Social engineering is a type of manipulation that exploits human psychology, rather than technical hacking techniques, in order to gain unauthorized access to a computer system. In this post, we will focus on the three things social engineering is the art of, its attack techniques and its prevention methods.
Social Engineering Is The Art Of What Three Things?
Social engineering attackers take advantage of people's weaknesses and trust, and influence individuals to visit a vulnerable website or click a malicious link.
So, social engineering is the art of what three things? They are as follows:
In the context of information security, social engineering is the art of psychological manipulation. Psychological manipulation is a type of social influence, or skillful control by the attacker, that aims to change the behaviour of victims.
It uses tactics such as psychological abuse, brainwashing and emotional blackmail so that victims give up their sensitive information. It is also known as emotional manipulation.
Influencing is the second art of social engineering, and it is what affects others (the victims). Social engineering influences victims using various tactics, gains the victim's trust, and then obtains unauthorized access to sensitive information and resources.
The last essential art of social engineering is deceiving, where the attacker sends an authentic-looking message to the victims. The message appears to come from one of your trusted service providers or from your office, and asks you to send personal information.
The message prompts victims to provide personal information such as usernames, passwords, credit card information and network credentials.
The attacker also provides a link which redirects victims to a malicious website that captures their sensitive information and login credentials.
Social Engineering Attack Techniques
Above, we have clearly defined what three things social engineering is the art of. Now, we will explain social engineering attack techniques.
There are a few social engineering attack tactics, all of which involve human interaction. The most common social engineering attack methods are as follows:
Phishing
Phishing is the most common social engineering attack, in which the attacker gains unauthorized access to sensitive and confidential information such as usernames, passwords, credit card information and network credentials.
The most common phishing techniques are as follows:
Phishing Technique 1
In this technique, the attackers send victims an email that appears to be a trusted message and asks the victim to send their personal information.
Phishing Technique 2
In this technique, attackers send victims an email containing a URL. The link looks almost legitimate, but hovering over it reveals that it redirects to a vulnerable website.
The redirection site contains a serious vulnerability or a malware script that gathers personal information without the victim's knowledge.
3. Spear Phishing
Spear phishing is another social engineering attack that attempts to gain unauthorized access and steal sensitive information from a specific victim.
Spear Phishing Technique
In this technique, the attacker sends an email or message to the victim containing the victim's personal data, such as name, designation, email, contact number and address.
This personal information is included to gain the victim's confidence, so that the attacker can compromise and access the confidential information they are looking for.
4. CEO Fraud
CEO fraud is a type of email-based phishing attack in which the attacker poses as a senior executive of your company to gain access to sensitive data or steal funds or login credentials.
CEO Fraud Technique
In this technique, the attacker sends an email using the name of your company's CEO but from a different email address.
The domain of the attacker's email address is very similar to your company's email domain, differing by only a few letters, such as cyberthratprtal.com instead of cyberthreatportal.com.
The main target of CEO fraud phishing is the company's finance department.
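As an added example that is not part of the original post, the following Python script checks an incoming email for the two indicators described above: the look-alike sender domain used in CEO fraud (cyberthratprtal.com in place of cyberthreatportal.com) and the Phishing Technique 2 link whose visible text differs from the address it actually points to. The company domain, the executive name, the edit-distance threshold and the sample message are assumptions constructed for this demonstration.

```python
"""Added example (not from the original post): flag a look-alike sender domain
(CEO fraud) and a link whose visible text hides its real destination
(Phishing Technique 2). All names and the sample message are constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "cyberthreatportal.com"   # assumption: the reader's own mail domain
EXECUTIVE_NAMES = {"jane doe"}             # constructed: display names attackers borrow
LOOKALIKE_MAX_EDITS = 3                    # assumption: how close counts as a look-alike


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_findings(display_name, address):
    """CEO-fraud checks: near-miss domain, or an executive's name on an external address."""
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    if domain != COMPANY_DOMAIN:
        d = edit_distance(domain, COMPANY_DOMAIN)
        if d <= LOOKALIKE_MAX_EDITS:
            findings.append(f"look-alike sender domain {domain} "
                            f"(edit distance {d} from {COMPANY_DOMAIN})")
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            findings.append(f"display name '{display_name}' matches an executive "
                            f"but the address is external")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body):
    """Phishing Technique 2 check: anchor text that looks like a URL for one host
    while the href really goes to another host."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_url = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown_url).hostname or "").lower()
        # only anchor text that itself reads as a hostname is compared
        if "." in shown_host and " " not in shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but href goes to {real_host}")
    return findings


def analyse(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    findings = sender_domain_findings(name, addr)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


# Constructed sample: the CEO-fraud message from the text, with a disguised link.
SAMPLE = """From: Jane Doe <jane.doe@cyberthratprtal.com>
To: finance@cyberthreatportal.com
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve this payment today:
<a href="http://payments.example.net/approve">https://cyberthreatportal.com/payments</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("FLAG:", finding)
```

Run against the constructed sample it reports three findings: the two-edit look-alike domain, the executive display name on an external address, and the link whose text names cyberthreatportal.com while its href goes to payments.example.net. A mail gateway or a user-facing "report phishing" add-in could apply the same three checks; the edit-distance threshold should be tuned to the length of your own domain so that unrelated short domains are not flagged.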
Vishing
Vishing is a social engineering attack whose name combines 'voice' and 'phishing'. We have already discussed phishing attacks.
A vishing attack is the illegitimate access of data via VoIP (Voice over Internet Protocol). It can be conducted through regular phone calls or voice mail, requesting the victim's bank account details and also asking them to pay some money.
It is very difficult to trace a vishing attack because it takes place within a very short time.
There are several ways a vishing attack can happen. One of the common techniques is as follows:
For example, you receive a phone call with the following message:
“Your account has been compromised. Please call this number to reset your password”.
The vishing perpetrator (visher) hopes that you will panic after hearing the above message.
When you call the number, the visher is not there; instead you hear an automated recording informing you that your bank account has been compromised and asking for information such as bank account numbers and other sensitive details.
Pretexting
Pretexting is another social engineering technique in which attackers focus on creating a convincing pretext, or fabricated situation, for the purpose of obtaining sensitive information from victims.
Typically, faith or trust is one of the most significant aspects of social engineering, so a strong pretext is an important element in creating trust.
That is why, to build trust with victims, pretexters (criminals) may impersonate survey firms, police officers, bankers, tax authorities, insurance companies and audit firms.
Pretexters use different strategies to steal victims' personal information. For example, a pretexter may call a victim posing as a police officer and ask the victim some questions.
In these attacks, the pretexter usually says they need some personal information to verify the victim's identity.
The personal information may be Social Security numbers (SSN), usernames, passwords or other sensitive information.
If the victim provides this information, the pretexter uses it to launch secondary attacks.
Baiting
Baiting is another type of social engineering that uses a false promise of a product to attract the victim's interest. The attackers bait users into a trap and then steal the victim's sensitive information or damage their systems with malware.
In this case, the baiter (cyber-criminal) leaves a malware-infected flash drive in eye-catching areas where victims can easily find it, such as bathrooms, elevators, the reception desk and the parking lot of a targeted company.
When curious users plug it into their system and open the flash drive, their system is compromised by the attacker.
Tailgating
In a tailgating attack, an attacker seeks entry to a confined area where access is controlled by an electronic access control system (e.g. RFID card), and the attacker has no proper authentication.
The main focus of this type of social engineering is for the attacker to gain unauthorized physical access to a restricted area.
The attacker can simply walk in behind an authorized person who has access to that area. In this case, the attacker impersonates a delivery person carrying parcels and waits until a legitimate employee opens the door.
When the employee opens the door, the attacker asks the employee to hold the door so they can enter the company.
Social Engineering Prevention
We have already discussed what social engineering is, what three things it is the art of, and its attack techniques.
Now, we will focus on how to prevent social engineering. Here are some useful tips to protect yourself from social engineering.
1. Never Provide Personal Information
Do not share your personal or organizational sensitive information, such as login credentials, network information and credit card details, over the internet, in order to protect yourself from social engineering.
If you want to secure your personal information from phishing and malware attacks, then you should apply the following useful tips:
First, check whether the website is trusted or not.
Do not provide your information on unknown sites.
Do not share your login credentials with others.
Use strong and unique passwords.
Do not use the same password for multiple accounts.
2. Delete Suspicious Email And Do Not Click
A suspicious email may contain a virus or malware, or redirect you to a phishing website to steal your sensitive information.
To avoid phishing emails, simply delete any that raise doubt.
Do not click on links in that type of suspicious email.
If an incoming email is suspicious, you can phone the sender directly to confirm that he/she sent it.
Or, simply delete the email; you can also mark it as spam.
3. Use Antivirus Software
Antivirus software is a program that helps protect your computer from virus and malware threats.
It is strongly recommended that you download software and apps only from trusted sources to prevent social engineering attacks. Do not download software or apps from unknown sites, because these sites may contain viruses or malware that will infect your computer.