Most cyber criminals and hackers are masters of human manipulation and deception before they are experts in hacking and technology, because it is much easier to have someone hand over their own password than to try to crack it. This is the idea behind social engineering. So, let's see what social engineering is, what its common techniques are, and how we can protect ourselves from its attacks.
In general, protection and security come down to who you trust and what you trust. It is important to know when to trust someone and how you know that the person really is who they claim to be. The same is true for social networks and websites: when do you trust that a website is genuine and that you can safely share your information with it?
Social engineering is a set of techniques for influencing and deceiving human beings into handing over their important and confidential information themselves. Unlike other cyber-attacks, which target vulnerabilities in systems, networks and devices, social engineering targets human weaknesses, which is why it is often called human hacking.
The cyber criminals who use social engineering are called social engineers. Their aim is to obtain private, important and confidential information, whether to steal it, manipulate it, corrupt it or even delete it.
Like most types of manipulation and deception, social engineering is based on trust, a false trust, followed by persuasion. A social engineering attack generally has four stages:
1. Preparation: The social engineer collects information about the victims, for example where they can be reached, such as social networks, e-mail, SMS, etc.
2. Infiltration and personalization: The social engineer approaches the victims, presenting themselves as a trusted and legitimate person, and uses the information already collected on the target to prove it.
3. Exploitation: The social engineer uses their persuasive ability to ask the victim for information such as passwords, payment methods, contact information and anything else that is useful to them.
4. Disengagement: The social engineer breaks off communication with the target once the data has been obtained and accessed.
Depending on the type of attack, each of these steps can take anywhere from hours to months.
Tactics of social engineering attacks
Social engineering can occur anywhere, online or offline. Unlike common cyber-attacks, which happen secretly and without notice, social engineering attacks happen right before your eyes.
1. A friend sends you a strange message: Social engineers can pose as trusted people in your life, such as your friends, your manager, your colleagues and even your bank. They will send you a message in that person's name containing harmful links.
2. Working on the emotional side: The less our feelings are under our control, the weaker our defense against social engineering. Feelings such as fear, excitement, curiosity, anger, guilt and sadness are the targets of social engineers, so think twice before your online interactions.
3. The request is urgent: Social engineers don't want you to think twice about their techniques, so most attacks carry a sense of urgency and haste, for example asking you to enter your information right away or to download a "security program" because your device supposedly contains viruses.
4. The offer feels too good to be true: Have you ever received a message you never asked for, even great news that you've won a lottery or been given a service license for free?
5. You receive help and services you didn't ask for: Social engineers may contact you as the representative of a company that solves a problem you have; for example, you have a technical issue and they contact you as the support team, so you give them direct access to change your system.
6. The sender can't prove their identity: For example, when you become suspicious of someone and ask them to prove their identity over a video call, they refuse.
Like most cyber-attacks, social engineering has many forms and techniques that are continuously evolving. These are some of its common types:
1. Scareware: As the name suggests, scareware is a type of malware designed to scare you into doing something. It often arrives as e-mails and pop-ups that ask you to act immediately, for example to "download a program to clean up harmful viruses and files", where that program is the virus itself.
2. Hacked e-mail accounts and contact spamming: It is human nature to pay attention to messages from people we know, and social engineers know this very well, so they take over those people's e-mail accounts and use them for phishing.
3. Access tailgating: A type of social engineering in which a person physically follows you and gains access to an organization's network or devices through you, for example by carrying a large box in their arms to show that their hands are full, so that you let them in with your fingerprint.
4. Phishing: A common way to get information and data from an unaware target. Generally the social engineer sends the target a message posing as an organization or someone else and asks them to take an action, such as verifying their e-mail or downloading a specific program. It is worth mentioning that phishing has different forms and types:
- Spam phishing: Sent in bulk to many users.
- Spear phishing: Unlike spam, it targets only one person or organization, such as celebrities and important people.
- Vishing: This type of phishing is performed through voice messages. It may be an automated message, or someone may talk to you personally to build more trust.
- Smishing: This type of phishing is performed through SMS.
- E-mail phishing: One of the traditional and most common types of phishing, sent by e-mail.
- Phishing link: A falsified link you receive that contains malware.
- In-session phishing: Occurs when you are already logged in to your account or platform and are suddenly asked to log in again.
In the phishing example, the social engineer may pose as your bank and ask you to click on a link and enter your details there. Those who click on the link are taken to a fake website that looks like the original, so when you enter your information, it goes directly into the pocket of the social engineer.
5. DNS spoofing: Also known as cache poisoning, it occurs when the browser is manipulated so that users are directed to a harmful website. In 2018, $17 million in bitcoin was stolen from users of the MyEtherWallet website.
6. Baiting: This type often occurs on social media, when someone asks you to download a video or a piece of music that is secretly linked to a virus. Or the engineer may leave a USB drive loaded with viruses in a public place, and as soon as anyone plugs it into their device the virus is transferred to it.
7. Physical breaches: The social engineer may pose as an IT expert and go to an organization to repair the staff's equipment, so that they have full control over the devices and can install their own keylogger program on them.
8. Pretexting: The social engineer invents a story that they know will capture the target's attention. Once the story hooks the person, the engineer tries to deceive them and obtain their confidential data.
9. Watering hole attack: Here only one page of a well-known website is targeted, a page with many visitors, so that it reaches the highest number of victims.
10. Quid pro quo: This often happens on gaming platforms, when someone sells game activation codes or cheat codes and asks you to hand over your account to finish the work; eventually you never see your account again.
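The signs listed above (urgency, requests for credentials, unsolicited prizes or "help") and the phishing-link tricks described under type 4 can be turned into a simple triage check. The following is an added example, not code from the original article: it scores a message against those signs and inspects each link for a lookalike domain, a trusted name hidden as a subdomain, or a trusted name placed before an `@` sign. The trusted domains and the message text are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the reader actually trusts.
TRUSTED_DOMAINS = ("examplebank.com", "example.com")
# Wording that matches the article's signs: urgency, a credential request,
# an unsolicited prize, and "help" for a problem you never reported.
SIGN_PATTERNS = {
    "urgency": r"\b(immediately|urgent|within 24 hours|right now|act now)\b",
    "credential_request": r"\b(password|verify your (account|identity)|log ?in again|login details)\b",
    "too_good_to_be_true": r"\b(you (have )?won|winner|lottery|free (license|licence|gift|prize))\b",
    "unrequested_help": r"\b(virus(es)? (found|detected)|your (device|computer) is infected)\b",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (no public-suffix list): login.examplebank.com -> examplebank.com."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike(domain: str, trusted: str) -> bool:
    """True when a domain equals a trusted one after common substitutions (1->l, 0->o, rn->m)."""
    norm = lambda s: s.replace("1", "l").replace("0", "o").replace("rn", "m")
    return domain != trusted and norm(domain) == norm(trusted)

def check_link(url: str) -> list:
    """Return why a link looks suspicious; an empty list means it points at a trusted domain."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.username is not None:
        findings.append("userinfo_in_url")   # a trusted name before '@' hides the real host
    if "xn--" in host:
        findings.append("punycode_host")     # internationalised labels can imitate Latin letters
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    domain_findings = []
    for t in TRUSTED_DOMAINS:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            domain_findings.append("trusted_name_as_subdomain")  # examplebank.com.evil.example
        elif lookalike(domain, t):
            domain_findings.append("lookalike_domain")           # examp1ebank.com
    return findings + (domain_findings or ["untrusted_domain"])

def triage(message: str) -> dict:
    """Score a message against the signs above; a score of 2 or more deserves a second look."""
    signs = [name for name, pat in SIGN_PATTERNS.items() if re.search(pat, message, re.IGNORECASE)]
    links = {u.rstrip(".,;)"): check_link(u.rstrip(".,;)")) for u in URL_RE.findall(message)}
    return {"signs": signs, "links": links, "score": len(signs) + sum(len(f) for f in links.values())}
```

A high score is a reason to verify the sender through a channel you already trust, not a verdict; the domain heuristics are deliberately simple and will miss cases a real public-suffix list or reputation service would catch.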
How do you avoid social engineering attacks?
The best defense and protection against these attacks is to educate yourself about their types and signs so that you can easily recognize them, and to follow these instructions:
When using the Internet: The first line of defense against social engineering is yourself, so be aware of these points:
- Don't open a link you didn't ask for.
- Don't publish too much personal information.
- Be careful with friends you know only on the Internet.
- Recognize the signs of social engineering.
Secure your accounts and network: After awareness, you need to protect your network and accounts, where you keep sensitive and confidential information.
- Use two-factor authentication.
- Use strong and unique passwords and change them regularly.
- Use password manager software.
- Set your spam filters to high.
- Do not allow strangers to use your Wi-Fi.
- Use a VPN.
- Monitor your account activity continuously.
Secure your devices:
- Don't leave your device unattended.
- Use an antivirus and security program (we recommend Kaspersky).
- Keep your software and systems up to date.