Your Emotions and Your Data Security are Closely Related. Find Out How!
If we were to tell you that you could be manipulated into giving your most confidential information to a stranger, you would probably think that that could never happen. But it is possible, and it happens more often than you think. This is social engineering, one of the most commonly used psychological manipulation techniques used by hackers to get people to say or do something that they wouldn’t under normal circumstances. The hacker’s end goal in manipulating the victim this way is to gain access to sensitive and confidential data, either personal or business related, which the hacker can then use to further his own monetary or other interests.
It’s worth noting the human component involved in social engineering attacks. Such attacks are different from your typical hacking attacks. While hacking typically relies on vulnerabilities in the hardware and software you use, social engineering relies on exploiting basic human emotions and tendencies. As a result, social engineering attacks are difficult to detect and avoid.
What Happens In a Social Engineering Attack?
To recognize if you’re being targeted in a social engineering attack, it’s necessary to understand how such an attack usually takes place.
A social engineering attack occurs in multiple stages. The attacker starts by researching his potential victims. In the research stage, the attacker tries to learn as much as he can about the target to understand the weaknesses that can be exploited. Once the attacker knows enough about his target, he plans an attack strategy that is likely to work on that target. This strategy could involve communicating, either via email or some other method, with a message that plays on the emotions of the target user. To make sure that the target falls for these messages, the attacker pretends to be a trusted source. So, the attack begins with the attacker gathering information about the targeted victim and subsequently gaining the victim’s trust. What follows is the launch of the attack itself through clever tactics.
7 Major Types of Social Engineering Attacks
We’ve studied the basic structure of a social engineering attack. But if we get down to the specifics, social engineering attacks can take various forms. Here is a rundown of the major kinds of social engineering attacks that you should know about:
Phishing
One of the biggest threats to data security today, phishing is a social engineering attack that can range from simple and obvious to complex and sophisticated. This type of attack can be carried out via email, web page, SMS, social media, etc. The message used in phishing could lure the user into giving away personal information like bank account details or important login credentials. A phishing attempt may also aim to deceive the user into downloading malware onto their system. Phishing is discussed thoroughly in the article "What is a Phishing attack", which you should give a read.
Tailgating
A lot of corporate organizations provide RFID cards to their employees to ensure that only the relevant personnel are able to enter the restricted areas of the office. Tailgating in social engineering is when an unauthorized person tries to enter an electronically restricted zone of an organization with the help of an authorized person (who doesn’t know that the person they are helping into the restricted area is unauthorized and harbors malicious intentions).
The perpetrator may act friendly with the authorized person, casually making excuses about how he has misplaced or forgotten his own access card. The unsuspecting authorized person, who is the victim of the tailgating attack in this case, may not see through these excuses and may let the perpetrator into the prohibited area. Once the perpetrator is in, he is free to do anything he wants, from stealing information to planting a virus.
Spear Phishing
Spear phishing is a type of phishing attack, only more specific and personal in nature. It is a good example of perpetrators of social engineering attacks doing detailed research on the users they want to target. The success of a spear phishing attempt depends heavily on the degree of personalization used in the attack’s messaging. The perpetrator acquires a substantial amount of information about the target users by going through their online and social media activities. Using this information, the perpetrator prepares a highly personalized message that comes across as genuine to the target users. The message could mention an event that has happened in the user’s life or a person whom the user knows. With the message reflecting key details from their life, the users are easily persuaded that the message is authentic.
Whaling
Yet another type of phishing attack, whaling differs from phishing and spear phishing in the type of users it targets. A whaling attack is directed at users who wield great power, money, or reputation. Think senior executives within a company, like the CEO, the CFO, or any other senior-ranking employee. Given the decision-making power and the confidential information that such target users possess, perpetrators stand to gain a lot if they succeed in tricking these users.
Vishing
A social engineering attack isn’t limited to the online landscape. When a phishing attack comes via a phone call, it’s called vishing. The perpetrator calls the potential victim and tries to convince them to reveal their private information. An example of vishing could be a phone call informing you that you have been selected as the winner of a lottery and that you need to share your bank account details so that the money can be transferred to your account. There is no lottery or money here, only a malicious attempt by a social engineering attacker to extract sensitive data from you.
Quid Pro Quo
The name of the attack itself suggests what happens in such a social engineering attack. There is an exchange between the target user and the perpetrator, which the target user considers harmless because they are unable to perceive the perpetrator’s real motive. The perpetrator prompts the user to disclose personal data and in return promises to perform a service or give money or free items. For instance, the attacker may promise to fix a fictitious technical problem for the user in exchange for the user’s network and system credentials. If the user falls for the temptation of having their non-existent technical problem fixed by this godsend “technical expert”, they share the sensitive details without hesitation and end up endangering their network security and data security.
Baiting
The bait in social engineering could be physical or digital. If you find an abandoned pen drive lying around in a place that you frequently visit, chances are that it is infected with malware and has been left there deliberately by an attacker, who knows very well that the object will grab someone’s attention. Whoever takes the bait and tries to find out what’s on the pen drive becomes a victim of the malware it contains. There are plenty of baits to be found in the digital world too. An online ad that promises 1 million dollars if you click on it is nothing but a digital bait that will only give you malware.