Dear Valued Member,
Your account has been blocked due to the number of invalid login attempts. To regain access please reply with your account number and your date of birth for verification purposes.
We apologize for any inconvenience this may cause as we work to enhance your personal experience.
Above is a social engineering tactic.
What is Social Engineering?
Social Engineering is the art of psychological manipulation to trick users into divulging confidential information or taking a compromising action. The ideology behind social engineering is to take advantage of the victim’s natural tendencies and emotional reactions. Once the data is obtained, it is used to gain access to systems and carry out actions that include stealing the victim’s identity and valuables.
How does Social Engineering Work?
Social engineering is popular and highly efficient. Attacks can occur in person, over the phone and Internet, and via email. The attacks of social engineers rely on communication between the victims and themselves.
According to Kaspersky.com, Social engineer’s attack cycles give way for successful deception. This cycle includes:
- Preparing by gathering background information on the victim or a larger group.
- Infiltrate by establishing a relationship or initiating interactions by building trust
- Exploit the victim once trust and weakness are established.
- Disengage once the user has taken the desired action
The process can take place from a single email or over months in social media chats. Social engineers can masquerade as legitimate employees to gain access to sensitive information.
illustration of the Social Engineering Life Cycle (n.d) https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/social-engineering.png
Social Engineering Principles
Many principles enable social engineering. These include but are not limited to:
- Authority – Convincing the victim that they are interacting with a person in authority, so they are less likely to question the requests made. Examples of positions of authority can be HR, Law Enforcement, or Technical Support.
- Intimidation – While authority can be a source of intimidation, it can also come in the form of threatening or guilt-tripping, which makes the victim believe that they have no choice but to do what is demanded.
- Consensus or Social Proof – Asking for information and utilize cunning information such as “they obtained it last week from a colleague and an update is needed” to evade red flags. The victim does not want to be as odd or acting differently and supplies information.
- Scarcity – Convincing the victim that a limited supply of a service or goods is available.
Example: While the CEO is in an important meeting, a caller informs the secretary that their domain name needs to be renewed in the next 30 minutes for $USD50 or the company will lose it. Without the domain name, the company website and email addresses will not operate. Because the secretary cannot disturb the CEO, the purchase for the domain name renewal is made.
- Urgency – Convince the victim that time is of the essence. If the victim does not do something immediately, the consequences will be dire. This principle can work alongside scarcity as they have to act quickly and don’t think things through.
- Familiarity / Liking – Social Engineers make themselves familiar to their victims and interact with them frequently, so trust is established. Once familiar with them, mental guards will most likely be lowered, and infiltration can occur.
- Trust – Once trust is gained with the victim, it is easy to exploit them.
Types of Social Engineering Attacks
- Phishing – Attackers pretend to be a trusted individual or institution to persuade the victim to expose sensitive information.
- Tailgating – The attacker receives entry to a restricted area by walking behind someone with authorized access to the area.
- Watering Hole – Injecting malicious code into public web pages of a site the victims’ visit. Once the victim visits the compromised website, a backdoor trojan is installed on the victim’s PC.
- Pretexting – The use of an interesting scenario to capture someone’s attention to have them provide something of value.
- Scareware – The victim being bombarded with false alarms and threats. Example: A user is made to think their system is infected with malware and is prompted to install software that may be malware itself or has no benefit.
- Shoulder Surfing – Attacker watches someone over their shoulder to gain information to exploit, such as passwords or credit card numbers.
How to Protect against Social Engineering
- Don’t open emails and attachments from suspicious sources – If you don’t know the sender, there is no need to interact with the email. Never click on links in any email or message. If there is a need, investigate, and find the official URL.
- Use multifactor authentication – Using another method in addition to your password to verify your identity adds an extra layer of security.
- Be wary of tempting offers – If an offer sounds too good to be true, that might be the case. Investigating the topic before engaging can help in the discerning process.
- Keep antivirus/antimalware software updated – Having your software updated makes it harder for vulnerabilities to be exploited. Ensure automatic updates are selected.
- Do not share confidential information such as place of birth – Do not share confidential information such as place of birth, names of pets, and your parent’s last names. Disclosing that information gives way for your security questions to be easily bypassed.
- Set spam filters to high – Go in your email settings and set the spam filter to high.
References
- https://resources.infosecinstitute.com/common-social-engineering-attacks/#gref
- https://www.pandasecurity.com/mediacenter/security/social-engineering/
- https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering
- https://www.imperva.com/learn/application-security/social-engineering-attack/
- CompTIA Security+ Certification Guide by Ian Neil
Contributed by Racquel Bailey from Jamaica. Racquel is a member of WISC (Women in InfoSec Caribbean), a Discord group for Caribbean women and girls to develop a career in Information Security.
Learn more about WISC and how at wisc.g5cybersecurity.com.