Social engineering is a technique for obtaining information widely used by experienced hackers and spies and, since it involves (especially in the last phase of the attack) a more direct relationship with the victim, this technique is one of the most important to steal information.
In many cases the so-called social engineer manages to get everything he needs from the victim, completely unaware of what is happening to her.
What is social engineering?
When we think of cybersecurity, we think all about how to defend ourselves against hackers who exploit technological vulnerabilities to attack data networks.
But there is another way to penetrate organizations and networks: to exploit human weaknesses.
This practice is known as social engineering and is based on convincing someone to divulge information or to grant access to data networks.
For example, an attacker could pose as a customer service technician to get information such as a username or password.
It is surprising how many people do not think before disclosing such information, especially if the request seems particularly compelling.
Put simply, social engineering is the use of deception to manipulate individuals into divulging information or data, or granting access to them.
Who is the social engineer?
A social engineer, to define himself as such, must be able to be convincing with words designed to favor the success of his work, using effective psychological techniques to grip the unsuspecting victim.
Among the psychological techniques most used by attackers, we remember the following:
- Authority: pretends to be an expert or a superior
- Fear and guilt: describes to the victim the alleged negative consequences of a lack of cooperation
- Ignorance: takes advantage of the victim’s lack of technical knowledge
- Compassion and good intentions: take advantage of the victim’s altruism
- Desire and greed: leverages the victim’s desire to get rich or achieve other goals
Types of social engineering attack
Attacks can be very different.
As the name suggests, baiting implies a physical bait that the victim must take for the attack to be successful.
In fact, it is based on the use of a trap, such as a USB stick or a file containing malware.
This attack uses a pretext to gain attention and persuade the victim to provide the information.
For example, an Internet survey might start with innocent-sounding questions and then go on to ask for banking information.
Phishing attacks exploit an email or text message, apparently coming from a trusted source, asking for information.
Spear phishing, on the other hand, targets a single person within a company, chosen strategically based on their role or task, by sending them an email that appears to come from a high-level executive, but which requires confidential information.
Vishing and smishing
These types of social engineering attacks are variants of phishing: vishing means “voice fishing“, i.e. making a phone call to request data.
For example, the criminal could pose as a service technician of a company, who needs the login information. Smishing, on the other hand, uses SMS to obtain the same type of information.
Qui pro quo
Many social engineering attacks make their victims believe they are getting something in exchange for access to data or information.
Scareware works just like that, promising users – for example – an update to fix an urgent security problem, when in fact the threat is the scareware itself.
Contact spamming and email hacking
This type of attack involves breaking into someone’s email or social media accounts to gain access to contacts.
They could then receive a message where the alleged user informs them that they have been robbed or that they have lost all their credit cards, so they ask to send money to a particular account.
Farming and hunting
This type of attack establishes a form of relationship with the predestined victim, to obtain much more information over a longer period of time.
However, it is very risky for the attacker: they are more likely to be detected.
But if the infiltration is successful, it can yield much more information.
How to avoid social engineering attacks
Social engineering attacks are particularly difficult to counter because they are specially designed to leverage people’s natural traits: curiosity, respect for authority, the desire to help a friend.
However, with certain precautions, it is easy to protect yourself.
Here are some tips to help you detect and prevent social engineering attacks:
- Check the source
- Be wary of unsolicited emails and phone calls
- Do not share personal information on untrustworthy sites and, in general, online
- Do not download apps and programs from unverified sources
- Check the URLs of the websites to visit
- Do not open suspicious email attachments and links (PDFs and Office files can also contain executable scripts and viruses)
- Break the chain of deceptions (e.g. by calling the site provider)
- Ask for an identifier
- Use a good spam filter
- Evaluate the plausibility of the information
- Don’t panic
- Secure your devices
For those who work in a company:
- Create security protocols and procedures for sensitive and risky data
- Raise safety awareness among staff
- Test the procedures and penetration test
- Properly dispose of computer waste
- In case of an attack, ask the authorities for help (not everyone knows that social engineering activities are recognized as crimes and punished as such)