Cyber Hygiene
How to protect yourself from social engineering?

December 1, 2022 · 5 min read


Welcome to CyberHygiene, my weekly newsletter, where I share tips and actionable data to help everyone stay safe online.



Social engineering is a technique used to manipulate and deceive people. Malicious actors exploit human psychology to obtain private information, access or valuables.

Social engineering attacks usually involve a series of highly-calculated steps where con artists invest weeks or months into nurturing a slow-building relationship with their victims.

The attacks are not always related to cybersecurity. Social engineers can reach out and trick you without ever having to speak a word. Social engineering attacks work just as well in person, over the phone, on social media or via email.


1. What are the most common types of social engineering attacks?


Pretexting: attackers build a convincing pretext, a fabricated scenario that they can use to steal their victims’ personal information. These attacks commonly take the form of a scammer claiming to need certain information from the target in order to confirm the target’s identity.

Baiting: baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.

Shoulder surfing: the act of looking over someone’s shoulder and writing down or memorizing their logins or passwords.

Watering hole: watering hole attacks infect popular web pages with malware in order to affect many users at a time. They require careful planning on the attacker’s part to find weaknesses in specific sites. Attackers look for vulnerabilities that are not yet publicly known or patched; such weaknesses are called zero-day vulnerabilities, and the code that abuses them a zero-day exploit.

Tailgating: an unauthorized person follows or takes advantage of an authorized person to gain entry to restricted areas. These areas require physical or electronic authentication to gain access.

Dumpster diving: attackers collect information from discarded materials such as old computer equipment (e.g., hard drives, thumb drives, DVDs, CDs) and company documents that were not disposed of securely.


2. How does a social engineering attack work?


  1. Information gathering: the attacker collects information from public sources such as Google and social media.

  2. Establishing trust: the attacker contacts and tries to connect with the targeted user on a personal level.

  3. Exploitation: the attacker obtains money, access to a system, stolen files or trade secrets.

  4. Execution: the attacker performs the final goal and exits the scam.



3. How to spot social engineering attacks?


Most social engineering attacks employ one or more of the following tactics:

  • Posing as a trusted brand

  • Posing as a government agency or authority figure

  • Inducing fear or a sense of urgency

  • Appealing to greed
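The four tactics above can be turned into a simple screening check for plain-text email. The following Python is an added example written for this article, not code from the newsletter or any mail product; the brand-to-domain table and phrase lists are constructed assumptions and would need to be much larger in practice. It flags brand posing by comparing the claimed sender (display name and subject) against the real sending domain, and the other three tactics by phrase matching.

```python
import re
from email.utils import parseaddr

# Constructed for this example (assumptions, not data from the newsletter);
# a real filter would use a much larger, curated set.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "amazon": "amazon.com"}
TACTIC_PHRASES = {
    "authority": [r"\b(irs|fbi|police|court|government)\b", r"\blegal action\b"],
    "urgency": [r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\burgent\b",
                r"\baccount (will be )?(suspended|locked|closed)\b"],
    "greed": [r"\byou (have )?won\b", r"\bprize\b", r"\bfree gift\b", r"\bclaim your\b"],
}


def _header(headers: str, name: str) -> str:
    """Return the value of the first header called `name`, or '' if absent."""
    prefix = name.lower() + ":"
    for line in headers.splitlines():
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return ""


def spot_tactics(raw_message: str) -> list[str]:
    """Return which of the four tactics a plain-text email message exhibits."""
    headers, _, body = raw_message.partition("\n\n")
    display_name, address = parseaddr(_header(headers, "From"))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    # Brand posing is judged on who the mail claims to be from (display name
    # and subject), not on brands merely mentioned in the body.
    claimed = (display_name + " " + _header(headers, "Subject")).lower()
    text = claimed + " " + body.lower()
    found = []
    for brand, real_domain in BRAND_DOMAINS.items():
        same_org = sender_domain == real_domain or sender_domain.endswith("." + real_domain)
        if brand in claimed and not same_org:
            found.append("trusted-brand")
            break
    for tactic, patterns in TACTIC_PHRASES.items():
        if any(re.search(p, text) for p in patterns):
            found.append(tactic)
    return found


# Constructed sample messages (not real mail).
PHISH = ("From: PayPal Security <alerts@paypa1-support.example>\n"
         "Subject: Unusual sign-in detected\n\n"
         "Your account will be suspended within 24 hours unless you confirm your identity now.\n")
LEGIT = ("From: Dana Lee <dana.lee@example.org>\nSubject: Lunch next week\n\n"
         "Are you free on Tuesday? Let me know.\n")
```

Running `spot_tactics(PHISH)` returns `['trusted-brand', 'urgency']`, while `spot_tactics(LEGIT)` returns an empty list; a hit is a reason to verify the sender out of band, not proof of an attack.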


4. How to prevent social engineering attacks?


1) Security awareness

  • Don’t share valuable information: never give personally identifiable information (PII) to a third party. It’s important to know what data is considered PII.

  • Be suspicious of requests for data: Any request for data should be received with caution. Ask questions and verify the sender’s identity before complying with the request.

2) Access control policies

  • Use multi-factor authentication and unique credentials for all your online accounts.

  • Be wary of downloading free apps, files, programs, software or screensavers – malicious code, like spyware (that secretly monitors what you do online) and keystroke loggers (that secretly track what you are typing) can be hidden within the downloaded file or app and used to access personal information, such as login credentials.

3) Cybersecurity technologies

  • Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place.

  • Firewalls and antivirus software can mitigate the extent of any damage done by attackers who gain access to the network.

  • Keeping operating systems updated with the latest patches can also close some vulnerabilities attackers exploit through social engineering.


5. What do you do if you think you are a victim?


  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.

  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised.

  • Watch for any suspicious charges to your account. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

  • Watch for other signs of identity theft.

  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission and the Federal Bureau of Investigation (FBI) IC3.


6. What resources are available to better understand Social Engineering?


1) Books

2) Courses

3) Documents

4) Podcasts

5) TV Show

6) Videos