The term “social engineering” (also psychotechnics) is now used in a broad context. It primarily refers to the psychological manipulation and abuse of certain techniques in order to trick a person into taking some decisions and actions. Kamil Mazur, Information Security Specialist at ERGO Technology and Services S.A., points out six rules that can protect you from social engineering.
This article focuses on the use of social engineering for various types of cyberattacks. How do attackers use social engineering? How can you protect yourself against this and what should you look out for? These questions are answered below.
One of the most well-known hackers who is famous for his use of social engineering is Kevin D. Mitnick, who aptly stated in the title of his book – “I broke people, not passwords.” There is no doubt, therefore, that skillfully used social engineering significantly increases the chances of a successful attack.
Before we move on to discuss various methods of attack, let’s take a closer look at the types of techniques used. The most popular social engineering scams boil down to:
Phishing is one of the most widely used weapons of cybercriminals. It owes its popularity primarily to the COVID-19 pandemic, which drove our lives online more than anything before. It is enough to point to the spread of remote or hybrid work, online shopping or e-government services.
With this in mind, it can be concluded that the more potential victims there are, the more types of scams there will be. Classic phishing, most often, is not personalized in any way and is simply sent in bulk as an email or a text message. Phishing poses many threats such as credential or identity theft and device infection. Sometimes phishing itself is just a preliminary phase of a larger and more organized attack on a company. Spear-phishing relies on a more advanced technique and usually targets a specific person. The attack is planned in detail and targets the victim’s weaknesses, which makes it even more difficult to prevent.
Similar mechanisms are used by vishing, which involves all kinds of voice calls, most often telephone calls. In all these cases, social engineering is used to defraud. Often, the criminals follow well-known fraudulent schemes and scenarios, e.g. impersonating a banker or a police officer. Their objective is to exert pressure and force the potential victim to act without thinking. This combination is usually a fast track to bad decision-making – by the time the victim realizes they have made a mistake (such as transferring their savings to an unknown account), it may be too late to reverse it.
Another form of social engineering that is typically used to steal data is pretexting. As the name suggests, the attacker uses a pretext or a made-up scenario to gather sensitive data and information. An example would be a phone call from some well-known institution. The person on the other side uses their supposed authority. They pretend to have a “very important” message for us, but before they share it, they want to verify our identity. For the sake of our safety, of course. Practice shows that the opposite is true. In most cases, the victim will be interested in the message, especially if someone is impersonating a trustworthy institution. Unfortunately, the message does not exist, and the attacker will obtain our personal or other sensitive data. These can easily be used for further attacks and scams.
When discussing social engineering issues, it is worth noting fake news. Keep in mind that false information alone does not necessarily constitute an attack. Nevertheless, it may facilitate the actual attack – phishing, for example. Fake news alone, used on a mass scale, can do a lot of damage and influence the behaviour of the public, which fulfils the premise of ideal social engineering. This is perfectly illustrated by the misinformation related to the current Russian-Ukrainian war. We are observing a spread of fake news whose main purpose is to cause panic among the public or, in many cases, to draw attention to fake news sites in order to facilitate the theft of credentials.
Despite the wide range of cyberattacks that use social engineering, we can effectively defend ourselves against them. All we need to do is to develop a few habits that will certainly help us recognize the aforementioned scams. If you have any suspicions, remember to follow these steps.
The list of scams and social engineering techniques presented above is certainly not exhaustive. Remember that attacks can be carried out in hundreds of ways, and more of them are being created every day. Social engineering is, has been, and will continue to be an effective weapon in the hands of cybercriminals. Much depends on the technical skills of the attacker, but for sure the skillful use of psychological tricks, the art of manipulation and the proper selection of a potential attack victim are equally important. Of course, we must not panic and be suspicious of everyone around us, but there is no doubt that knowledge of basic social engineering methods is a necessity in today’s work environment as well as in private life.
Text: Kamil Mazur, Information Security Specialist at ERGO Technology and Services S.A.
When data is breached by cybercriminals: https://next.ergo.com/en/Cybersecurity/2021/Data-cybercriminals-cybersecurity-phishing-spear-phishing-tailgating-piggybacking.html
Multifactor authentication is not a panacea: https://next.ergo.com/en/Cybersecurity/2021/Multifactor-authentication-MFA