Introduction
Social engineering attacks are more likely to trick people nowadays than other cyber-attacks. This is because they are subtle and easy to overlook. Hacking usually targets weaknesses in technology. Social engineering manipulates people's feelings to trick them into sharing private information or compromising security.
As a child I unfortunately grew up with an alcoholic mother. I became interested in how people act and what makes the brain "tick." I used to study my mum's tone, body language, and presence to know her mood. By observing these signs, I could usually tell what kind of day to expect. How people act can give you an idea of how they think.
What's interesting about this?
Growing up, I used to do what hackers do now. They try to understand your online life to manipulate you. Their goal is to make their job easier by getting into your mind.
I want to delve into social engineering. This includes discussing its tactics, real-life examples, and ways organisations and individuals can protect themselves from this manipulation.
Understanding Social Engineering
Social engineering is when people trick others into sharing private information or accessing systems they shouldn't. They use psychological tactics like trust, curiosity, fear, and greed to manipulate people.
Attackers can deceive people by creating believable scenarios to obtain private information or bypass security measures.
The Psychology Behind Social Engineering
Social engineering works because it takes advantage of cognitive mistakes and emotional reactions. Social engineers manipulate people's emotions to make them act impulsively. They can create a sense of urgency, build trust, or instil fear. This prevents individuals from taking the time to consider their actions carefully.
As I said above, if a hacker can really understand you from your digital presence, their job is easy! Common psychological tactics include:
Authority: Impersonating authority figures to gain compliance.
Scarcity: Creating a sense of urgency or limited-time offers.
Social Proof: Using fake testimonials or peer pressure.
Reciprocity: Offering something of value to elicit a response.
Types of Social Engineering Attacks
There are many types of social engineering attempts, each targeting a specific behaviour in a person. The method used against you will depend on the information they gather about you online. Unless, of course, this is a lazy and crude ‘bulk’ phishing campaign that even a dear old grandmother would laugh at. Here are some examples:
Phishing
Phishing occurs when attackers send deceptive emails or messages that appear authentic in order to deceive individuals. They aim to make recipients believe the communication is coming from a trustworthy source.
These messages often contain links to fake websites that steal login credentials, personal information, or financial data. In the UK, scammers pretend to be officials from HM Revenue and Customs. They do this to trick people into giving them sensitive information. Find more information about HMRC phishing examples here.
Remember, they want to make people afraid. People are concerned about taxes. If something appears official, they will likely click or download it.
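As an added example (not from the original post), the check below applies the two points just made to a constructed HMRC-style refund message: does each link actually point under the official gov.uk domain, and does the visible link text name the same host as the real target? The sample message and the OFFICIAL_SUFFIXES list are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): an HTML e-mail posing as an HMRC refund notice.
SAMPLE_HTML = """
<p>Dear taxpayer, you are due a refund of GBP 412.</p>
<p>Claim now: <a href="http://hmrc-refunds-claim.example.net/login">https://www.gov.uk/hmrc</a></p>
<p>Guidance: <a href="https://www.gov.uk/government/organisations/hm-revenue-customs">www.gov.uk</a></p>
"""
# Assumption: genuine HMRC links live under gov.uk; adjust for other organisations.
OFFICIAL_SUFFIXES = ("gov.uk",)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain; '' if none can be parsed."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def is_official(host):
    # Match the official domain itself or a subdomain, never a lookalike suffix.
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def flag_links(html):
    """Return (href, reasons) for each link a reader should not trust at face value."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, target = [], host_of(href)
        if not is_official(target):
            reasons.append("target host is not under an official domain")
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            reasons.append("visible link text names a different host than the target")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running flag_links(SAMPLE_HTML) flags only the "Claim now" link, for both reasons; the genuine gov.uk guidance link passes.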
Vishing and Smishing
Vishing and smishing are like phishing, but use phone calls or texts to trick people into sharing personal information. Recently, there has been a rise in vishing scams in the UK, where criminals pretend to be bank or government officials to trick people. By the way, I have no idea why, but I struggle saying the word ‘smishing’. I digress.
Pretexting
Pretexting is when someone makes up a fake situation to get information from someone else. For example, a teenager might pretend to need money in order to get it from someone. Attackers might pose as customer service agents, IT support, or colleagues to gain the trust of their victims. By establishing a believable context, social engineers can coax sensitive information from unsuspecting individuals.
Baiting
Baiting involves luring victims into downloading malicious software by enticing them with an attractive offer. Attackers may leave infected USB drives in public places with labels like "confidential" or "salary data" to lure victims. Curiosity often leads individuals to plug these drives into their computers, unsuspectingly installing malware.
Tailgating
Tailgating, or piggybacking, involves an unauthorised person gaining access to restricted areas by following an authorised individual. Attackers rely on human kindness or distractions to bypass security measures, putting physical security at risk.
Real-World Example of Social Engineering
In 2023, we saw the mother of all social engineering attacks across casinos in Las Vegas.
What started as a basic act of spoofing became a masterclass in social engineering. An attack on 29 hotels and casinos in Las Vegas caused their digital systems to shut down. This forced them to switch to manual processing. As a result, the company put customers' personal information in danger.
The hack cost victims hundreds of millions of dollars. Here is a cool image which outlines the process the hackers took.
I always mention, hackers first gather personal information online through digital reconnaissance. We always try to educate businesses on this area because it is often overlooked.
Source of image: ThriveDX
How to Protect Against Social Engineering
Defending against social engineering requires a combination of awareness, training, and technological measures. Here are some strategies to consider:
Employee Training
Educating employees about social engineering tactics is crucial. Regular training sessions can help individuals recognise suspicious behaviour and understand the importance of verifying requests before taking action.
Multi-Factor Authentication (MFA)
MFA makes accounts more secure by requiring users to verify their identity in multiple ways before accessing them. This can prevent unauthorised access even if login credentials are compromised. You can find out more about MFA here; Google offers one such solution.
Security Awareness Programs
Organisations should establish security awareness programs that promote a culture of vigilance. Encouraging employees to report suspicious activities and providing channels for anonymous reporting can help detect potential threats.
Verify Requests
Encourage employees to verify requests for sensitive information or actions. This can involve contacting the requester through official channels or seeking confirmation from supervisors. Particular caution should be adopted about requests related to banking and tax matters.
Conclusion
Social engineering is a formidable challenge in the realm of cyber security, where attackers frequently target individuals and organisations. By exploiting human psychology, social engineers can bypass even the most robust technological defences. To stay safe from these threats, people and businesses should understand the tricks and strategies used by social engineers.
We can reduce the risks of social engineering by being aware, trained, and using technology. This will help protect sensitive information from getting into the wrong hands.
Being aware means being cautious and alert to potential threats. Training can provide us with the knowledge and skills to identify and respond to social engineering tactics. Using technology can also help us implement security measures to safeguard our sensitive information.