Top 10 Social Engineering attacks


Social Engineering by definition

Social engineering is a set of tactics used to manipulate, influence, or deceive a victim into divulging sensitive information or performing ill-advised actions, typically in order to steal personal or financial information. When cyber-threat actors target your organisation, they research not only your business but your employees as well. They know that employees outside of IT security are less aware of cyber threats, so they execute attacks that exploit human weaknesses rather than technical ones. Through social engineering, threat actors manipulate people into giving access to sensitive information. The common methods used for social engineering are listed below.

  1. Phishing
  2. Baiting
  3. Quid pro quo
  4. Tailgating/Piggybacking
  5. Water-holing
  6. Shoulder surfing
  7. Identity theft
  8. Pretexting
  9. Honeytrap (romance scams)
  10. Scareware

1. Phishing 

“Phishing” is the most common type of cyber attack affecting organisations. It is a computer scam that uses SPAM, SPIM (spam over internet messaging) and pop-up messages to trick users into disclosing private information (Social Security Number, credit cards, banking data, passwords, etc.). Phishing can be carried out in many ways and against different audiences. Some of the common forms of phishing are:

a) Phone phishing (Voice phishing or Vishing): Voice phishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. It is sometimes referred to as ‘vishing’.

b) Email phishing: It involves gaining unauthorised access to information via email solicitation. To check for phishing, look for an unknown return address, spelling/grammar/punctuation errors, solicitation of non-public/personal information, a sense of “urgency”, a too-good-to-be-true offer, etc. Typical characteristics of a phishing email:

  • Appears to be legitimate
  • Embedded links in emails and pop-up messages
  • Often carries spyware designed to give an attacker remote control of our computer, track our online activities and capture our login details via fake websites
  • Suspicious attachment
  • Unusual request
  • Short and sweet
  • Sense of urgency, often asking you to skip the normal procedure
  • Request for credentials, payment information or other personal details

c) SMS phishing (Smishing): SMS phishing or ‘smishing’ is another form of criminal activity using social engineering techniques; in this variant, SMS is the channel used to deliver the phishing lure.

d) Spear phishing: It is a targeted attack in which an attacker creates a fake narrative or impersonates a trusted person in order to steal information or credentials that they can then use to infiltrate your network.

e) Impersonation attacks: Impersonation attacks are emails that pretend to come from a trusted individual or company in an attempt to gain access to corporate finances or data. Business email compromise (BEC), also known as CEO fraud, is a popular example of an impersonation attack.

f) CEO fraud: CEO Fraud is a type of spear-phishing email attack in which the attacker impersonates your CEO. Typically, the attacker aims to trick you into transferring money to a bank account owned by the attacker, to send confidential HR / financial information, or to reveal other sensitive information. A fake email usually describes a very urgent situation to minimise scrutiny and skepticism. The most common way in which a CEO fraud email is done is by name spoofing, in which the attacker uses the name of your CEO but a different email address.

g) Pharming: Pharming is a type of social engineering cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These “spoofed” sites aim to capture a victim’s personally identifiable information (PII) and login credentials, such as passwords, social security numbers, account numbers, and so on.

h) Whaling: A whaling attack is a targeted attempt to steal sensitive information from a company, such as financial information or personal details about employees, typically for malicious reasons. A whaling attack specifically targets senior management who hold power in the company, such as the CEO, CFO, or other executives with complete access to sensitive data.

i) Content-less emails: Content-less emails as a means of delivering malicious URLs are not new, but they remain effective because they:

  • Can bypass email security filters, because the lack of content gives the filters very little to work with.
  • Play on the recipient’s curiosity to click the link, which leads to a malicious web page or file.

j) Non-clickable URLs: Non-clickable URLs are activated when the user copies and pastes them into their browser. They are very effective at bypassing many email security filters because they are not live links.

k) Malicious file-sharing links: Attackers use popular file-sharing services such as Dropbox, Google Drive and OneDrive to host malicious and phishing files.
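The email indicators listed above (unknown return address, name spoofing of an executive, urgency language, non-clickable URLs and content-less bodies) can be turned into a simple triage check. The following is an added example, not code from the original post; the organisation domain, the list of protected executive names, the keyword list and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation settings for this example (not from the original post).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # display names an attacker would want to spoof
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|wire|overdue)\b", re.I)
# Matches live links and bare "domain/path" text that a reader could paste.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.I)

def phishing_indicators(raw_email: str) -> list:
    """Return the phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Name spoofing: an executive's display name with a non-corporate address.
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")
    # Unknown return address: replies would go to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = URL_RE.findall(body)
    # Non-clickable URLs: plain "domain/path" text still works as a link.
    for url in urls:
        if not url.lower().startswith(("http://", "https://")):
            findings.append("non-clickable URL: " + url)
    # Content-less email: almost nothing in the body besides a URL.
    if urls and len(URL_RE.sub("", body).split()) < 5:
        findings.append("near-empty body carrying a URL")
    if URGENCY.search(body):
        findings.append("urgency or payment language")
    return findings

# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_fraud": "From: Jane Doe <jane.doe@mail-example.net>\n"
                 "Reply-To: ceo-office@another.example\nSubject: Urgent request\n\n"
                 "I need you to process a wire transfer today. Confirm immediately.\n",
    "content_less": "From: Accounts <accounts@example.com>\nSubject: Document\n\n"
                    "secure-docs.example/view/123\n",
    "legitimate": "From: Jane Doe <jane.doe@example.com>\nSubject: All-hands\n\n"
                  "The agenda is at https://intranet.example.com/agenda; please add "
                  "any items you would like discussed at next week's meeting.\n",
}
```

Running `phishing_indicators` over each entry in `SAMPLES` flags the CEO-fraud and content-less messages and returns an empty list for the legitimate one; in practice this kind of check complements, rather than replaces, the mail gateway's own filtering.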

2. Baiting

Threat actors leave a malware-infected device, such as a USB drive or CD, in a place where it can easily be found. Whoever finds it plugs the device into their computer and unknowingly installs the malware, giving the threat actors access to the target’s system.

3. Quid pro quo

A threat actor requests personal information in exchange for some form of reward, such as money, a free gift or a free service. In simple words, it means ‘something for something’.

4. Tailgating/Piggybacking

A method used to gain access to a building or other protected area. A tailgater waits for an authorised user to open and pass through a secure entry and then follows right behind. 

5. Water-holing

This technique takes advantage of websites people regularly visit and trust. The attacker gathers information about a targeted group of individuals to find out which websites they use, then tests those websites for vulnerabilities and, if one is found, compromises the site so that it infects its visitors. Alternatively, you may be taken to a fake version of the site that is designed to steal your credentials.

6. Shoulder surfing

It is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder. Unauthorised observers watch the keystrokes entered on a device or listen to sensitive information being spoken, which is also known as eavesdropping.

7. Identity theft

Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity theft is committed in many different ways and its victims are typically left with damage to their credit, finances, and reputation. 

8. Pretexting

A threat actor impersonates an authority figure, or someone the target would readily trust, in order to obtain their personal information.

9. Honeytraps

A particular kind of romance fraud known as a “honeytrap” involves con artists fabricating social media and dating profiles using alluring photographs that they have stolen. Once they have identified a target, they promptly tell the victim that they are in love with them, sending flirtatious and provocative texts. To obtain presents, money, or bitcoin, they then demand that the victim demonstrate that the feelings are mutual.

10. Scareware

Scareware, sometimes referred to as fraudware, deception software, or rogue scanner software, tricks victims into thinking they are in immediate danger. For instance, you may receive a notification stating that a virus has infiltrated your device.

How to Avoid Social Engineering Attacks

  • Educate yourself – Do not open any emails from untrusted sources.
  • Be aware of the information you’re releasing into social media
  • Always use two-factor authentication
  • Get creative with security questions that help with password recovery by not using easy questions that can be harvested from social media
  • Watch for questions that don’t fit the pretext
  • Use different logins for each service and secure your passwords with password managers
  • Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.
  • Always use antivirus/anti-malware solutions
  • Monitor the dark web for exposed data; sites like haveibeenpwned are useful for finding out whether your email address has appeared in a breach

I hope you found this blog post informative and engaging. I’d love to hear your thoughts on this post. Let’s connect and start a conversation on LinkedIn — OffloadSecurity
