Social Engineering

Social engineering is a manipulation technique that exploits human error to gain access to private information, systems or valuables. Unsuspecting users are lured into exposing data, spreading malware infections or giving access to restricted systems. This can happen online, in person or through other interactions.

99% of cyberattacks use social engineering to trick users into installing malware.

Humans are the weakest link in the security chain.

Goals of social engineering attackers

  1. Sabotage: disrupting or corrupting data, causing harm or inconvenience.
  2. Theft: obtaining valuable information, access or money.

Social engineering steps

  • Investigation/preparation: gathering background information on the target or on a larger group the target is part of.
  • Infiltration/hook: establishing a relationship or initiating interaction and building trust.
  • Play/exploit: once trust is established and a weakness identified, advancing the attack.
  • Exit/disengage: closing the interaction without arousing suspicion, having achieved the desired action.

Since social engineering relies on persuasion and confidence, victims are misled through:

  1. Heightened emotion (such as fear, excitement or curiosity), causing them to take irrational or risky actions.
  2. Urgency: time-sensitive opportunities or needs that seem to require immediate attention.
  3. Trust: the attacker appears credible because they have taken the time to research the victim.

Examples:

  • Phishing: mostly by voice, SMS or email, all purporting to be from a legitimate source.
  • Baiting: abuses the victim's natural curiosity to expose them to an attacker, e.g. USB drives containing malware left in public spaces, which the victim picks up and plugs into the corporate environment, or email attachments promising details of a free offer.
  • Physical breach attacks: attackers pose as someone legitimate and gain access to areas or information they are not authorized for.
  • Tailgating/piggybacking: following an authorized staff member into a restricted-access area.
  • Scareware: also known as fraudware, deception software or rogue scanner software. This is malware that frightens the victim into taking an action, e.g. a warning of a fake malware infection or that their account has been compromised.

Fighting Social Engineering

  • Safe communication and account management habits. Take care especially with online communications, social media, email and text messages.
  • Never click links in emails and messages; verify every URL to ensure it is legitimate, and type the URL instead of clicking.
  • Use multi-factor authentication, especially on online accounts.
  • Use strong, unique passwords and preferably a password manager to store and remember them safely.
  • Be very cautious when building online-only relationships.
  • Do not allow strangers to connect to your primary Wi-Fi network, and use a VPN.
  • Keep all your software up to date as soon as updates are available.
  • Use internet security software.
  • Don’t leave your devices unsecured in public. Lock computers and mobile devices at work.
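The advice above to verify every URL before trusting it can be made into a repeatable check rather than an eyeball test. The Python helper below is an added example, not code from the original post: it flags the tricks most often used in phishing links (raw IP hosts, punycode look-alike domains, credentials hidden before an "@", a trusted brand used as a subdomain of an unrelated domain, and link text that shows one domain while the target is another). The trusted-domain list is a constructed assumption, and the registrable-domain heuristic is deliberately simplified.

```python
"""Link-verification helper (added example; not from the original post)."""
import re
from urllib.parse import urlsplit

# Constructed assumption: domains the organisation treats as legitimate.
TRUSTED_DOMAINS = {"example.com", "bank.example"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    This is a simplification; a production check would consult the
    public suffix list so that e.g. 'example.co.uk' is handled correctly.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, display_text: str = "") -> list[str]:
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    # Only web links are expected in mail; anything else deserves a look.
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        findings.append("plain http, no TLS")

    # 'https://example.com@evil.net/' really points at evil.net.
    if parts.username or parts.password:
        findings.append("credentials embedded before '@' in URL")

    # Legitimate services almost never link to a bare IP address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")

    # Internationalised names are encoded as xn--...; a classic homograph vector.
    if "xn--" in host:
        findings.append("punycode (IDN) hostname, possible homograph")

    # A trusted name appearing as a subdomain of something else
    # ('example.com.login-verify.net') is a common look-alike pattern.
    dom = registrable_domain(host)
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(
                    f"trusted name '{trusted}' used as a subdomain of '{dom}'"
                )

    # If the visible anchor text itself looks like a URL, its domain must
    # match the real target domain.
    m = re.search(r"https?://([^/\s]+)", display_text)
    if m:
        shown = registrable_domain(m.group(1).lower())
        if shown != dom:
            findings.append(f"link text shows '{shown}' but target is '{dom}'")

    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    samples = [
        ("https://secure.example.com/login", ""),
        ("http://192.168.0.10/reset", ""),
        ("https://example.com.login-verify.net/", "https://example.com/account"),
        ("http://example.com@evil.net/", ""),
        ("https://xn--pple-43d.com/", ""),
    ]
    for href, text in samples:
        result = check_link(href, text)
        print(href, "->", "OK" if not result else "; ".join(result))
```

Run it as a script to see each sample classified, or import `check_link` into a mail-filtering or user-reporting tool. The point of the example is that the check is mechanical: a user who cannot tell `example.com.login-verify.net` from `example.com` at a glance still gets a clear finding.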
