Protecting confidential data in the digital world depends on technologies that let people use the Internet without worry. Nevertheless, the number of successful cyberattacks keeps rising.
It has been shown that 90% of all security incidents involve human error. In most cases, cybercriminals use social engineering to extract sensitive information from unsuspecting users.
Definition of social engineering
Social engineering is a term for a wide range of malicious activities carried out through the deception of people. The success of social engineering methods depends on the attacker's ability to manipulate human emotions: fear, curiosity, sympathy, vanity, greed.
The attack unfolds gradually. The attacker first studies the intended victim and collects the necessary background information. They then work to gain the victim's trust, leading them to unknowingly violate security rules: disclosing confidential information, or providing access to computer networks or data storage.
What makes social engineering particularly dangerous is that it exploits human error rather than software vulnerabilities. Mistakes made by users themselves are far less predictable than threats from malicious software.
Social engineering techniques
Social engineering attacks take many forms and can be carried out wherever human interaction is involved. Below are the seven most common techniques.
Baiting (bait, “road apple”). The method is based on the Trojan horse principle. Fraudsters leave a device infected with malware (a USB flash drive, a CD) in a visible place. The attack relies on the person who finds the device plugging it into their computer and unwittingly running the software, which leads to the theft of personal data or damage to the computer system.
Scareware (fake antivirus). The technique consists of falsely convincing users that their computer systems are infected. This deception prompts victims to install software that offers no real benefit (except to the attacker) or is itself malicious.
A common example of scareware is a legitimate-looking pop-up banner warning of a spyware infection. Alongside the warning, the user is offered a fake antivirus that either contains malware itself or redirects to a malicious site.
In addition to banners, scareware can also be distributed through spam e-mail that issues false alerts or offers users useless or malicious services for purchase.
Phishing involves sending fraudulent messages that provoke a sense of urgency, curiosity or fear. Such messages are disguised as legitimate correspondence from a trusted source. In a phishing attack, recipients are tricked into installing malware or handing over personal, financial or business information.
E-mail is the most popular channel for phishing. Chat, social networking applications, phone calls and fake websites can also be used. Some of the worst phishing attacks create charitable appeals in the wake of natural disasters or tragedies, counting on people's goodwill and encouraging them to help by entering personal or payment information.
Pretexting is the extraction of confidential information by cybercriminals through an elaborate fabricated story. The deception is prepared in advance and usually begins with establishing trust with the victim. The fraudsters may pose as police officers, bank or tax officials, or work colleagues.
Pretexting is used to collect information such as social security numbers, home addresses, phone numbers and bank details.
Quid pro quo (“something for something”) occurs when cybercriminals ask a person for personal information in exchange for something they want or some form of compensation. Very often this type of attack is spread through e-mails that request credentials in return for an inheritance, gift or prize.
Sometimes scammers pose as IT support specialists. They convince a person that there are problems with their computer and that these problems can only be fixed by installing the latest software. The fraudsters pressure the victim into granting full access to their device, which allows them to install malicious software on it or steal sensitive data from it.
Spear phishing (targeted phishing) is an attack aimed at a specific person or organization. Its success depends on how much personal information the scammer learns about the victim in order to gain their trust.
The most common sources of such information are social media channels. There you can find almost any information about the future victim: e-mail address, favorite brands, hobbies, friends, and so on. Once the research is complete, the attacker, posing as a close acquaintance, can send the victim an e-mail with a plausible pretext and try to obtain confidential information.
Vishing (voice phishing) is the criminal practice of using social engineering over the telephone to gain access to a person's personal information for financial gain.
Vishing uses a fraudulent interactive voice response (IVR) system that mimics the legitimate IVR menu of a bank or other institution.
The victim receives a request to call the “bank” at a number (most often toll-free) provided in the message in order to “verify” their information. A typical vishing system repeatedly rejects login attempts, prompting the victim to enter PIN codes or passwords several times and thereby revealing several different passwords.