

If it isn't from an organisation you know, delete it.
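Investigating a suspicious email's links, as the paragraphs above and the phishing section advise, can be partly automated. The following is an added example, not code from the original article or its author: a Python script that pulls the links out of an email body and flags the three signs of the attack described earlier, namely link text that shows one domain while the href points to another, a domain that is a near-miss of one you trust, and an internationalised (punycode) domain that can disguise look-alike characters. The trusted-domain list, the sample email and every domain in it are constructed for illustration.

```python
"""Flag phishing indicators in the links of an email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of organisations the recipient actually deals with.
TRUSTED_DOMAINS = ["example-bank.com", "example.com"]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a crude eTLD+1, adequate for .com/.net)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_link(href: str, text: str, trusted=TRUSTED_DOMAINS):
    """Return warning strings for one link; an empty list means nothing was found."""
    warnings = []
    host = (urlparse(href).hostname or "").lower()
    href_dom = registrable_domain(host)

    # 1. Visible text that looks like a URL or domain but differs from the real target.
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if match and registrable_domain(match.group(1)) != href_dom:
        warnings.append(f"link text shows {registrable_domain(match.group(1))} but points to {href_dom}")

    # 2. Punycode (xn--) labels can hide look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"internationalised domain name: {host}")

    # 3. Domain is not trusted but sits within two edits of a trusted one.
    if href_dom not in trusted:
        for t in trusted:
            if edit_distance(href_dom, t) <= 2:
                warnings.append(f"{href_dom} resembles trusted domain {t}")
                break
    return warnings


def scan_email(html: str, trusted=TRUSTED_DOMAINS):
    """Map each href to its warnings; only links with findings are returned."""
    findings = {}
    for href, text in extract_links(html):
        found = check_link(href, text, trusted)
        if found:
            findings[href] = found
    return findings


# Constructed sample of the scenario in the article: a "password reset" email.
SAMPLE_EMAIL = """
<p>Our privacy policy has changed. Please reset your password.</p>
<a href="http://example-bank.com.account-verify.net/reset">https://example-bank.com/reset</a>
<a href="http://exarnple-bank.com/login">Log in</a>
<a href="http://xn--exmple-bank-k6a.com/">Account</a>
<a href="https://example-bank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run it as a script to print the findings for the constructed email; in practice feed it the HTML part of a message you are unsure about. The resemblance check is deliberately crude (an edit distance of two or less against a short list) and is a prompt to look closer, not a verdict; the safe response to any finding is the one above: contact the organisation through a channel you already trust.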

Increase the strength of your spam filters.

Every email provider lets you adjust spam filtering to your preferences.

Some already have their filters on the highest setting.

Securing all the devices you use is also a must.

There are anti-virus programs for every platform, whether Android, Windows, Mac or Linux.

Installing one helps protect you from unwanted malware.

Keeping your operating system updated is also recommended.

Every OS releases regular updates, many of which patch security vulnerabilities.

You do not want to miss out on such crucial updates.

Most importantly, browser pop-ups that imitate malware alerts or the Windows 'Blue Screen of Death', or that tell you to call a helpline, are fake.

Remember, a genuine warning comes from your operating system or your security software, not from a web page: if the 'alert' disappears when you close the browser tab or the browser, it was only a web page.

Large technology companies will not contact you individually to fix a problem on your computer; doing so would be far too expensive and time-consuming.

Instead, they release security updates to patch the vulnerabilities.

* Peter Buttler is an information security journalist and tech reporter.

This article first appeared at thenextweb.com.
