How Does Social Engineering work?



Social engineering occurs when an attacker deceives and or manipulates a user into providing confidential and personally identifiable information (PII) the for fraudulent purposes. 

There are various ways that social engineer can occur. The following list the various types of forms of social engineering. 

Phishing is achieved by sending fraudulent emails purporting to be from a reputable company in order to induce individuals to provide credit card numbers, usernames, password, SSN and any other PII. 

Spear phishing is act of sending emails from a known sender for the purpose of inducing users to reveal confidential information and PII. An example of this is when, Attackers personalize an email and impersonate specific senders and use other techniques to bypass traditional email defenses. The purpose is to fool users into clicking a link or opening an attachment. The attachments usually contain malware that affects the user’s device and obtains financial and or other personal information in order to commit fraud. 

Some common form of social engineering are :
  • Whaling can be a form of phishing emails and highly customized websites that often contain the user’s name, job title or other relevant information obtained from a variety of sources that target corporate executives, or politicians, or celebrities. 
  • Vishing practice is the practice of making phone calls or leaving voice mails pretending to be from reputable sources or companies in order to persuade users to reveal PII. 
  • Tailgating  is also known as piggy-backing, takes place when an individual closely follows another person, who has gained authorized entry to a restricted area, in order pass a certain checkpoint.  
  • Impersonation  is a tactic used by an attacker, who is pretending to be someone the user is are likely to trust or comply with and divulge confidential or PII. A great example is when an attacker contacts an employee of a company requesting the mac ID of that employees device by impersonating someone in IT department. 
  • Pretexting  occurs when an attacker phishes for bits of PII from the user to confirm their identity. Attacker will typically pose as some sort of agency or company and say they need to confirm the identity of user to prevent fraud, when in fact they intend to use this very information to perpetrate fraud against the user. 
  • Dumpster diving occurs when an attacker goes through discarded items to retrieve information.  For example, attackers can use paper documents and or Hard drives to gain access to computer networks and or users PII. 
  • Shoulder surfing is a type of social engineering where an attacker uses visual spying techniques to obtain a users PII. 
  • Hoax  is a form of social engineering employed by an attacker to scare and or deceive users/recipients in order to get users to send and or forward the information to their contacts. The email or message typically looks like it is from a reputable source and is usually Direct the user to do undertake certain acts. 
  • Watering hole attack  occurs when which the attacker compromises a specific group of end users by infecting websites that users would likely visit. For example,  attackers used the us DOL website to gather information on users' information by  targeted users who visiting pages with nuclear-related content.

There are several principles or reasons by social engineer is effective.  Those reasons are as follows:

  • Authority - people tend to respect and listen to people who have authority. 
  • Intimidation is a form of social engineering through bullying tactics, and it is sometimes combined the attacker with impersonating someone else. 
  • Consensus - occurs when attackers create a false or fake reviews and or websites to promote a product or service that contains hidden viruses or Trojans. For example, the attacker may make fake testimonials for a product and service, the user will read this information and download the software. 
  • Scarcity - attacker threatens a user with a short supply of something a user wants it needs. 
  • Familiarity - attackers make themselves familiar with users in order to get users trust and eventually gain access to systems. 
  • Trust - attacker exploiting user’s nature to trust. Attackers take advantage of users' naivety or lack of security awareness to provide access to an attacker, who would normally be unable to access to the system.
  • Urgency - attacker exploiting users’ inclination or empathy to correct a problem or situation. 

The common element in social engineering is an attacker preying on users human nature, trust or an fabricated exigent scenario. The best way to avoid being a victim of social engineering is to use common sense and avoid providing personal information if you are unsure of the source or authenticity of the call or email message.

Comments

Post a Comment

all comments to this blog are moderated

Popular posts from this blog

Sample Privacy Risk Assesment Example and Explanation

Image
Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIAs can reduce the risks of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design ( PbD ) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new, in fact the process has been used by a number of companies, entities and governments for over forty years now.  The PIA was created by the United States Office of Technology Assessment. The U.S. office of Management and Budget (OMB) publishes guidance on the implementation the privacy provisions by Federal Agencies under E-Government Act of 2002, including when to conduct a PIA. Under GDPR,  PIAs have become a centerpiece and necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o
Read more

Preserving User Privacy in Digital Advertising: Navigating Consent and Privacy by Design

  By Victorianne Musonza #privacy-by-design #digitaladvertising #dataprivacy #CCPA #GDPR In the ever-evolving world of digital advertising, user consent, and data privacy should be an afterthought but rather something that is built into the design. As companies strive to engage consumers effectively, it is important to address these issues and implement robust mitigation strategies, all while embracing the concept of privacy by design. User consent is a major focus for data privacy in digital advertising. Consumers must have clear, transparent information about how their data is collected, used, and shared. By obtaining explicit consent, companies can establish trust and ensure that users are aware of the purpose and extent of data processing. This consent should be easily accessible, providing users with options to manage their preferences and exercise control over their personal information. However, obtaining mere consent is not enough; organizations must prioritize data privacy mit
Read more

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country where the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model clauses are one of the many mechanism that can use used for cross border transfers . Model Clauses (Also known as Standard Clauses) are contractual clauses that are generally drafted and adopted a Data Protection Authority (DPA).  The Commission (One of the many EU governmental bodies) may also adopt Model Clauses, but have yet to do so. MCs set out the duties and obligations for both Controllers and Processors.  There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs maybe used by unrelated entities. MCs do not require approval by the DPA.  MCs can not be altered and tailored.
Read more