What is Social Engineering? How To Prevent it
Social Engineering is a kind of psychological attack that exploits human behavior or our cognitive biases rather than technical hacking techniques, to gain access to buildings, systems, or data.
It is the term used for a broad range of malicious activities accomplished through human interactions.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).
Social engineering tactics usually work as a cycle:
- First, an attacker gathers background information — also known as profiling — and chooses a point of entry.
- Next, the attacker initiates contact and establishes a connection.
- Once the connection is made and the attacker is perceived as a trusted source, the attacker exploits the target.
- After the sensitive information is gained, the attacker disengages and disappears.
Types of social engineering attacks online:
1. Baiting:
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.
Sometimes it’s a physical item, like a USB flash drive left in a public place labeled “confidential” in order to spark someone’s curiosity. Once the flash drive is inserted into the victim’s computer and opened, malware infiltrates and infects the host device as well as any connected servers.
Baiting can also take place online, with something like a movie download used as bait. Once the file is downloaded and opened, the hidden malware gains access to the computer.
2. Scareware:
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself.
Scareware is also distributed via spam email that doles out bogus warnings or makes offers for users to buy worthless/harmful services.
3. Spam emails:
You might think of spam simply as a tab in your email inbox, but not all spam emails are successfully filtered out of sight. Well-crafted spam emails can slip past email server screenings and into your inbox, where they can appear like a credible message.
Social engineering emails usually try to entice you into clicking links to fake websites, downloading malicious attachments, or responding with the sort of sensitive information the sender is looking for. Reading up on email security can help prepare you to spot the difference between sneaky spam mail and trusted sources.
4. Pretexting:
Pretexting social engineering attacks involve inventing a scenario, or pretext, to target the victim. The attacker usually impersonates someone authoritative who can request information. An effective pretexting attack requires background research and preparation on the attacker’s end. They need to be able to accurately answer the victim’s questions and appear legitimate.
A common example of pretexting is when an attacker impersonates someone from a company’s IT department. The attacker reaches out to an employee within the company, identifies themselves, and requests remote access to their computer or their login credentials to update a piece of software.
5. Phishing:
One of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity, or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
The email or message usually directs the victim to a fake landing page, complete with correct company graphics. The page asks for login verification or requests a password change due to suspicious activity.
If the victim complies, the attacker gains access to this login data and can use it to try to log into other websites as well, depending on how often the victim uses different passwords for different sites.
6. Spear phishing:
Social engineering phishing scams are often sent to hundreds of potential victims, hoping that someone will click the link. But sometimes the attacker does background research on their potential victims, narrowing it down to a more specific group of people or even one person.
A spear-phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
Social engineering examples
On the phone:
A social engineer can gather your information through call pretending to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
In the office:
“Can you hold the door for me? I don’t have my key/access card on me.” How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Online:
Social networking sites have made social engineering attacks easier to conduct. Today’s attackers can go to sites like LinkedIn and find all of the users that work at a company and gather plenty of detailed information that can be used to further an attack.
Social engineering prevention
- Don’t open emails and attachments from suspicious sources: If you are not sure about the sender, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site.
- Implement multi-factor authentication: Using two-factor authentication can keep you out of the low-hanging-fruit group of internet users that hackers love to target. Two-factor authentication requires you to verify your identity in two separate places, such as on your computer and your phone, or even with a physical security key.
- Train and train again when it comes to security awareness: Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyber threats. Remember, this is not just about clicking on links.
- Keep your antivirus/antimalware software updated: Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
Join Telegram Group of Daily Jobs Updates for 2010-2023 Batch: Click Here
If You Want To Get More Daily Such Jobs Updates, Career Advice Then Join the Telegram Group From Above Link Also Press Red Bell Icon At The Left Side of Page To Subscribe our Updates.
TCS NQT 2021 Registration has been Started For Across India: Click here
Accenture Hiring Freshers of Package 4.5 LPA Across India: Click here
Why You’re Not Getting Response From Recruiter?: Click here
Top 5 High Salary Jobs in India IT Sector 2021: Click here
Whats is the Difference Between a CV and a Resume?: Click here
How To Get a Job Easily: Professional Advice For Job Seekers: Click here
A Leadership Guide For How To Win Hearts and Minds: Click here
How To Improve Communication Skills with 12 Strategy: Click here
Career Tips for Freshers: Top 7 Hacks To Land Your Target Job: Click here
Which Graphics Processor is Best for Gaming 2021?: Click here
Feel Like Demotivated? Check Out our Motivation For You: Click here
Top 5 Best Mobile Tracking App in 2021 For Mobile & PC: Click here
5 Proven Tips For How To Look Beautiful and Attractive: Click here
Home Workouts During The Lockdown For Fitness Freaks: Click here
What is Big Data Analytics? Does it Require Coding?: Click here
