When people think of a cybersecurity vulnerability, most imagine a flaw in a system or a device. But what if vulnerabilities are not specific to technology and can also exist in human behavior?
Cybersecurity attacks that target flaws in human behavior are called Social Engineering, and it is one of the oldest threat techniques. In recent years Social Engineering has become far more technically sophisticated and is widely used by attackers to steal sensitive data and identity information.
In this article, we look at Social Engineering strategies and the common vulnerabilities created by our own actions and habits. Read on to learn which threat strategies target human weaknesses, how Social Engineering attacks work, and how to avoid being harmed.
Social Engineering Definition
The easiest way to think of Social Engineering is as a psychological attack. People have an emotional, impulsive side that produces unpredictable behavior. Social Engineering exploits our trust in order to steal data, commit fraud, or gain access to systems the attacker is not authorized to use.
Unlike other cybersecurity attacks, Social Engineering does not by itself involve a technical impact such as breaking into a server or destroying a system. It is therefore typically combined with other malicious techniques such as phishing emails, Trojans, and spyware.
How does Social Engineering Work?
The tactics used in a Social Engineering attack vary with the type of target, which can be either a mass random audience or a specific person.
Mass Random Attack
Attack methods such as mass phishing emails and Trojan-infected files uploaded to public forums fall under this category.
The attack is planned by first creating a fraud scenario that conveys some sort of urgency to the reader. The message may, for example, warn the reader that their credit card has potentially been compromised and that verification requires replying with bank account details.
Another popular scenario is a limited-time free software promotion posted on a public forum, with a link to an executable file contaminated with a Trojan.
The scenario should be kept generic so that it applies to anyone without causing confusion. What makes a mass attack successful is the number of people it reaches. In mass phishing, millions of emails are sent to random recipients regardless of whether they are individuals or businesses. Similarly, in the Trojan upload strategy the malicious link is posted to the most popular forum available in order to catch as many people's attention as possible.
Specific Personal Attack
A personal attack is planned against a specific person or business. The goal is usually financial fraud, so high-profile celebrities and fast-growing organizations are common targets.
Social Engineering works most effectively against an individual, because people put more trust in a situation that contains genuine, verifiable details. Information such as a home address, bank details, online accounts, and recent online orders can be used to make a fraud look legitimate.
Once the necessary personal information has been gathered, a fraud scenario is designed around it to trick the target. In one reported incident, an email with a design identical to eBay's warned that payment information had to be updated immediately or a real, existing shipping order would be canceled. When accurate information arrives from a familiar-looking source, it becomes very difficult to doubt the situation.
Types of Social Engineering
Phishing
Phishing is an advanced form of Social Engineering delivered through email, SMS, voice message, web chat, web advertisement, or a website that mimics the design of a legitimate business or system. Typical phishing messages are built around urgency, usually driven by fear but sometimes by excitement, with the intention of stealing the target's sensitive information.
Phishing may impersonate a globally known business informing you about an order, a lawyer with lawsuit papers, a bank requesting credit card verification, or even a government agency. In most cases the message asks the victim to "verify" something, because that word gives the impression that nothing definite or critical is about to happen.
Baiting
Closely related to phishing, baiting builds its trick around giving users a chance to gain something exciting. Bait can come in physical or digital form. Physical bait includes a game disc, software, or a storage drive contaminated with malware. Digital bait could be a free movie ticket or promo code that requires downloading a Trojan-infected file to your computer. Either way, the user receives malware instead of the promised prize.
Quid Pro Quo
Quid pro quo is Latin for "something for something". This strategy tries to obtain users' information or money in exchange for a service. For example, an attacker posing as technical support asks the user to hand over their login credentials so that the "support" can be provided. Another example is a startup-style offer of $1,000 of insurance coverage for $100. As the saying goes, if it sounds too good to be true, it probably is, and it may well be quid pro quo.
Tailgating
Tailgating, also known as piggybacking, is a method of gaining access to a restricted area by closely following an authorized person. If a technical support caller insists that you log in on his behalf so that he can do his job, that may be an attacker tailgating on your session to access or change your account. In a corporate setting, if a food delivery person asks you to open a locked gate and you let him in without verifying his identity, you may be tailgated and end up enabling criminal activity. Always verify a person's identity before granting any access or authorization.
What Harm Can Social Engineering Cause?
An enormous number of Social Engineering incidents are reported every year.
The three main types of harm caused by Social Engineering are identity theft, financial fraud, and malware injection.
Identity Theft
Individual identities are highly valuable to attackers, who have created many ways to steal identity information. Ironically, the easiest, most successful, and most accurate method turns out to be simply asking for it.
The identity information attackers target includes social security numbers, credit card numbers, driver's licenses, account usernames and passwords, phone numbers, home addresses, and more. This information is then either used for further financial fraud or sold in underground communities.
In some cases attackers simply ask victims to reply to their message with the required identity information. This approach is popular because it works over email, SMS, or even phone calls. Another approach is to ask victims to open a link, which typically leads to a form page that looks like a legitimate business's site.
Financial Fraud
Since the primary goal of most Social Engineering attackers is to make money, they have also developed strategies to steal money directly.
This is usually done by first creating a malicious website that looks exactly like an online payment page from PayPal or eBay. The attacker then sends the victim a message containing a link to that page and insisting that the online payment be completed. The message typically mentions a pending payment or a credit card update, which leads victims to send the money voluntarily.
There are also incidents in which victims are asked to mail a check or send a money order. Social Engineering attackers will use whatever payment method best fits the scenario they have created.
Malware Injection
Injecting malware onto the victim's device through a Social Engineering message is also very common. The malware is either attached to the message or reachable through a link; either way, a convincing Social Engineering message increases the chance that the victim opens it and the infection succeeds.
The Trojan approach enhances this process by letting the malware install without the victim noticing, so the victim is less likely to attempt removal and the malware survives longer. Common malware delivered through Social Engineering includes computer worms, spyware, and Emotet.
How to Protect Yourself from Social Engineering Attacks
The nature of a Social Engineering attack is to trick people without letting them feel that they are being tricked. People who believe they cannot be tricked are exactly the ideal targets. To avoid becoming a victim, it is important to recognize the characteristics of these attacks and follow the tips below before taking any further action.
Keep Calm: Relax, slow down, and remain calm. The first thing attackers want you to feel is urgency, so don't let them take the lead. There is a good chance that the whole story is made up and nothing critical has happened.
Check for Language Mistakes: A message from a legitimate business has few or no errors. Check the text for misspellings, incorrect grammar, awkward wording, or an unusually informal tone; any of these is a warning sign. Keep in mind that a well-crafted phishing message can be flawless, so clean text alone does not prove legitimacy.
Research and Validate: Researching the incident is the best way to validate the situation. Call the support number printed on your card or listed on the company's official website, not the number given in the message, to confirm the details. Search online for the sender address, subject line, and link to see whether others have reported them.
Ask for a Second Opinion: Explain the situation to a friend, co-worker, or expert. Their feedback may give you valuable information and help you understand the situation better. More importantly, talking to someone helps you calm down and avoid impulsive actions.
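The lookalike payment pages described under financial fraud, and the advice to check a message's link before trusting it, can be turned into a mechanical check. The script below is an added example and is not code from the original article or from any vendor it mentions; the HTML message body is constructed for illustration, and the domain names, the `TRUSTED_DOMAINS` list, and the function names are assumptions made for the example. It extracts every link from an HTML message and flags those whose visible text names one domain while the href points at another, those whose host contains a trusted brand name but is a different domain, and those whose host uses punycode (a possible homograph).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (hypothetical, not a real phishing email):
# a lookalike host that embeds the brand name, a genuine link, and a
# punycode homograph whose visible text shows the real site.
SAMPLE_HTML = """
<p>Your order is on hold.
   <a href="http://paypal.com-secure-update.example/login">Update your payment information at paypal.com</a></p>
<p>Or <a href="https://www.paypal.com/help">visit our help center</a>.</p>
<p>Verify now: <a href="http://xn--pypal-4ve.com/verify">https://www.paypal.com/verify</a></p>
"""

# Assumed list of brands the reader would trust (example only).
TRUSTED_DOMAINS = ("paypal.com", "ebay.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace in the visible text
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


def domains_in_text(text):
    """Domains a reader would see in the link text, reduced to registrable form."""
    return {registrable_domain(m.group(1)) for m in _DOMAIN_RE.finditer(text.lower())}


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for links that look like lookalike phishing."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []
        # Punycode labels can render as characters that imitate a real brand.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) host, possible homograph")
        # Visible text names a domain, but the href goes somewhere else.
        shown = domains_in_text(text)
        if shown and target not in shown:
            reasons.append(f"link text shows {sorted(shown)} but href goes to {target}")
        # Brand name buried in a host that is not the brand's domain.
        for brand in trusted:
            name = brand.split(".")[0]
            if name in host and target != brand:
                reasons.append(f"'{name}' appears in host but domain is {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the first and third links are reported and the genuine help-center link is not. The two-label `registrable_domain` heuristic is deliberately simple; a production filter would use a public suffix list so that hosts such as `example.co.uk` are reduced correctly.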