Social Engineering Attacks: The What, Why, and How.
There are many different cyberattacks, but there’s one that focuses on the connections between people to convince victims to disclose sensitive information. They are called social engineering, or SE, attacks, and they work by deceiving and manipulating unsuspecting and innocent internet users.
SE attacks are based on gaining access to personal information, such as logins to social media or bank accounts, credit card numbers, or social security numbers. These attacks can be conducted in person, over the phone, or on the internet. They can target an individual person or the business or organization where an individual works.
Sometimes, social engineering cyberattacks trick the user into infecting their own device with malware. This enables the hacker to control the victim’s device, and use it to access other devices in the network and spread the malware even further.
Successful cyberattacks occur when hackers manage to break through the various cyber defenses employed by a company on its network. It is much easier for hackers to gain unauthorized entry via human error than it is to overcome the various security software solutions used by organizations.
That’s what makes SE attacks so devastating: the behavior and mistakes of employees are impossible to predict, so SE attacks are much harder to prevent than technical ones. SE attacks are conducted in two main ways: over the internet, mainly via email, or by deceiving the victim in person or on the phone. Both rely on the same method, gathering information and insights about the individual that lower their psychological defenses and make them more susceptible.
Let’s all work together during National Cybersecurity Awareness Month to #BeCyberSmart. It starts by understanding how SE attacks work and how to prevent them.
Phishing Attacks via Email
You may have heard of “phishing emails.” These are social engineering attacks that aim to gather sensitive information from the victim or install malware on the victim’s device via a deceptive email message. It can also be carried out with chat messaging, social media, or text messages. The most common attack uses malicious links or infected email attachments to gain access to the victim’s computer.
The best way to reduce the risk of falling victim to a phishing email is by understanding the format and characteristics typical of these kinds of emails.
1. Subject line: The email subject line is crafted to be intimidating or aggressive. Scaring victims into acting fast is one of the tactics employed by phishers. Here are some examples of common subject lines used in phishing emails:
- Are you available?
- Payment Overdue
2. Email address of the sender: If the sender’s display name or signature claims to be from one service provider, like Yahoo, yet the actual address is registered with another, like Gmail, this is a big hint that the email is suspicious. You can also check the domain name of the sender’s address against reputation services to see whether it is already known to be malicious. Several services do this for free:
- Norton Safe Web (https://safeweb.norton.com)
- IsItPhishing (https://isitphishing.org)
- Phishtank (https://www.phishtank.com)
- VirusTotal (https://www.virustotal.com)
- AbuseIPDB (https://www.abuseipdb.com)
- Kaspersky VirusDesk (https://virusdesk.kaspersky.com)
3. Time and date the email was sent: This is a good indicator of whether the email is fake or not. If the email is supposedly from your bank or a company, was it sent during work hours and on a workday? Companies don’t send out business emails at midnight or on public holidays, so this is a good way to filter suspected phishing attempts.
4. Assess the content of the email: Hyperlinks included in the email should be logical and authentic. You can check the links by hovering with your mouse over the hyperlink. This will display the actual URL without you needing to click on it.
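The four checks above can be automated as a simple header and body scan. The following is an added example written for this post, not code from the original article; it takes a raw email message, applies the subject-line, sender-domain, send-time and link-text checks, and returns the indicators it found. The two sample messages and every domain in them (example-bank.com, mail-example.net, reply-example.org) are constructed placeholders, and the Reply-To comparison is an extra check beyond the four listed above.

```python
"""Flag the phishing indicators described above in a raw e-mail (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases the post lists as typical phishing subject lines.
URGENT_SUBJECTS = ("are you available", "payment overdue", "urgent", "account suspended")
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 in the Date header's own time zone


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what the user sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the indicator names triggered by an RFC 822 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []

    # 1. Subject line crafted to pressure the reader.
    subject = str(msg["Subject"] or "").lower()
    if any(phrase in subject for phrase in URGENT_SUBJECTS):
        hits.append("urgent_subject")

    # 2. Display name claims one domain, the real address belongs to another.
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = _domain(addr)
    claimed = re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", name.lower())
    if claimed and not any(c == sender_domain or sender_domain.endswith("." + c) for c in claimed):
        hits.append("display_name_domain_mismatch")
    # Extra check (not in the post): replies silently routed to a different domain.
    if msg["Reply-To"] and _domain(parseaddr(str(msg["Reply-To"]))[1]) != sender_domain:
        hits.append("reply_to_domain_mismatch")

    # 3. Sent on a weekend or outside business hours.
    if msg["Date"]:
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
            hits.append("sent_outside_business_hours")

    # 4. Link text shows one site while the href (what hovering reveals) points elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()) \
                    and _host(text) != _host(href):
                hits.append("link_text_mismatch")
                break
    return hits


# Constructed sample: every domain below is a placeholder, not a real sender.
SAMPLE_PHISH = """\
From: "Example Bank (example-bank.com)" <alerts@mail-example.net>
Reply-To: verify@reply-example.org
To: victim@example.com
Subject: Payment Overdue - act now
Date: Sun, 05 Mar 2023 02:13:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Sign in at
<a href="http://login.mail-example.net/g">https://accounts.example-bank.com/</a></p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank (example-bank.com)" <statements@example-bank.com>
To: customer@example.com
Subject: Your March statement is ready
Date: Tue, 07 Mar 2023 10:15:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The business-hours check uses the offset carried in the Date header, so it judges the sender's local time rather than yours; a mail gateway would normally convert to the organisation's own time zone before applying it. None of these indicators is conclusive on its own, which is why the function returns the whole list and leaves the scoring policy to the caller.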
A phishing attack is not just about the email format. It is also about using different tricks and techniques to deceive the victim. Here are some real-world cases about how SE attacks are carried out against companies and individuals:
- Phishers sometimes pose as trustworthy entities, such as a bank, to convince the victim to give up their personal information. This most commonly occurs when the victim clicks on a malicious link in the body of the email, leading to a fake landing page designed to mimic the authentic website of the entity. Once on the fake site, the victim enters or updates their personal data, like a password or bank account details.
The cybercriminal can use this information to steal funds, purchase goods, or blackmail the individual. It can also be used to launch a broader attack on the individual’s organization, for example when employee login details are stolen. Another way that phishing attacks work is by installing a keylogger: silent software that records the keys you press on your keyboard without you realizing you are being monitored. This reveals sensitive data to the attacker, like passwords or credit card details.
- When launched against an enterprise, phishing attacks can be devastating. Phishing attacks are the main way that Advanced Persistent Threat (APT) attacks are carried out. These types of attacks use phishing emails to open an entry gateway that bypasses the security defenses of large networks. Once inside, the hacker can infect the entire network with ransomware, or even gain unauthorized entry into closed areas of the network.
How Phishing Hurts Businesses
Although the internet is the number one choice for launching SE attacks, there are still many other ways that would-be hackers try to gather confidential information that can help them breach networks and systems. Here are some examples:
- Dumpster diving: Hackers try to gather information from physical documents and old computers that have been disposed of in the trash. For example, documents that have not been shredded may contain important information, such as user lists or system manuals, while old computers may contain data that was not completely wiped from the hard drive, enabling hackers to access potentially sensitive information.
- Role-playing: This attack involves a hacker pretending to be an authorized user in order to get other users to disclose their passwords or login details. For example, a hacker could pose as a member of the IT team of the victim’s company and trick them into providing sensitive information.
- Keyloggers/Trojan horses: In this type of SE attack, the hacker manages to install some kind of malicious monitoring software on the victim’s device without them being aware of it. For example, the hacker could provide an email attachment or some sort of freeware, such as a screensaver or game, which the user downloads onto their computer. This installed software now tracks everything the user is doing on the computer and sends it to the hacker. This enables the hacker to effectively spy on the victim, and gain information to enable them to impersonate the user or gain unauthorized entry to systems and networks.
- Open-source intelligence (OSINT): This SE attack is when a hacker gathers information about the intended targets from sources that are available to the public online. They use this intelligence to customize a cyberattack, whether on an organization or an individual.
How to Prevent Phishing Attacks
- Organizations can provide training and awareness programs that help employees understand the risks of phishing and identify potential phishing attacks.
- Never send emails containing sensitive information about work or your personal life, particularly confidential information such as bank account numbers or login details.
- If you have any inkling of suspicion, don’t click on the links contained in an email, and check them out to assess their safety.
- Make sure to use a secure connection with an SSL certificate to access your email.
- Never enter your email account on public or open WiFi systems. If you need access when you’re in public places, install a VPN, and rely on that for anonymity.
- Ignore, report, and delete spam. Never, ever reply to a spam email.
- Never open email attachments sent from an email address you don’t recognize. It is good practice to be cautious of all email attachments.
- Disable HTML rendering in your email client. This stops code embedded in the emails you receive from being executed. Major email clients, such as Outlook and Thunderbird, have HTML rendering disabled by default.
- Never publish your personal email addresses on the internet.
- Make sure all your passwords are complex and strong. Whenever possible, use two-factor authentication.
- Don’t use email services that are free for critical tasks. These include companies such as Hotmail or Gmail.
No More Weak Links
Social engineering attacks take advantage of human nature to attempt to illegally enter networks and systems. Although people are the weakest link in the cybersecurity chain, education about the risks and consequences of SE attacks can go a long way to preventing attacks and is the most effective countermeasure you can deploy.
Cybersecurity tactics and technologies are always changing and developing. Learning about the applications being used in the cyberwar is critical, but it is not out of reach. If you come from a professional background in IT, or if you are simply curious to find out more about a career in cybersecurity, explore our Cyber Defense Professional Certificate Program, a practical training program that will get you on the road to a prolific career in the fast-growing cybersecurity industry. Don’t wait for Cybersecurity Awareness Month to be over before starting your path towards a more secure life online.