Social Engineering: Attacking the Weakest Link

What is Social Engineering and Why It’s So Effective?

Social engineering is an art of deceiving people to divulge sought-after information in order to commit fraud, identity theft, access secured network, determine trade secrets, sales and marketing plans, customer and supplier information, financial data, or simply to disrupt business operations.

What makes social engineering so effective compared to any hacking methods is that it relies on a human error, rather than finding and exploiting vulnerabilities into the computer systems using technical hacking. This form of hacking typically happens through email, text messages, online chat and phone calls.

With advancements in technology and modern security systems in place, hackers can’t break into systems easily, that’s why they will target the weakest link in the security chain – the user. It will be much easier for them to trick someone to extort confidential information such as passwords, bank information, credit card number, and access to secure building using psychological manipulation tactics.

World’s most notorious hacker Kevin Mitnick helped popularised the term ‘social engineering’ in the 90’s and he even wrote a book called “The Art of Deception” that contains real stories and explanations why each attack was so successful and how it could have been prevented.

Types of Social Engineering Attacks

There are different social engineering techniques used by hackers to manipulate their target such as the following:

There are many social engineering tactics depending on the medium used to implement it. The medium can be email, web, phone, USB drives, or some other thing. So, let’s tell you about different types of social engineering attacks:

There are generally two major types of social engineering attacks: remote and onsite/in-person.

Remote Attacks (Phishing)

Phishing is one of the most popular social engineering tactics used by attackers to get sensitive information from their target. It is usually done via email, text messages and even phone calls.

Email attacks

Attackers will send a well-crafted email with a deceptive subject line to trick the recipient that the email has come from a trusted source. The email also contains seemingly legitimate documents, logos, contact details and a link to a cloned website to fool the victim.  The objective of this attack is to create a sense of urgency, requiring immediate action from the user such as a request for a password change or update their personal information using the link sent by the attacker. Upon completion, the details will be sent to the attacker.

Phone Call Attacks (Vishing)

A social engineer who attacks over the phone often called as “vishing” for voice phishing, usually pretends to be someone, e.g., account holder, business partner, staff or a trusted provider of your organisation. They usually undergo a series of preparation to gather necessary background information before making the call to avoid being suspicious.

Spear Phishing

This social engineering attack has the highest success rate as users are selectively targeted. Perpetrator will send personalised spear phishing emails or will make a phone call on target users based on job title, technical skills, etc. The attacker will pretend to be a colleague within the organisation or an IT consultant and deceives the target to steal personal information.  Spear phishing attacks require months of preparations making them harder to detect and have better success rates compared to the usual phishing scams.

Scareware

Scareware manipulate users through fear and deceives them with annoying false alarm notifications to think their system is infected by a malware, and then it will suggest to buy and download a fake antivirus software to get rid of it. The truth is, the antivirus was actually a potentially dangerous software that once installed can steal your personal information. This social engineering attack can be usually found while browsing the internet, while some are distributed via emails. Rogue security software and crypto miner lock are two of the most popular scareware tactics used by cyber criminals.

In-person/Onsite Attacks

In-person social engineering techniques are less common than remote attacks, yet they’re very effective because businesses usually focus on IT security and completely ignored physical threats.

Shoulder Surfing

Shoulder surfing is a physical social engineering attack that uses direct observation technique to steal information.  The attacker simply stand next to someone and watch closely as they type their login credentials or PIN number at an ATM.

Tailgating

Tailgating is another on site social engineering technique used by attackers seeking entry to restricted areas where biometrics, RFID card, or any electronic access control is present. The attacker waits for the perfect opportunity to walk in behind an authorised person or simply determine when the next schedule of air-con cleaning is due and dressed like one of them to get past the front desk successfully.

Key Loggers

Hardware and network devices often need technical services and hackers often take these chances. They will impersonate a third-party on site tech support and install key logger on shared computer systems to obtain usernames and passwords. This will enable them to have access right and control the workstations remotely.

Baiting

Baiting is the equivalent of a Trojan horse in social engineering. The attacker will leave a malware infected flash drive in a public place, hoping someone to pick it up and plug into their computers.  Distributed USBs are usually labeled as “Confidential” or “Salary info” to entice the victim on using it, giving access rights to the hacker when opened. Online baiting is also used by hackers, where they entice users to receive free goods online in exchange of their personal information.

How to Prevent Social Engineering Attacks

• Educate everyone in your organisation about social engineering techniques by providing adequate trainings and seminars.
• Review company policies and existing processes on handling transactions and important business activities to ensure standard operating procedures are followed.
• Set your email spam filters to high and periodically monitor spam folder to see if important emails are caught accidentally.
• Verify sender’s email address by going directly to their site and be suspicious of any unsolicited emails.
• Increase security of your devices by installing important system updates and keeping your antivirus updated.
• Enable Multi-factor authentication (MFA), Two-factor authentication (2FA) or two-step verification on your online accounts for additional layer of security.
• Always check if you’re accessing the correct website URL. Online banking websites are using extended validation SSL that proves the legal entity of the website.
• Email or text messages with instructions how to claim your prize or money from unknown relative are guaranteed to be a scam.
• Download files only from trusted websites and always scan the files using your updated antivirus. File attachments from unsolicited emails are potentially dangerous.
• Be wary of tempting offers that you will encounter online such as free online giveaways.
• Be aware of your surroundings for possible onsite attacks.

Anyone can be targeted by these social engineering attacks. The size or industry of your business doesn’t matter, as there’s always a risk involve when your information is available in the internet. Save yourself a headache by educating everyone in your organisation on how these attacks are perform and how to prevent it from happening. Need a security audit for your business? Contact us today!