
Social engineering in Cyber Security. How to protect yourself? OnlineSim

  • Sep 15, 2023, 2:41 AM
  • 8 minutes

The Dangers of Social Engineering and How to Avoid Falling Victim: Part 1

According to a report by LookingGlass Cyber and ISACA, social engineering was one of the top types of cyberattacks on people and organizations in 2022.


Moreover, IBM reports that the average cost of a data breach has reached a whopping $4.1 million. How can individuals and organizations protect themselves? A good antivirus can block much of the malware that social engineers deliver, but it cannot stop you from being talked into handing over a password or wiring money yourself.

In this article, we'll walk through the common techniques used by social engineers and how to avoid falling victim to them.


What is social engineering?

Social engineering is what it sounds like: instead of relying on purely technical tools, scammers go "social" and use psychological manipulation to influence you into giving up confidential information, or into taking an action (clicking a link, installing software, sending money) that compromises your security.

Common social engineering tactics are phishing (and its variations, such as spear-phishing, vishing and smishing), baiting, scareware, and pretexting:


Phishing

Social engineers pretend to be legitimate institutions or businesses to "fish out" the information they want. Classic phishing arrives by email (variants that use phone calls and text messages are covered below). The attackers often exploit the victim's fears to push them into acting before thinking twice.

This is an example of a phishing email: 

Source: securitymetrics.com



The attackers pose as bank representatives and ask users to update their login information. The email mimics a genuine one and appears to come from the bank's official address; note that the display name of a sender can be set to anything, and only the message headers and the mail server's authentication results reveal where it really came from. Because the restriction of a bank account sounds serious, many users will do what the email says without questioning it. The email also carries an attachment; opening it will most likely infect the computer.

Phishing emails often ask the user to type in their information, but not always. Some contain links that lead to a malware download. One common payload is a cryptojacker, malware that mines cryptocurrency using your computer's processing power. Others contain attachments that infect the computer when opened and give the attacker access to private files.
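The tells described above (a sender whose real domain does not match the brand, a link whose visible text names one site while it points at another, urgency language, and a booby-trapped attachment) can be checked mechanically before anyone clicks. The script below is an added example and not code from the original article; it uses only the Python standard library, and the message it parses, including every domain and address in it, is a constructed placeholder.

```python
"""Triage a raw email for common phishing indicators.

Added example, not code from the original article. Standard library only.
SAMPLE_EMAIL and every domain in it are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "bank" demands action within 24 hours, the visible link
# text and the real link target disagree, the bounce address belongs to a third
# domain, and the attachment hides an .exe behind ".pdf".
SAMPLE_EMAIL = """\
Return-Path: <bounce@bulk-sender.example.com>
From: "Example Bank Security" <alerts@examplebank-secure.example.net>
Reply-To: <support@examplebank-secure.example.net>
To: <customer@example.org>
Subject: Your account has been restricted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Update your login details within 24 hours
or your account will be suspended permanently.</p>
<p><a href="http://examplebank-secure.example.net/login">https://www.examplebank.example/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URGENCY = ("within 24 hours", "immediately", "suspended", "restricted", "verify now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable_domain(host):
    """Last two DNS labels: a deliberately crude stand-in for a public-suffix
    lookup (wrong for co.uk-style suffixes; use a PSL library in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(header_value):
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def domain_of_url_text(text):
    """If link text looks like a URL or bare hostname, return its registrable domain."""
    text = text.strip()
    if not text.startswith(("http://", "https://")):
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):  # bare host[/path]
            text = "http://" + text
        else:
            return ""
    return registrable_domain(urlparse(text).hostname or "")


def triage(raw):
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender consistency: replies and bounces should go to the same organisation.
    from_domain = domain_of_address(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        other = domain_of_address(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 2. Urgency language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    scan_text = (str(msg["Subject"] or "") + " " + html).lower()
    for phrase in URGENCY:
        if phrase in scan_text:
            findings.append(f"urgency cue: '{phrase}'")

    # 3. Links whose visible text names a different site than the real target.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        claimed = domain_of_url_text(shown)
        if claimed and claimed != target:
            findings.append(f"link text claims {claimed} but points to {target}")
        if claimed and claimed != from_domain:
            findings.append(f"link brand {claimed} does not match sender domain {from_domain}")

    # 4. Executable or double-extension attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
        if name.count(".") > 1:
            findings.append(f"double extension hides file type: {name}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run it on a saved `.eml` file by passing `open(path).read()` to `triage()`. The domain comparison is intentionally simple; a production filter would also check the SPF/DKIM/DMARC results in the `Authentication-Results` header and use a proper public-suffix list.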

A specific case of phishing is spear-phishing, in which an attacker impersonates someone the victim knows or trusts, such as a friend or colleague. This type of social engineering attack is aimed at a particular person and is often used in corporate espionage. For example, an attacker may impersonate the boss and email an employee asking them to send back confidential files.


Baiting

Baiting is closely related to phishing. Rather than merely impersonating an authority, the attacker lures the victim into sharing personal information by offering something enticing in return.

This is how a baiting email looks:

Source: dummies.com



In this email, the criminals pose as Google representatives and promise users a free iPhone as a thank-you for their loyalty. As in the previous example, the message creates an artificial sense of urgency. Many people want an iPhone, so it works as excellent bait and motivates them to click the link.

Another popular baiting attack is to leave an infected USB drive in a car park or lobby, hoping that somebody will pick it up and plug it into their computer. The drive works as bait because people are naturally curious about what is on it. Plugging it in can launch malicious software, whether through a booby-trapped document on the drive or a device that presents itself to the computer as a keyboard and types commands, giving the attacker a foothold on the machine. This is why many organizations disable removable storage on workstations and tell staff to hand found drives to IT.


Vishing

Vishing is a term formed by combining two words: voice and phishing. Twenty years ago, the key to a successful voice phishing attack was to call the victim and pose as an authority figure they had never met. Today, however, many attacks use artificial intelligence to imitate the voices of loved ones and family members.

A Twitter user shared a story of a vishing attack on his grandfather:

Source: Robert Schultz


Instead of sending an email, the attacker may call or leave a voice message. Most people are used to spam in their inboxes but lower their guard on the phone. For example, an attacker may call and use an AI-cloned voice of a family member who is supposedly abroad and needs $5,000 wired to a particular bank account. Such technology is still exotic in daily life, especially for elderly people, which makes them more likely to fall victim. The simplest defense is to hang up and call the relative back on a number you already have.


Smishing

Smishing is SMS phishing. If scammers have obtained your real phone number, they may use it to try to steal your personal data.

Here is an example of a smishing attack:

Source: secureworld.io

SMS phishing uses all the same tricks. Criminals may pose as officials or legitimate businesses, promise you a gift, or both. In the example above, the attackers pretend to be Walmart offering a gift; all you supposedly need to do is complete a form. Treating such messages with skepticism, and never tapping links in unexpected texts, can save you from losing money or disclosing private data to people with bad intentions.


Scareware

Scareware masquerades as legitimate software, usually antivirus software, and bombards the user with false security or update alerts. Users often install it unknowingly from phishing emails or malicious ads.

The scareware warnings may be accompanied by pop-up windows, flashing lights, or other visual and audio effects designed to catch the user's attention and create a sense of urgency. 

Here is how it looks:

Source: reinforceme.com

The user is prompted to install software that supposedly fixes the problems. Installing the scareware only causes further harm, for example by letting the attacker steal personal files from the computer. Genuine security products do not announce infections through browser pop-ups, so never click links in suspicious emails or pop-ups.


Pretexting

Pretexting involves the attacker inventing a plausible scenario (the pretext) and pretending to be someone else, usually an authority figure, in person or over the phone. This is how they obtain unauthorized access to your information. For example, an attacker may pose as a sociologist conducting a survey or as a customer who wants more information about your product.

Pretexting can harm both regular users and corporations. It exploits the natural desire to be helpful and to comply with authority. So it's important for individuals and organizations to be aware of this tactic and to verify a caller's identity through an independent channel before disclosing anything.

What are the consequences of falling victim to social engineering?

Falling victim to social engineering attacks can have devastating consequences. Here are some examples:


They'll steal your money

Social engineers who have exploited your trust to obtain your private data can monetize it in multiple ways. With your card details and/or phone number they can authorize purchases. They can also hijack your social media account and ask your friends to lend them money. Everything depends on the attackers' creativity. And if your organization's financial information is disclosed, the damage can run to millions or hundreds of millions.

Between 2013 and 2015, Google and Facebook lost $100 million to a social engineering attack. Evaldas Rimasauskas and his accomplices set up a fake company bearing the same name as a real supplier of the two tech giants, opened bank accounts in that name, and sent phishing emails to employees invoicing them for goods and services that the real supplier had delivered.


They'll steal your identity

Identity theft means that other people can pretend to be you. Fraudsters can take out a loan in your name or even commit a crime and frame you for it. The consequences might take years to resolve. In the corporate world, this type of attack can compromise whole organizations and put their future at risk.

In early 2022, a highly sophisticated phishing campaign was reported by Bleeping Computer. It aimed to steal Office 365 credentials by impersonating the US Department of Labor (DoL). The scammers used expertly written phishing emails that bore the official branding of the DoL. They invited recipients to bid on a government project and included detailed instructions in a three-page PDF, complete with a "Bid Now" button. When the button was clicked, targets were redirected to a phishing site that prompted them to enter their Office 365 credentials. The simplest check here is the address bar: a genuine federal agency site lives on a .gov domain, and a login page that does not should be treated as hostile.


They'll ruin your reputation

Information stored on our devices is often very private, and a third party accessing it can cause much harm. Cases of phones being hacked and personal pictures, for example nudes, being leaked have become very common. Such an event can easily make you a laughing stock and harm your mental health. Similarly, if an organization suffers a data breach because of a social engineering attack, it can lose customer trust and confidence.

In the summer of 2020, Twitter confirmed that attackers had taken control of 130 accounts, including those of some of the best-known people on the planet, such as Barack Obama, Joe Biden, and Kanye West. Twitter later stated that the attackers got in through a phone spear-phishing attack on its own employees. The incident caused a significant public scandal and badly damaged Twitter's reputation.


Summing up

Social engineering attacks rely on a lack of digital hygiene and use psychological manipulation to trick individuals into sharing their information. Social engineers use varied and creative attacks to exploit natural feelings of trust, fear, or greed. If you're not prepared, it can be hard to resist them. In the next article, we will cover the steps you can take to protect yourself and your loved ones from these attacks.
