Social engineering involves deceiving people into providing private information through manipulation. Common social engineering attacks include phishing scams by email or phone that try to steal login credentials. Other methods are shoulder surfing to see passwords, dumpster diving to find sensitive trash, and tailgating to access restricted areas. Social engineering works because people are inclined to trust authority, follow social proof, reciprocate kindness, and make decisions based on scarcity and distractions. Protecting against social engineering requires vigilance, secure disposal of documents, awareness of manipulation tactics, and escalating any suspicious requests for information.
2. Social engineering is the process of deceiving
people into giving confidential, private, and/or
privileged information to unauthorized people.
Apart from breaching confidentiality, social
engineering compromises data integrity and
its availability.
3. What are the common types of
SOCIAL ENGINEERING attacks?
4. DECEPTIVE PHISHING
Fraudsters impersonate a legitimate company in
an attempt to steal people’s personal data or
login credentials. Those emails frequently use
threats and a sense of urgency to scare users
into doing what the attackers want.
SPEAR PHISHING
Fraudsters customize their attack emails with
the target’s name, position, company, work
phone number and other information in an
attempt to trick the recipient into believing that
they have a connection with the sender. The
goal is the same as in deceptive phishing:
trick the victim into clicking on a malicious URL
or email attachment so that they will hand over
their personal data.
SHOULDER SURFING
The practice of spying on the user of an ATM,
computer, or other electronic device in order
to obtain their personal access information.
DUMPSTER DIVING
This is the process of searching trash to obtain useful information about a
person/business. Dumpster divers will be looking for the following:
• Email address/address
• Phone numbers to carry out Vishing
• Passwords and social security numbers that might have been
written on sticky notes for convenience
• Bank statements/financial statements
• Medical records
• Important documents
• Account login credentials
• Business secrets and marketing secrets
• Information about the employees
• Information about the software, tools, or technologies that are being
used at the company
VISHING
This type of phishing attack dispenses with sending out an email and
instead goes for placing a phone call.
THE DIFFERENT FORMS OF PHISHING
5. WATERHOLING
Watering hole attacks are used to distribute malware onto
victims’ computers in a similar way to how phishing activities are
conducted. Cybercriminals infect popular websites with
malware, and anyone who has had the misfortune to visit has
their computer automatically loaded with malware.
The malware used in these attacks usually collects the target’s
personal information and sends it back to the hacker’s server.
In extreme cases, the hacker will actively take control of the
infected computer.
CEO FRAUD
In these scams, fraudsters try to harpoon an
executive and steal their login details.
PHARMING
This method of phishing uses a cache poisoning
attack which allows attackers to redirect users from a
valid website to a malicious website. Under this kind
of attack, a pharmer targets a DNS server and
changes the IP address associated with a
website’s domain name. That means an attacker
can redirect users to a malicious website of their
choice. That’s the case even if the victim enters the
correct site name.
REVERSE SOCIAL ENGINEERING
In a reverse social engineering attack, the attacker does not
initiate contact with the victim. Rather, the victim is tricked
into contacting the attacker herself. As a result, a high degree
of trust is established between the victim and the attacker as
the victim is the entity that established the relationship.
7. Tailgating involves an attacker
seeking entry to a restricted area without
the proper authentication.
Example: An attacker who does not have an
ID or badge can simply walk in behind a
person who is authorized to access the area.
Baiting occurs when attackers use a
false promise to pique a victim’s greed or
curiosity. They lure users into a trap that steals
their personal information or infects their
systems with malware.
Example: Malware-infected flash drives that
look authentic, labelled as the company's
payroll list
Advanced Persistent
Threat: an advanced persistent threat
is an attack in which an unauthorized user
gains access to a system or network and
remains there for an extended period of
time without being detected.
The goal of an APT is to spy, obtain financial
gain, perpetrate hacktivism, or cause destruction.
8. Why and how is social engineering effective?
People value authority, social proof, similarities,
and reciprocity. Also, social engineers are skilled
in using scarcity and deception to manipulate
others.
9. SOCIAL ENGINEERING
is effective because of:
Authority
Society trains people not to question authority, and the majority
of the public has the tendency to follow blindly.
Social Proof
People let their guard and suspicion down when everyone
else appears to share the same behaviors and risks. In this
way, they will not be held solely responsible for their actions.
Liking, Similarity & Deception
People prefer to comply with those whom (they think) they know or
like, those to whom they are similar or with whom they are familiar,
as well as those they are attracted to.
Jam Rivera
10. Commitment, Reciprocation & Consistency
People feel more confident in their decision once they
commit (publicly) to a specific action. They have the
tendency to want to follow it through until the end. The
majority is also inclined to believe what others say, especially
when it comes to needing something from them. When
people are shown kindness, there is also a natural response
to want to return the favor.
Distraction
People tend to focus their attention on what they can gain,
what they need, what they can lose, and what they might miss
out on. These distractions can heighten people’s emotional
state and make them forget other logical facts to consider
when making decisions.
Scarcity
Perceived scarcity will generate demand.
12. Social engineers
usually go through a
4-STEP ATTACK CYCLE:
Information gathering
In this step, the attacker
gathers as much data as possible about
the target victim. Social
media is a frequent source of
information.
Engaging with the victim
After gathering enough information,
the attacker will begin
conversations with the target.
The goal of this step is to
gain trust in order to obtain
any missing data
required to
fulfill the goal.
13. Closing the interaction
During this step, the attacker will spend more
time concealing the attack and the proceeds
of it. Little to no time will be spent engaging with
the victim. If the attacker leaves the
communication open, the only purpose is for
the attack to recur. Sometimes the entire
social engineering cycle is completed
without the victim knowing.
Attacking
Once the attacker has enough data through research
and conversations with the target, the
attack will commence.
14. How do you protect your data against
social engineering attacks?
15. BEST PRACTICES AGAINST
SOCIAL ENGINEERING
Phishing
Recognize the refusal to give contact information,
rushing, namedropping, intimidation, small mistakes
(misspellings, misnomers, odd questions), and
requests for forbidden information. “Look for things that
don’t quite add up.” Escalate any suspicions around
phishing.
Common ways to detect phishing emails:
• A mismatched URL
• URLs with a misleading domain name
• Poor spelling and grammatical errors
• Asking for sensitive information
• Too-good-to-be-true message
• Surprise lottery!
• Asking to send money to cover
medical expenses
• Unrealistic threats
• Claims to be from a government agency
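The first two checklist items (a mismatched URL and a misleading domain name) can be checked mechanically on an HTML message body. The following is an added example, not part of the deck: it scans every link, compares the visible link text with the real target, flags a trusted name that appears only as a subdomain of some other domain, and catches digit-for-letter lookalikes. The sample e-mail body, the `TRUSTED_DOMAINS` set and the indicator names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the deck): one link whose visible
# text disagrees with its href, one legitimate link, and one lookalike domain.
SAMPLE_EMAIL = """
<p>Your account is locked. Verify now at
<a href="http://login.example-bank.com.verify-acct.example">https://login.example-bank.com</a></p>
<p>Help: <a href="https://example-bank.com/help">https://example-bank.com/help</a></p>
<p><a href="https://examp1e-bank.com/reset">Reset your password</a></p>
"""

# Domains the recipient's organisation legitimately uses (assumed for the example).
TRUSTED_DOMAINS = {"example-bank.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Digits commonly swapped for letters in lookalike names (0/o, 1/l, 3/e, 5/s).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: login.example-bank.com -> example-bank.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str) -> list:
    """Return the checklist indicators this link trips (empty list = nothing found)."""
    findings = []
    href_host = urlparse(href).hostname or ""
    href_dom = registered_domain(href_host)
    text = text.strip()
    # Mismatched URL: visible text is a URL, but its domain differs from the real target.
    if text.startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if registered_domain(text_host) != href_dom:
            findings.append("mismatched-url")
    for trusted in TRUSTED_DOMAINS:
        # Misleading domain: the trusted name appears only as a subdomain of another domain.
        if trusted in href_host and href_dom != trusted:
            findings.append("misleading-domain")
        # Lookalike domain: one digit-for-letter swap away from the trusted name.
        elif href_dom != trusted and href_dom.translate(HOMOGLYPHS) == trusted:
            findings.append("lookalike-domain")
    return findings


def scan_email(html: str) -> dict:
    """Map every href in the message body to the indicators it triggers."""
    return {href: check_link(href, text) for href, text in ANCHOR_RE.findall(html)}
```

Calling `scan_email(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine help link clean; a real mail filter would add a proper public-suffix list in place of the two-label `registered_domain` shortcut.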
16. Shoulder Surfing
• Angle your computer or cell phone screen so that
other people cannot see what you are typing
• Use a privacy screen to make your screen less
visible to others
• If possible, sit or stand with your back to a wall
when entering a password on a device in public
• Stand in a quiet spot away from a crowd of
people
• Try to avoid opening personal accounts in public
• Shield forms from viewing when filling out
paperwork in public
• Use strong passwords to make it more difficult
for someone to try and guess what
you typed
• As always, remember to lock your
computer or device when you leave
your desk
17. Dumpster Diving
o Limit social sharing
o Safely dispose and put away any documents
containing the following information:
• Pre-approved credit card offers
• Street address
• Social Security number
• Telephone number
• Email address
• Bank account information
• Employment history
• Other personal information
18. Waterholing
• Remove or disable
software vulnerable to
watering hole attacks.
• Have a malware-protection
system
Baiting
Only rely on flash drives
you know and trust.
19. Tailgating
• Lock your system and other devices
while leaving the work station
• Do not let unknown people enter
restricted premises of the office unless
they have appropriate credentials or
authority of access
• Never help strangers access a secured
location when they ask to open the
door or are from delivery services
• Always keep your access identity card
with you while you are on the
premises; keep it secure from being
misused by unauthorized employees
20. Here are some of the most prominent
recent social engineering attacks:
21. Sony Pictures
On Monday, November 24, 2014, many of Sony
Pictures’ employees began to see skulls appearing
on their computer screens, with software rendering
their machines inoperable. This social engineering
attack led to the leaking of unreleased films to
social media, with theaters opting not to screen
these movies anymore. The effect of this hacking
also revealed that many female actors were paid less
than their male counterparts. In addition, personal
information about employees was leaked, including
information about their families, inter-office e-mails,
salary, and more.
22. Toyota
Toyota Boshoku Corporation, an auto
parts supplier, was the victim of a social
engineering and BEC (Business Email
Compromise) attack in 2019.
The money lost amounts to USD 37
million due to fraudulent bank
transfer instructions that
someone in the company
took as legitimate.
Attackers successfully
persuaded a finance
executive to change the
recipient's bank account
information before a
wire transfer.
23. What impact does social engineering have
towards:
a. The public
b. The businesses
c. The government
d. The economies
25. People are more likely to respond to the effects
of a cyberattack rather than the attack itself. One
example of this is a cyber-attack where malware
infects a national power station, causing
hundreds of thousands of citizens to be without
power.
The general public can be affected socially and
psychologically by the incident.
The social impact of a cyber-attack refers to
aspects such as the social disruption
caused to people’s daily lives,
and widespread issues such as
anxiety or loss of confidence
in cyber or technology.
Psychological impact can be informed
by social impact, and can include
more personal aspects such as an
individual’s anxiety, worry, anger,
outrage, depression and so on.
28. The cybercrime industry generated at least $1.5
trillion in revenue in 2018, which massively affects
economies all over the world.
The U.S. President’s proposed FY 2020 budget
requests more than $17 billion for cybersecurity and
cyber operations.
On May 28, 2020, in a single day, there were
49,127,689 cyber attacks worldwide, which equates to
568 cyber attacks occurring every second!
Social media contributes to the sale of stolen
personal data in an underground economy that’s
now worth about $630 million per year.
On average, 300,000 cybercrime-related complaints
are received each year by the FBI; that’s an average
of more than 800 complaints per day.
29. Being affected by social engineering is costly
and inconvenient. Knowing how to protect
information and how to escalate concerns goes a
long way.
Photos are from pixabay.com and unsplash.com. Icons from flaticons.com.
Principles of Persuasion in Social Engineering
Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54(3), 70–75 (2011)