How Does Social Engineering Work?

Social engineering occurs when an attacker deceives or manipulates a user into providing confidential or personally identifiable information (PII) for fraudulent purposes.

Social engineering can take many forms. The following describes the most common ones.

Phishing is carried out by sending fraudulent emails purporting to be from a reputable company in order to induce individuals to provide credit card numbers, usernames, passwords, Social Security numbers (SSNs) and any other PII.

Spear phishing is the act of sending emails that appear to come from a known sender for the purpose of inducing users to reveal confidential information and PII. Attackers personalize the email, impersonate specific senders and use other techniques to bypass traditional email defenses. The goal is to fool users into clicking a link or opening an attachment. The attachments usually contain malware that infects the user's device and harvests financial or other personal information in order to commit fraud.
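The indicators described above (a trusted display name on an unfamiliar address, a lookalike domain, urgency in the subject) can be scored automatically before a message reaches the user. The following is an added triage example, not code from the original post; the sample message, the trusted-sender directory and the domain names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a spear-phishing message impersonating a known colleague.
SAMPLE_EMAIL = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent: wire transfer before 5pm
Content-Type: text/plain

Please review the attached invoice and confirm today.
"""

# Hypothetical directory of trusted senders (display name -> real address).
KNOWN_SENDERS = {"Dana Reyes": "dana.reyes@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"      # assumed organisation domain
URGENCY_WORDS = ("urgent", "immediately", "today", "before")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw, known=KNOWN_SENDERS, domain=INTERNAL_DOMAIN):
    """Return (score, findings) listing sender-impersonation indicators."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name matches a known contact, but the address does not.
    if name in known and addr.lower() != known[name].lower():
        findings.append("display name matches a known sender but the address differs")
    # 2. Sender domain is within two edits of ours without being ours (e.g. 'l' -> '1').
    if sender_domain != domain and edit_distance(sender_domain, domain) <= 2:
        findings.append(f"lookalike domain: {sender_domain}")
    # 3. Urgency cue in the subject line, a classic pressure tactic.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency cue in subject")
    return len(findings), findings
```

A score of 2 or more on the constructed sample would justify quarantining the message for review rather than delivering it.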

Some common forms of social engineering are:
  • Whaling is phishing aimed at corporate executives, politicians or celebrities. It uses emails and highly customized websites that often contain the target's name, job title or other relevant information obtained from a variety of sources.
  • Vishing is the practice of making phone calls or leaving voice mails while pretending to be from a reputable source or company in order to persuade users to reveal PII.
  • Tailgating, also known as piggybacking, takes place when an individual closely follows another person who has gained authorized entry to a restricted area in order to pass a checkpoint.
  • Impersonation is a tactic in which the attacker pretends to be someone the user is likely to trust or comply with, so that the user divulges confidential information or PII. A common example is an attacker posing as a member of the IT department and contacting an employee to request the MAC address of that employee's device.
  • Pretexting occurs when an attacker phishes for bits of PII from the user under the guise of confirming the user's identity. The attacker typically poses as an agency or company and claims to need to confirm the user's identity to prevent fraud, when in fact they intend to use that very information to perpetrate fraud against the user.
  • Dumpster diving occurs when an attacker goes through discarded items to retrieve information. For example, discarded paper documents or hard drives can give an attacker access to computer networks or to users' PII.
  • Shoulder surfing is a type of social engineering in which an attacker uses visual spying techniques to obtain a user's PII.
  • A hoax is a form of social engineering employed by an attacker to scare or deceive recipients into sending or forwarding the message to their contacts. The email or message typically appears to come from a reputable source and usually directs the user to undertake certain actions.
  • A watering hole attack occurs when the attacker compromises a specific group of end users by infecting websites that those users are likely to visit. For example, attackers used the US DOL website to gather information on users by targeting visitors to pages with nuclear-related content.

There are several principles that explain why social engineering is effective. They are as follows:

  • Authority - people tend to respect and listen to those who have authority.
  • Intimidation - a form of social engineering that relies on bullying tactics, sometimes combined with the attacker impersonating someone else.
  • Consensus - attackers create fake reviews or websites to promote a product or service that contains hidden viruses or Trojans. For example, the attacker may post fake testimonials for a product or service; the user reads them and downloads the software.
  • Scarcity - the attacker threatens the user with a short supply of something the user wants or needs.
  • Familiarity - attackers make themselves familiar to users in order to gain their trust and eventually gain access to systems.
  • Trust - the attacker exploits the user's natural inclination to trust. Attackers take advantage of users' naivety or lack of security awareness to obtain access they would normally be unable to get.
  • Urgency - the attacker exploits users' inclination or empathy to correct a problem or situation quickly.

The common element in social engineering is an attacker preying on human nature, trust or a fabricated urgent scenario. The best way to avoid becoming a victim of social engineering is to use common sense and to avoid providing personal information when you are unsure of the source or authenticity of a call or email message.
