The internet can give us a false sense of security when it comes to our personal and financial information. A screen may make us feel anonymous, but attackers use well-practised tactics to reach the sensitive information we want to keep private. Social engineering is one of many deceptions cybercriminals use for fraud. In the context of information security, social engineering is psychological manipulation: criminals persuade victims to perform actions or divulge confidential information. They present themselves as harmless or respectable individuals and then piece together personal information through ordinary human interaction.
Social engineering is a malicious attack method carried out through human interaction rather than through a technical exploit. Attackers use psychological manipulation to trick victims into making security mistakes, such as willingly handing over personal information or credentials. They will often research the victim before making contact, scoping out potential weaknesses such as public social-media profiles or an organisation's staff list. The cybercriminal then gains the victim's trust through storytelling or relationship building. For example, a scammer on a dating app may, once a bond has formed, convince the victim that they need money for a family emergency. Because of this false bond, the victim sends money or personal information to help someone they think they know and care about. The lifecycle of a social engineering attack usually runs as follows: preparing the ground (researching the target and choosing a pretext), deceiving the victim to gain a foothold, extracting the information over time, and closing the interaction without arousing suspicion.
Methods of Attack
There are many methods of attack to be aware of. Social engineering can take many forms and be carried out on any platform: dating apps, email, social media, chat rooms, phone calls, and so on. Baiting, scareware, and pretexting are three of the most common methods of social engineering.
- Baiting: Baiting uses a false promise to lure a victim into a trap where the attacker can steal personal or financial information or infect their system with malware. The classic form used physical media, such as a malware-loaded USB drive left where a curious employee would find it and plug it in. Today, baiting more often comes as enticing online ads that lead to malicious sites or encourage users to download a malware-infected application.
- Scareware: Scareware bombards the victim with fake alerts claiming their computer is infected and pressures them into downloading or buying software that is useless at best and malicious at worst. It exploits the victim's fear, typically by coaxing them into installing fake anti-virus software. A fake alert does not by itself mean the computer is already infected: many such alerts are simply pop-ups served by a malicious or compromised web page and disappear when the browser tab is closed. If the alerts keep appearing after the browser is closed, adware or other unwanted software has been installed and should be removed with a reputable anti-malware tool, never with the product the alert is selling.
- Pretexting: Pretexting is a tactic in which the cybercriminal invents a plausible scenario (the pretext) to convince the victim to give up valuable information or grant access to a service or system. The pretext usually casts the attacker as someone with the authority or a legitimate need to ask, such as an IT help-desk technician or a bank's fraud department. For example, an attacker may pose as a support employee at a retailer such as Best Buy and convince the victim that they need to buy and install a piece of software, which is in fact malware, to fix or protect their device.
What We Can Do
There are common indicators of social engineering we can learn to recognise. These include a suspicious sender address (a display name that claims to be a known organisation while the address is on an unrelated or look-alike domain), generic greetings and signatures, spoofed hyperlinks and websites (link text that does not match the real destination), poor spelling and layout in a message or website, and unexpected attachments. To avoid becoming a victim of social engineering, be suspicious of unsolicited requests. Do not provide personal or financial information about yourself, your organisation, or your family and friends, and verify any request through a channel you already trust, such as a phone number from the organisation's official website, rather than the contact details supplied in the message. Social engineering is deceptive, but by learning more about its tactics, techniques, and methods of attack, we can improve our cyber safety for the future.
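The indicators listed above can be checked mechanically. The following is an added example, not code from the original article: a small Python script that runs four of those checks (sender domain, generic greeting, link text versus real link target, and risky attachment types) over a constructed sample message. The message, its domains and IP address, and the set of "known" organisation domains are all assumptions invented for the example, and the heuristics are deliberately simple; they illustrate the indicators, not a complete phishing filter.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real campaign). The display name claims to be
# a bank, the address is on a look-alike domain, the greeting is generic, the link
# text shows one site while the href points elsewhere, and the attachment has a
# double extension ending in .exe.
SAMPLE_EML = """From: "Example Bank Security" <alerts@examp1e-bank-login.xyz>
To: customer@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account has been locked. Sign in here:
<a href="http://198.51.100.23/login">https://www.examplebank.com/secure</a></p>
<p>Sincerely,<br>Customer Service</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message from the (assumed) real bank domain, for comparison.
CLEAN_EML = """From: "Example Bank" <alerts@examplebank.com>
To: alice@example.com
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Hi Alice, your March statement is available at https://www.examplebank.com/statements
"""

GENERIC_GREETINGS = re.compile(
    r"\bdear\s+(customer|user|member|account holder|sir/madam|valued \w+)\b", re.I)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
                    ".docm", ".xlsm", ".hta", ".iso", ".lnk"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare 'www.example.com' is treated as http://www.example.com."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def spoofed_links(html):
    """Anchors whose visible text looks like a URL but names a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href and re.match(r"(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            findings.append((text, href))
    return findings


def sender_domain_mismatch(msg, claimed_org_domains):
    """Reason string if the From address is not on a domain the claimed organisation uses."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "missing or malformed From address"
    if domain not in claimed_org_domains and not any(
            domain.endswith("." + d) for d in claimed_org_domains):
        return f"sender domain {domain!r} is not a known domain for {display!r}"
    return None


def generic_greeting(text):
    """The matched generic greeting ('Dear Customer' etc.), or None."""
    m = GENERIC_GREETINGS.search(text)
    return m.group(0) if m else None


def suspicious_attachments(msg):
    """Attachment filenames whose final extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def phishing_indicators(raw_message, claimed_org_domains):
    """Run all checks over a raw RFC 5322 message; returns a list of human-readable findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    reason = sender_domain_mismatch(msg, claimed_org_domains)
    if reason:
        findings.append("suspicious sender: " + reason)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    greeting = generic_greeting(text)
    if greeting:
        findings.append(f"generic greeting: {greeting!r}")
    for shown, real in spoofed_links(text):
        findings.append(f"spoofed hyperlink: text {shown!r} points to {real!r}")
    for name in suspicious_attachments(msg):
        findings.append(f"suspicious attachment: {name!r}")
    return findings


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, phishing_indicators(eml, {"examplebank.com"}) or ["no indicators"])
```

The script flags all four indicators on the constructed phishing message and none on the benign one. The sender check only works because the caller supplies the domains the claimed organisation really uses, which is the same verification a person does by hand: compare the address against one you already know, not against what the message says about itself.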
For more information and resources on cybersecurity, visit our learning center.