In the information security domain, social engineering is a cyberattack in which the attacker manipulates human psychology and tricks the user into bypassing traditional security measures and revealing confidential information. This type of attack relies on effective human interaction to deceive the targeted user. Social engineering is an extremely popular attack vector because exploiting human weakness is easier than finding and exploiting a security vulnerability in a system.
Steps involved in a Social Engineering Attack:
Any social engineering attack involves four distinct stages:
- Gathering information about the victim
- Deception (finding a hook)
- Delivery of the attack
- Covering the tracks
In the first phase, the attackers spend their time finding as much information about the victim as possible to study whom they are targeting. They will analyze the digital footprints and social media profiles to collect relevant data. Then, the attacker will use this personal information to carry out personalized attacks.
In the “Deception” stage, the goal of the attacker is to find a hook that can be used as a potential entry point. For example, the attacker has found out from a user's social media profile that this user is extremely fond of online shopping. The attacker can now send a spoofed email that appears to come from a well-known brand and offers attractive discounts, luring the victim into clicking a link.
Once the link has been clicked, the actual attack takes place. While the link directs the victim to a fake site, the attacker compromises the victim's system, installing malware or performing other malicious actions. By the time the user realizes he has been deceived, it is too late.
The last phase of a social engineering attack is to retreat while leaving behind as little evidence as possible. By using tactics like obscurity, obliteration, and intentional confusion, the attackers make sure that they have covered their tracks before leaving.
Types of Social Engineering Attacks:
Phishing: It is one of the most common social engineering attacks that is becoming more popular with each passing year. Phishing happens via any mode of communication between the attacker and victim; however, email phishing is the most common type. A scammer might send you an email claiming to be your friend or relative requesting you to fill out a form or download the attachment. As soon as you perform the said actions, your system is compromised. The most high-profile cyberattack in the recent past was a phishing attack in which Twitter employees were tricked into giving the attacker access to the company’s internal tools.
Spear Phishing: It is a kind of phishing attack in which a specific individual or organization is targeted.
Whaling: In this type of spear phishing attack, a specific high-profile person, like the company CEO or CTO, is the target. Since this “big fish” has access to accounts of the employees and other secret financial information of the company, an attacker deceiving such an individual can prove detrimental to the organization.
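The phishing, spear phishing and whaling descriptions above all come down to a sender pretending to be someone the recipient trusts. The following is an added example (not code from the original article) of a few mail-gateway style checks a defender can run over an incoming message: executive display-name impersonation, a lookalike sender domain, a Reply-To that points somewhere other than the From domain, and urgency or credential-request wording. The organisation domain, the executive list, the keyword list and both sample messages are constructed for this example.

```python
import email
from email.utils import parseaddr
from difflib import SequenceMatcher

# Hypothetical organisation context, constructed for this example.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card",
                 "password", "verify your account")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, target=ORG_DOMAIN):
    """True if domain differs from target but closely resembles it
    (e.g. examp1e.com vs example.com). Threshold 0.8 is an assumption."""
    if domain == target:
        return False
    return SequenceMatcher(None, domain, target).ratio() >= 0.8


def _text(msg):
    """Plain-text content of a parsed message (handles simple multipart)."""
    if msg.is_multipart():
        return " ".join(
            p.get_payload(decode=True).decode("utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def phishing_indicators(raw_message):
    """Return a sorted list of indicator names triggered by raw_message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + _text(msg)).lower()

    found = []
    # Whaling / spear phishing: trusted executive name, wrong mailbox.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr.lower() != real:
        found.append("executive-name-impersonation")
    # Sender domain that imitates the organisation's own domain.
    if lookalike(sender_domain):
        found.append("lookalike-domain")
    # Replies silently redirected to a domain the sender does not control.
    if reply_addr and _domain(reply_addr) != sender_domain:
        found.append("reply-to-mismatch")
    # Pressure or credential-harvesting language in subject or body.
    if any(word in text for word in URGENCY_WORDS):
        found.append("urgency-or-credential-language")
    return sorted(found)


# Constructed sample messages (not real mail).
WHALING_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.invalid
To: accounts@example.com
Subject: Urgent wire transfer

Please process this wire immediately and keep it confidential.
"""

BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly figures

Attached are the quarterly figures we discussed on Monday.
"""

if __name__ == "__main__":
    print("whaling sample:", phishing_indicators(WHALING_SAMPLE))
    print("benign sample: ", phishing_indicators(BENIGN_SAMPLE))
```

None of these checks is conclusive on its own (a legitimate executive may use an external mailbox while travelling), so in practice the indicators feed a score or a quarantine rule rather than an outright block, and the lookalike check should be backed by a list of the organisation's registered and known-typo domains.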
Baiting: Another common attack vector is the attacker leaving a malware-infected physical device, like a flash drive or a portable hard drive, where it is most likely to be found by someone. As soon as the victim inserts it into his system, the malware is installed, and security is compromised.
Vishing: Have you ever received a phone call from a person claiming to be a representative of your bank and asking for sensitive information? This is exactly how vishing works. This attack uses social engineering tactics over the phone to obtain the victim’s personal or financial information.
Smishing: This is a variation of vishing, i.e., a social engineering attack that takes place via text messages instead of a voice call.
Tailgating: This is a type of attack in which an authorized person allows an unauthorized person access to a restricted site, security-sensitive device, or software. The unauthorized person then proceeds to install malware or embed malicious code that puts the entire network at risk.
Scareware: In this social engineering attack, the hackers make the target believe that their system is infected and offer an easy solution. The victim is frightened and convinced that clicking this pop-up or link will remove the virus from his system. As soon as that pop-up is clicked, the system is hijacked.
Honeytrap: In this social engineering attack, the attacker makes use of dating apps or social media profiles to engage in a romantic conversation with the target. Once trust is established, the attacker convinces the victim to send gifts, bitcoins, or share sensitive information. Online dating is dangerous, and one should be extra careful while sharing information with strangers.
Dumpster diving: This attack is exactly what the name suggests: searching a company’s dustbins or trash for any relevant information, such as computer passwords or financial transaction details, that can be used to target the company or an individual.