Social engineering, or social hacking, is a class of attack in which cyber-attacks and data breaches are orchestrated by exploiting human nature and trust rather than relying solely on technical weaknesses. Having won the victim's trust and confidence, cybercriminals gain access to confidential information or to digital and physical business resources and infrastructure, or get the user (employee, client or customer) to download malware, send money or perform other dangerous actions.
In this article, the dangers of social engineering and the methods of preventing it are explored in depth.
The core of social engineering is human trust and confidence. Attackers spend ample time and resources researching the victim. Key insights (potential entry points, weak protocols, etc.) are gathered, and a combination of words and actions, delivered through technology (emails, voice calls, etc.), is used to deceive the victim into trusting the attacker before the attack itself proceeds.
Social engineering is so dangerous because it relies on human error by legitimate users rather than on a flaw in software or operating systems. To protect against it effectively, it is therefore important to know how, and in what ways, social engineers manipulate people to accomplish their goals.
Phishing

90% of all cyber-attacks are initiated by phishing. Delivered through email (often bulk email campaigns), chat, digital ads, websites and social media, among other channels, phishing messages impersonate real, legitimate systems and organizations such as banks, NGOs, major corporations, genuine charities or even the victim's own employer.
The messages are crafted to instill a sense of urgency or fear that coaxes the user into doing as the attacker pleases (giving access to confidential information, downloading malware, wiring money, etc.). For instance, the attacker could pose as the CEO of the company and send emails to employees urging them to take some action that divulges their login credentials to the attacker.
Spear-phishing

While phishing is usually orchestrated as a bulk campaign, spear-phishing adds personalization and individual targeting. It is one of the key weapons in the arsenal of nearly 70% of hackers in the US, who are known to use the method regularly to initiate an intrusion, despite the greater time and effort required to pull it off.
For instance, the attacker may pose as a banker and demand the victim's credit card details, claiming that the card is about to be blocked or that the victim can claim additional benefits.
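The phishing and spear-phishing lures described above (an executive's name on an outside address, a bank warning that a card "is about to be blocked", a request for login details) share cues that a mail gateway can score before a message reaches the inbox. The following added example is not from the original article; it is a small heuristic screener written for this page. The internal domain `example.com`, the protected display name "Jane Doe", the cue lists and both sample messages are constructed for the demonstration.

```python
"""Heuristic screening of inbound mail for impersonation and urgency cues."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own mail domain
# and the display names an attacker is most likely to impersonate (e.g. the CEO).
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}

# Pressure language typical of phishing and credential/payment lures.
URGENCY_CUES = ("urgent", "immediately", "right away", "within the hour",
                "will be blocked", "final notice")
LURE_PATTERN = re.compile(
    r"\b(password|login|credentials|wire transfer|credit card|gift card)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def screen_message(raw):
    """Score one RFC 822 message and return the findings plus a suggested action."""
    msg = message_from_string(raw)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # A protected name (CEO, CFO, ...) shown on an address outside the organisation.
    if display_name.strip().lower() in PROTECTED_NAMES and sender_domain != INTERNAL_DOMAIN:
        findings.append("protected display name used from an external address")

    # Domain within two edits of our own, but not equal to it.
    if sender_domain and sender_domain != INTERNAL_DOMAIN \
            and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {sender_domain!r} looks like {INTERNAL_DOMAIN!r}")

    # Replies silently redirected to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("Reply-To points at a different domain than From")

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(cue in text for cue in URGENCY_CUES):
        findings.append("urgency language")
    if LURE_PATTERN.search(text):
        findings.append("asks for credentials or payment details")

    return {
        "score": len(findings),
        "findings": findings,
        "action": "hold for review" if len(findings) >= 2 else "deliver",
    }


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.test
Subject: Urgent - need this done immediately
To: staff@example.com

I am in a meeting and cannot talk. Send me the login credentials for the
finance portal right away so I can approve a wire transfer before noon.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Agenda for Thursday
To: staff@example.com

Attached is the agenda for Thursday's planning meeting. See you there.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        result = screen_message(sample)
        print(f"{label}: score={result['score']} action={result['action']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Each heuristic on its own is weak (a genuine executive may well write "urgent"), which is why the action is driven by the number of independent cues that fire together; the lookalike-domain and Reply-To checks are the ones that rarely trigger on legitimate internal mail and so carry the most weight in practice.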
Baiting

As the name suggests, the victim's interest, curiosity or greed is piqued by offering them something they are looking for, enticing them to download malware onto their devices or to divulge personal information.
This method is often used by social engineers on peer-to-peer sharing sites and movie or music download sites, or even physically, through a company-branded flash drive left on a desk. Baiting can also be delivered in the form of too-good-to-be-true online deals, spurious emails offering free coupons, and so on.
Pretexting

This type of social engineering is orchestrated by crafting clever and seemingly genuine communication (emails, phone calls or direct contact). Here, the attacker extracts critical information from the victim by impersonating a colleague or an authority figure with a right to know, and building trust on that basis.
For instance, the attacker could call the victim claiming to be X from the IT department and collect login information on the pretext of conducting an audit.
Tailgating

Here, an attacker or other unauthorized person obtains physical access to business assets by following an authorized person into a restricted area. For instance, the attacker could bypass physical security by asking an employee to hold the door because he or she has forgotten their ID. The victim could also be asked to lend their PC or laptop for a few minutes, during which the attacker could install malware.
1. For the employees and customers,
2. From the organizational end,
Conclusion
The ease with which people can be tricked makes social engineering attacks the most dangerous kind. 63.8% of all businesses have been victims of one form of social engineering or another. Every type of business, irrespective of size, nature or domain of operation, is therefore at risk, which highlights that ongoing education and awareness are necessary to prevent these attacks.
This post was last modified on November 14, 2023 11:27