Social engineering is essentially the act of manipulating people into giving up access to confidential information or areas, rather than using force or technical hacking. The information attackers seek can be anything from passwords to bank details, or even employee records from businesses. These attacks are so popular with cyber-criminals simply because they are easier: for example, it takes less time and skill to trick a person into telling you their password than to crack it. On top of this, security measures such as firewalls can’t protect you if you willingly click on a malicious link, thinking it’s from a trusted source.
Common Social Engineering Tactics:
- Phishing
Phishing scams are probably the most frequently used social engineering tactic, typically using emails to obtain personal data such as names, addresses and bank details. Attackers obtain this information by posing as a known, trusted entity.
For example, a phishing attack could be an email that appears to come from Amazon, telling you that an expensive order has been placed through your account and to click a link if you did not make the purchase. Many people wouldn’t give it a second thought once they see a recognisable banner and a somewhat realistic email address, quickly clicking the link for fear of losing all that money, but there are some simple tricks for identifying a phishing email if you read it carefully.
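Several of the tell-tale signs in an email like the Amazon example (a recognisable brand in the display name but an unrelated sending domain, urgency language, and a link whose visible text does not match where it really points) can be checked mechanically. The following is an added example, not code from the original article; the sample message, the brand-to-domain table and the signal wording are all constructed for illustration.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name says Amazon, the
# sending domain does not, and the visible link text differs from the real target.
PHISH = """\
From: "Amazon Orders" <orders@amazon-secure-billing.example>
Subject: URGENT: Your order of $1,299.00 has been confirmed
Content-Type: text/html

<p>If you did not make this purchase, act immediately:
<a href="http://amazon-secure-billing.example/verify">https://www.amazon.com/orders</a></p>
"""
# Constructed table of brands and the domains they legitimately send from.
KNOWN_BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now)\b", re.I)
# Good enough for simple generated HTML; use html.parser for arbitrary mail bodies.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Last two labels of a hostname; adequate for the sample domains."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_signals(raw):
    """Return the red flags found in a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg["From"])
    sender, body = registrable(addr.split("@")[-1]), msg.get_content()
    # 1. Recognisable brand in the display name, but an unrelated sending domain.
    flags = [f"display name claims '{b}' but sender domain is {sender}"
             for b, ok in KNOWN_BRANDS.items() if b in name.lower() and sender not in ok]
    # 2. Urgency language designed to make the reader click before thinking.
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(body):
        flags.append("urgency language pressuring the reader to act")
    # 3. Link whose visible URL names one domain while the href goes elsewhere.
    for href, text in ANCHOR.findall(body):
        target = registrable(urlparse(href).hostname or "")
        shown = registrable(urlparse(text.strip()).hostname or "") if "://" in text else None
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    return flags
```

Running `phishing_signals(PHISH)` reports all three signals for the sample; the same message with a genuine sending domain, no urgency wording and a matching link produces none.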
- Pretexting
Pretexting is another social engineering technique that uses a fabricated scenario to manipulate the victim, allowing the attacker to steal their private and personal information. A common pretexting tactic is asking the target for a few critical pieces of information to ‘confirm their identity’.
This all sounds very similar to phishing, but the key difference is that phishing attacks often use urgency to scare the victim into quickly clicking the malicious link – like the example above – whereas pretexting attacks rely on gaining the person’s trust, often requiring complex backstories and more of a back-and-forth conversation.
- Baiting
What separates baiting attacks from other social engineering techniques is the promise of an item or good to lure the victim into sharing the information the scammer wants. The ‘lucky winner’ might be promised free music or movie downloads, for example, but as soon as they download that file their computer is compromised; or they might be required to give their login details for a certain site before being allowed to claim their prize.
Baiting attacks aren’t restricted to the online world either: in 2006 Steve Stasiukonis – founder of Secure Network Technologies Inc – ran something of a test on one of their clients, leaving USB drives infected with a Trojan around the company’s car park. Many of the employees gave in to their curiosity and plugged a drive into their computer, activating a keylogger that gave Steve access to their login details.
- Quid Pro Quo
Quid pro quo attacks are very similar to baiting in that they promise a benefit in exchange for information; the difference is that the benefit is usually some kind of service rather than a good or item, as with baiting.
A common technique is to impersonate an IT specialist for a large company and call as many numbers belonging to that company as can be found, offering a quick fix or upgrade to anyone who answers. The scammer then instructs the victim to temporarily disable their anti-virus in order to install whatever fix or software update was promised – at this point the attacker is free to install malware and take whatever information they wish.
- Tailgating
Tailgating – also known as ‘piggybacking’ – involves the attacker gaining access to a restricted area by simply following an employee who has the required authorisation. An example of this tactic is an attacker impersonating a delivery driver or postman with their hands full of packages; the attacker then waits for an employee to open the restricted door and simply asks them to hold it.
This type of attack is harder to carry out in buildings with stronger physical security, such as swipe cards or complex door codes, so smaller companies are the typical targets.