Social Engineering: Classification & Prevention

By Ayesha Yousuf

Introduction:

Modern technology brings millions of people countless advantages, but those advantages come packaged with disadvantages. As the world moves towards development and modernization, cyberattacks have become a visible part of it, targeting some of the most prominent organizations in the world.

Let’s dive in and explore the world of social engineering — its classifications, and how to avoid becoming prey to it.

What is Social Engineering?

Social engineering is an art in which an attacker manipulates people into giving up confidential information, which criminals can then use in various ways. Individuals are tricked into installing malicious software that gives cybercriminals access to their operating systems, into filling out forms that disclose private information, and into opening payload links that hand the victim’s session to the attacker. It is usually far easier to fool someone into giving up their credentials than to crack their password (unless it is a weak one).

What Does a Social Engineering Attack Look Like?

Attackers often take advantage of curiosity, and this is how many people become victims of social engineering. When an attacker gets access to a victim’s email account, they send malicious emails to all of the owner’s contacts. Since the email comes from a friend, the recipient is curious to see what the link contains and does not stop to doubt it. Once the link is clicked, the attacker can gain the same access they got from the first victim. Often the email also includes a download link with embedded malicious software; once it is downloaded, the criminal has access to the operating system, email and contacts. In this way the malicious actor chains their attack and hacks into the whole organization.

Classification of Social Engineering:

Human error is one of the biggest weaknesses in any organization’s cybersecurity strategy. Social engineering attacks take advantage of human vulnerability by tricking unsuspecting people into compromising security and giving out sensitive information. Attackers can then breach your physical or technological security to steal money or confidential information. They use various psychological hacks to trick you into trusting them or create a false sense of urgency and anxiety to lower your natural defences.

Here are some classifications of social engineering that have led to disastrous incidents in history.

Phishing:

Phishing attacks are among the most popular social engineering attacks. They are usually carried out through scam emails that describe an urgent situation, through which the attackers request logins or money transfers, make users perform unwanted actions, or get them to give up some of their privileges.

For instance, suppose a friend of yours becomes a victim of social engineering. He claims to have been robbed and beaten and is asking for help. If you receive such a message via email or via a compromised social media account of your friend, asking for a money transfer, you would probably help that friend. Such scenarios happen a lot in phishing.

A scammer sends you an email to “verify” your credentials:

Criminals take this route and ask the recipient to verify his/her credentials. Because the tone of the text is so convincing, down to the logos used, the recipient is pressured into believing the situation and becomes part of the racket. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you are more likely to fall for their phishing attempt.

Notifying you that you are a winner:

The scammer may claim that you are a lottery winner or the millionth user of some popular brand and have won something luxurious. To claim the prize they ask you to fill in your bank account details so they can route the prize money to you, and once you give the details you are handing over your most essential asset out of greed. They are called “greed phishers” because they use only a small pretext, but people are so curious to find out what the prize is that they end up giving the relevant information to the scammers.

Ask for a donation:

Some phishers use this top-of-mind tactic to lure people in. They send a prepared message appealing to generosity and kindness, including instructions on how to send the money. In an act of kindness, some people become part of the scammer’s scheme and hand over money in the name of a donation.

Whaling:

Whaling is another kind of phishing in which the scammers attack high officials, government employees or top-level executives. A whaling attack is usually carried out by spoofing a high official’s email address and using it to target other executives. The email contains an urgent, fake message or time-sensitive information that triggers the receiver to act on it.

If the person acts on the message, he/she is drawn into the attack. This could lead to the loss of confidential information that resides only with directors or high officials.

Response To a Query You Never Submitted:

In this scenario cybercriminals offer extra help you never asked for, on behalf of a company. The criminals use the name of a well-known company whose service people commonly use. If you subscribe to that company’s service, there is a high chance you would accept the criminal’s message, email or phone call. This also works when the person actually needs help: a tailored response that appears to come from the company itself looks like a sign that they care about their customers.

Even though you did not ask for help, you respond to the query to seize the opportunity and use the free offer. Once you reply to the attacker’s message, you have let the criminal into your system and opened yourself up to exploitation.

The representative, who is actually a criminal, will want to “authenticate you” and will ask you to grant remote access to your system, all in the name of help. Alternatively, if you follow the criminal’s instructions, he guides you through steps that create openings for him to enter later and do his favourite job: extracting the information he needs and using it for various money-draining purposes.

Baiting:

The social engineer knows that if you dangle something people want, many will take the bait. These schemes are often found on peer-to-peer websites, social media channels and malicious websites that turn up in search results, or they are shown as ads on classified websites.

To allay your suspicion, the criminals cleverly create fake audiences on the website or social media account. This gives a positive impression, and so the user takes the bait and falls victim to social engineering.

A victim who takes the bait may now have malicious software on their system, which can lead to numerous exploits and expose their contacts. They may also lose their money without receiving anything they bought. If the criminal succeeds in obtaining your credit/debit card or bank details, you may find your account empty the next day.

Pretexting:

Pretexting is a more sophisticated type of social engineering in which the scammer uses a fabricated scenario. The constructed scenario looks so legitimate that the receiver believes it and becomes a victim. The distinguishing feature is that the attacker comes up with a “pretext” that fits your interests and, most importantly, grabs your attention. Pretexting is commonly used by scammers against companies and individuals alike to get access to financial accounts.

The criminal can easily con you into providing your social security number and even your bank details.

Scareware:

Scareware is a form of social engineering that attempts to create fear in the hearts of victims. The cybercriminal injects content into a website and makes a pop-up appear that claims your computer contains a destructive virus. The idea is to convince the victim that their PC or device has been infected with malware, putting their information and privacy at risk. Scareware is often used in conjunction with malicious code in order to gain access to sensitive data.

Out of fear, the user accepts the installation of the “antivirus” that the pop-up offers. The downloaded antivirus may itself be malicious software that spreads throughout your system to infect it, and the cybercriminal may then gain easy access to all of the information stored on your device. More generally, scareware can be anything that targets the insecurity of the victim.

Don’t Become a Victim:

Social engineering attacks target your organization’s greatest vulnerability: its people. This is why adopting a holistic approach to security that combines technological tools with comprehensive training for employees and executives is the key to preventing these types of attacks. Here, we leverage our deep insight into cybercriminals’ methods to provide social engineering prevention.

Beware of Email Hijacking:

Hackers, spammers and social engineers are gaining control of people’s email accounts (and other communication accounts) with increasing regularity. Once they control an account, they prey on the trust of the account holder’s contacts. If you aren’t expecting an email with a link or attachment, contact your friend before opening links or downloading files, even when the sender appears to be someone you know. We need to build a culture of suspicion around links — so that hackers can no longer count on the fact that we trust links in our inboxes by default. One simple way to protect yourself is to always look at the URL of the link and check whether its source is trusted.

Research The Facts:

Be cautious of any suspicious emails that appear to be from companies you use, and do not click on any links within those emails. Scammers often go to great lengths to make a fake email look real, including making it appear to come from companies you trust: with a weak SPF record, an attacker can send mail that appears to come from the company’s own email addresses. Research the supposed company yourself by searching online or calling a number found on the company’s official website. And if the mails are landing in your spam folder, there is a high chance they were sent by an attacker tweaking SPF records.
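To make the SPF point concrete, here is an added example (not the article’s code) that evaluates a sending IP against a domain’s SPF record and flags records that are too permissive to stop spoofing. DNS is replaced by a constructed in-memory ZONE table of hypothetical domains so it runs offline, and only the ip4, ip6, include and all terms are handled (a, mx, exists and redirect are not), which is enough to show why a `+all` or missing `all` term lets anyone send mail as the domain.

```python
"""Offline SPF check: evaluate a sending IP against a domain's SPF record and
flag weak records. Added example, not the article's code. DNS is replaced by
the constructed ZONE table below; only ip4/ip6/include/all terms are handled."""
import ipaddress

# Constructed stand-in for DNS TXT records (hypothetical domains, documentation
# IP ranges). Real code would query DNS here instead of this dict.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 +all",   # '+all': anyone may send
    "noall.example": "v=spf1 ip4:203.0.113.0/24",       # missing 'all' term
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from ZONE, or None if absent."""
    record = ZONE.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip."""
    record = lookup_spf(domain)
    if record is None or depth > 10:        # RFC 7208 limits include nesting
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                      # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            try:                             # a v4 address never matches a v6 net
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False
        elif mech == "include":              # include matches only on 'pass'
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no match and no 'all': neutral


def spf_weaknesses(domain):
    """List reasons a domain's SPF record lets spoofed mail through."""
    record = lookup_spf(domain)
    if record is None:
        return ["no SPF record: receivers cannot check the sender at all"]
    terms = record.split()[1:]
    issues = []
    if "+all" in terms or "all" in terms:
        issues.append("'+all' authorizes every sender on the internet")
    elif "?all" in terms:
        issues.append("'?all' is neutral, so unauthorized senders are not rejected")
    elif not any(t.lstrip("+-~?") == "all" for t in terms):
        issues.append("no 'all' term, so unauthorized senders get a neutral result")
    return issues


if __name__ == "__main__":
    checks = [("example.com", "192.0.2.7"), ("example.com", "203.0.113.5"),
              ("weak.example", "198.51.100.99"), ("noall.example", "198.51.100.99")]
    for dom, ip in checks:
        print(f"{dom:22} {ip:15} -> {check_spf(dom, ip)}")
    for dom in ZONE:
        print(dom, spf_weaknesses(dom))
```

The two weak records show the failure modes the article alludes to: `weak.example` ends in `+all`, so mail from any address "passes", and `noall.example` has no `all` term, so a receiver gets only a neutral result and has no grounds to reject. A properly published record, like `example.com` here, ends in `-all` so that mail from unlisted addresses fails the check and can be filtered.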

Foreign Fake Offers:

Be wary of email messages that promise a job in a foreign country or come from someone who says they can easily help you to immigrate. Whenever you receive such messages online, always confirm their credibility with an authentic source. If someone offers you a job and requests information such as account numbers or Social Security numbers, or instructs you to send money to claim a prize, first contact the official email address of that company and ask for confirmation of the job. If you receive emails that fit this description, DO NOT REPLY and do not provide any personal information.

Training To Learn Psychological Triggers:

Social engineering attacks are not always easy to detect, so it is essential to understand the tactics they use. Attackers may masquerade as trusted entities (like your bank or a big brand) or familiar people, like colleagues or friends. They may create a false sense of urgency by provoking fear or excitement in their victims, causing them to act quickly without thinking. Other times they will use a victim’s curiosity, sense of indebtedness, or conditioned response to authority against them. Avoid such situations and think carefully before you act, as a click could change your and others’ lives.

Training Of The Staff:

Be suspicious of unsolicited communications and unknown people. Check whether emails genuinely come from their stated sender (double-check senders’ names and look out for giveaways such as spelling errors and other sloppy writing). Avoid opening suspicious links; hover over a link before opening it to check its legitimacy.
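The "look at the URL" advice in the email hijacking section and the "hover before you click" advice just above both come down to comparing where a link says it goes with where it actually goes. The following added example (not the article’s code) automates that check over an HTML email body: it pulls every anchor, and flags links whose visible text names one domain while the href points to another, links whose host is a raw IP address, and links that are not HTTPS. The sample email body is constructed and uses documentation-reserved domains and addresses.

```python
"""Audit links in an HTML email body for the mismatches a careful hover would
reveal. Added example, not the article's code; SAMPLE_EMAIL is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches a domain name (optionally prefixed by a scheme) inside link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Crude eTLD+1: last two labels (enough for .com/.net style names)."""
    return ".".join(host.split(".")[-2:])


def audit_links(html):
    """Return [(href, [reasons])] for links that deserve a closer look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = host_of(href)
        if urlsplit(href).scheme.lower() != "https":
            reasons.append("not https")
        try:                            # raw IP hosts are a classic phishing tell
            ipaddress.ip_address(target)
            reasons.append("raw IP address host")
        except ValueError:
            pass
        m = HOST_RE.search(text)        # does the visible text name a domain?
        if m and registrable(m.group(1).lower()) != registrable(target):
            reasons.append(f"text says {m.group(1)} but link goes to {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one look-alike link, one raw-IP link, one honest link.
SAMPLE_EMAIL = """
<p>Dear customer, verify your account within 24 hours:</p>
<a href="http://example-secure.net/verify">https://www.example.com/verify</a>
<p>Or use our mirror: <a href="https://203.0.113.9/login">Secure login</a></p>
<p>Preferences: <a href="https://www.example.com/prefs">www.example.com/prefs</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The first link is the pattern the article warns about: the text reads as the company’s own URL, but the href goes to a look-alike domain over plain HTTP. The third link passes because its visible text and its target share the same registrable domain. The `registrable` helper is deliberately crude (two labels), so for country-code domains like `.co.uk` a real deployment would use a public suffix list instead.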

Practice To Set Up Spam Filters:

Take these simple steps to stop spam in its tracks. Every email program has spam filters, which are handy for getting rid of junk mail. Simply look at your settings options and set these to high – just remember to check your spam folder periodically to see whether legitimate email has been accidentally trapped there. You can also find a step-by-step guide to setting your spam filters by searching for the name of your email provider plus the phrase ‘spam filters’.

Optimizing Security Of Your Device:

You can protect your computer and mobile devices from viruses, spyware and other threats by installing anti-virus software, firewalls and email filters, and keeping them up to date. Set your operating system to update automatically, and if it doesn’t update automatically, update it manually whenever you receive a notice to do so. You can often use an anti-phishing tool offered by your web browser or a third party to alert you to risks.

In a Nutshell:

Creating a positive security culture is critical, and through practice and prevention it can lead to less contact with such rackets. To keep security top-notch, such precautions need to be implemented. Advanced, up-to-date offensive cybersecurity tools should be part of every organization’s and individual’s practice to stay safe from cyberattacks and social engineering. Being aware of how social engineering is performed is also an essential step in preventing it: no matter how perfect we try to make our software, there will always be scenarios where attackers can perform social engineering, so it is our duty to keep ourselves aware of these attacks and always be cautious of them.
