Social Engineering Attacks-Psychological Manipulation

He wants to know, what you know...? Better keep it with you...!

Social engineering attacks are not only becoming more common against enterprises and SMBs, but they’re also increasingly sophisticated.

Hackers prefer social engineering because it’s much easier to hack a human than a business. Social engineering attacks allow the hacker to combine multiple efforts and even cover their tracks, because they can use the human to take money or install malware under their persona.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.

Email is one of the most common entry points for attacking an enterprise or individuals. Email security is a highest -New priority for all businesses and also individuals, with the growing threat of hackers, viruses spam, phishing and identity theft, as well as the need to secure information.

What are the common social engineering attacks made on companies, and how can they be prevented?
  1. Phishing
  2. Pretexting
  3. Baiting

1. Phishing

“Phishing” uses fraudulent email messages designed to impersonate a legitimate person or organization and trick the recipient into downloading harmful attachments or divulging sensitive information, such as passwords, bank account numbers, and Social Security numbers.

Phishing scams can have a number of different goals
  • Target your cash and payment card data
  • Gain control of your computer and local network resources
  • Gain access to your University Computing Account and resources
  • Phishing scams typically attempt to take advantage of you by:
  • Delivering file attachments that can infect your computer with harmful software
  • Enticing you to click on links to Web sites that infect your computer with harmful software
  • Tricking you into sharing your username and password so hackers can gain access to your network or other sites
You can identify a phishing scam by looking for email messages that
What’s the most dangerous Social engineering threat to organizations?
  • Create a sense of urgency
  • Invoke strong emotions, like greed or fear
  • Request sensitive data
  • Contain links that do not appear to match legitimate resources for the organization that is contacting you
Examples of Phishing Scams
  • Outlook Webmail Update
  • Banking Link Scam
  • Password Expiration Scam from Pitt Address
  • Overdue Invoice
  • Important Mail Notice from Blackboard
  • Dropbox Link Scam: Have we got a surprise waiting for you in Dropbox
  • Library Account Expiration Notice
  • Unusual Sign-in Attempt
  • DHL Letter Pick-Up
  • Mailbox Almost Full
  • Webmail Certificate

A recent scam sent phishing emails to users after they installed cracked APK files from Google Play Books that were pre-loaded with malware. This specific phishing campaign demonstrates how attackers commonly pair malware with phishing attacks in an effort to steal users’ information.

To protect yourself from Phishing
  • Check the Domain on Your Phone and Desktop
  • Look for the SSL on Desktop and Mobile
  • When Using Social Media, Limit Surveys and Games

More about Phishing Click here

2. Pretexting

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.

The Pretexting goal is to obtain personal information about you, such as your SSN, your bank or credit card account numbers, mother’s maiden name, information contained in your credit report, or the existence and size of your savings and investment portfolios.

Examples of Pretexting

We all have probably, at one time or another, received an email claiming to be from a Nigerian Prince who needs you to transfer some amount of money, which will lead to great personal riches. We pretty much all know that these are ridiculous and would hope that no one is actually falling for them. Then there are the slightly less obvious but still ridiculous emails stating that they are from FedEX, UPS or some other shipping company, stating that you have a package that they are unable to deliver. These unfortunately do work sometimes, but they really shouldn’t. The list goes on; fake PayPal, Bank of America, etc. phishing emails are abundant.

To protect yourself from pretexting

Never provide personal, confidential, or financial information to individual initiating contact with you. If they claim to represent a company you do business with, tell them that in order to protect yourself against identity theft, you will need to reinitiate contact with this company.

  • Never use your pet’s name (or children’s name) as a password.
  • Ask your financial companies about their policies for preventing pretexting.
  • Be VERY careful if you answer surveys-and certainly don’t give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don’t give out any information that could be sold or used by pretexters.

3. Baiting

Baiting, similar to phishing, involves offering something enticing to an end user, in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, may distribute malware-infected flash drives or similar devices to employees, hoping that this hardware will be inserted into network-connected computers as the means to spread malicious code. Infected flash drives may be presented to employees as promotional gifts or as a reward for participating in a survey.

Examples of Baiting

Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on.

People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

To protect yourself from Baiting

The strongest defense against baiting and any other social engineering scheme is educating yourself or your team.
Should strive to have a strong security culture within our surroundings, BLOCK USB devices in order to reduce the risk of Baiting. Baiting is the digital equivalent of a real-world Trojan Horse, where the attacker tempts users with free or found physical media (USB drives) and relies on the curiosity or greed of the victim – if they plug it in, they are hacked!

User two-factor authentication in order to make it more difficult for hackers to enter your premises.

Conclusion

Social engineering is a serious and ongoing threat for many organizations and individual consumers who fall victim to these cons. Education is the first step in preventing your organization from falling victim to savvy attackers employing increasingly sophisticated social engineering methods to gain access to sensitive data.

About Prasad Paul 51 Articles
Prasad Paul is a Technical Writer, Security Blogger, Network Engineer and IT Analyst. He is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.