As technological defenses become more robust, cyber criminals are increasingly using social
engineering techniques to exploit the weakest link in the security chain: people.
1. Phishing
2. Vishing
3. Pretexting
4. Dumpster diving
5. Shoulder surfing
6. Whaling
7. BEC
8. Pharming
9. Baiting
10. Smishing
11. Quid pro quo
12. Tailgating
13. Scareware
1. Phishing
Phishing is the most common type of social engineering attack, typically using spoofed email
addresses and links to trick people into providing login credentials, credit card numbers, or other
personal information.
Social engineers still use phishing techniques to gather information about a target. They are
keen to exploit emotions such as fear and excitement, combined with pressures such as
urgency, to get the highest possible rate of compliance. Phishing and spear phishing attacks
have become more advanced now that attackers can clone reputable websites almost perfectly
and use the clones to steal a client's data. URL shortening also helps attackers avoid
detection: users would be alarmed if they noticed a difference between the legitimate site's
URL and the link they were sent, and a shortened link hides that difference. Attackers use
clones of sites such as online banking systems and social media accounts to harvest large
amounts of data from unsuspecting targets.
Example:
Suppose an attacker sends you an email saying that your PayPal account has been breached and
that your password must be changed urgently, with a link to change it. Many people would
comply without hesitation. The link leads to a PayPal look-alike site that asks you to type your
current password and a new one. When you submit the form, your current password is sent to
the attackers. They have obtained very sensitive information from you in a very short time by
exploiting your fear of losing money and then pressuring you to respond quickly.
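As an added defensive illustration (not part of the original notes), the following Python checker flags the URL tricks described above in an HTML email body: links whose visible text names one domain while the href points elsewhere, links routed through URL shorteners, and hostnames that imitate a trusted brand domain. The trusted-domain list, shortener list, confusable-character map and sample email are all constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed reference data for this example (assumptions, not from the notes).
TRUSTED_DOMAINS = {"paypal.com"}
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digit-for-letter swaps commonly seen in look-alike hostnames, mapped back to letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registered_domain(host: str) -> str:
    """Crude registered domain: the last two labels (sufficient for this demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks like phishing (empty list if none found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    if reg in KNOWN_SHORTENERS:
        reasons.append("url shortener hides the real destination")
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if reg.translate(CONFUSABLES) == trusted:
                reasons.append(f"look-alike of {trusted} using substituted characters")
            elif brand in host:
                reasons.append(f"brand '{brand}' appears in host but domain is {reg}")
    # Visible text that shows a URL for a different domain than the real target.
    m = URL_IN_TEXT_RE.search(text)
    if m and registered_domain(m.group(1)) != reg:
        reasons.append("visible link text names a different domain than the href")
    return reasons


def scan_email_html(html: str) -> list[tuple[str, list[str]]]:
    """Return (href, reasons) for every suspicious anchor in an HTML email body."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text)  # strip tags from the anchor text
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message body modelled on the PayPal scenario above.
SAMPLE_EMAIL = """
<p>We detected a breach of your account. Change your password now.</p>
<a href="http://paypa1.com/reset">https://www.paypal.com/reset</a>
<a href="https://bit.ly/EXAMPLE">Change password</a>
<a href="https://paypal.com.secure-login.example/">Secure login</a>
<a href="https://www.paypal.com/help">PayPal Help</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Only the genuine paypal.com help link passes; the other three anchors are reported with the reason each heuristic matched.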
2. Vishing
This technique is based on the old-fashioned way of reaching people: a phone call. This type of
social engineering is known as vishing (voice phishing). Attackers recreate the interactive voice
response (IVR) system of a company, attach it to a toll-free number, and trick people into calling
the number and entering their details.
Example:
With the details collected this way, the cybercriminal may drain the victim's bank account, commit
identity theft, use the victim's credit card details to make unauthorized purchases, and then email
the victim's colleagues in the hope of tricking someone into giving up confidential work information.
3. Pretexting
Pretexting is another form of social engineering, often the early stage of a more complex attack,
in which attackers focus on creating a good pretext, or fabricated scenario, typically a backstory
that makes them sound trustworthy, which they then use to try to steal the victim's personal
information.
Example:
The most common example of a pretexting attack is when someone calls an employee and
pretends to be a person in authority, such as the CEO or a member of the information technology
team. The attacker convinces the victim that the scenario is genuine and collects the information
they are after.
4. Dumpster diving
Dumpster diving is the practice of sifting through the trash of private individuals or companies to
find discarded items that include sensitive information that can be used to compromise a system
or a specific user account.
One of the most infamous examples of dumpster divers is Jerry Schneider, who started a
wholesale telephone equipment company while in high school in 1968. The idea came from the
dumpster, specifically Pacific Telephone’s trash, that included order and delivery system
documents, manuals, and invoices. Needless to say, Schneider got in trouble and served 40 days
in a security facility. He then founded a security consulting company.
5. Shoulder surfing
Shoulder surfing refers to using direct observation techniques to get information, such as looking
over someone's shoulder at their screen or keyboard.
Example:
At an ATM, an attacker watches over your shoulder as you key in your PIN.
6. Whaling
Whaling is another common variation of phishing that specifically targets top-level business
executives and the heads of government agencies.
Example:
Snapchat is no stranger to cyberattacks, but in 2016 the social media platform yet again found
itself at the center of a data breach when an employee was tricked into releasing payroll
information about some of its employees. In the attack, a member of the payroll team received
an email from someone claiming to be Snapchat CEO Evan Spiegel, who made a request for
employee payroll information. The data was duly handed over to the attacker and the information
was leaked shortly after.
8. Pharming
Example:
An attacker can use malicious code to monitor user web activity and trigger a redirect to a spoofed
banking site. When a user enters their bank's domain into the browser address bar, the pharming
code hijacks the request and redirects the browser to an attacker-controlled website with the
same look and feel as the official bank site. Users rarely look at the domain in the browser's
address bar, so this is an effective way to steal users' financial data, including their credentials.
9. Baiting
Enticing victims into inadvertently compromising their security, for example by offering free
giveaways or distributing infected devices.
Example:
A flagship mobile phone worth 20,000 is advertised with a catchy ad at a low price, and the
scammers offer to sell it for around 8,000 to 10,000.
10. Smishing/SMS phishing
Text messages that purport to be from legitimate entities are often used in combination with
other techniques to bypass 2FA (two-factor authentication). They might also direct victims to
malicious websites on their phones.
11. Quid pro quo
Quid pro quo attacks rely on people's sense of reciprocity, with attackers offering something in
exchange for information. (In Latin, 'quid pro quo' means 'something for something'.)
12. Tailgating
A physical security attack that involves an attacker following someone into a secure or restricted
area, for instance while claiming to have mislaid their pass.
Example:
A person impersonates a delivery driver and waits outside a building. When an employee gains
security's approval and opens the door, the attacker asks the employee to 'hold the door', and
thereby gains access to the company premises through an authorized person.
13. Scareware
A form of malicious software – usually in the form of a pop-up that warns that your security
software is out of date or that malicious content has been detected on your machine – that fools
victims into visiting malicious websites or buying worthless products.
Example:
Legitimate-looking pop-up banners appear in your browser while you are surfing the web,
displaying text such as "Your computer may be infected with harmful spyware programs."
The pop-up either offers to install a (often malware-infected) tool for you, or directs you to a
malicious site. There you receive a message that malicious content has been detected; on a
mobile device the phone may even vibrate when you land on such a site. You are then prompted
to download software hosted on that site.
How to Prevent a Social Engineering Attack:
Social engineering represents a critical threat to your organization’s security, so you must
prioritize the prevention and mitigation of these attacks as a core part of your cybersecurity
strategy. Preventing a social engineering attack requires a holistic approach to security that
combines technological security tools with comprehensive training for staff and executives.
Your first line of defense against a social engineering attack is training. Everyone in your
organization should know how to spot the most common social engineering tactics, and they
should understand the psychological triggers that scammers use to take advantage of people.
Human based attacks
Sasse and Flechais [60] identified human factors that can impact security governance,
including people: having problems using security tools correctly; not understanding the
importance of data, software, and systems for their organisation; not believing that the
assets are at risk (i.e., that they would be attacked); or not understanding that their
behaviour puts the system at risk. This highlights that risk cannot be mitigated with
technology alone, and that concern assessment is important.
If risk perception is such that there is a widely held view that people do not believe their
assets will be attacked (as noted by [60]), despite statistics showing cyber security
breaches are on the rise year-on-year, then there is likely to be a problem with the
cyber security culture in the organisation. Educating people within an organisation is
vital to ensuring cultural adoption of the principles defined in the risk management plan
and associated security governance policy. People will generally follow the path of least
resistance to get a job done, or seek the path of highest reward.
As Sasse and Flechais note, people fail to follow the required security behaviour for one
of two reasons: (1) they are unable to behave as required (one example being that it is
not technically possible to do so; another being that the security procedures and
policies available to them are large, difficult to digest, or unclear), or (2) they do not want
to behave in the way required (an example of this may be that they find it easier to work
around the proposed low-risk but time-consuming policy; another being that they
disagree with the proposed policy).
Weirich and Sasse studied compliance with password rules as an example of compliance
with security policy [61] and found that a lack of compliance was associated with people
not believing that they were personally at risk and/or that they would be held
accountable for failure to follow security rules. There is thus a need to ensure a sense of
responsibility and a process for accountability, should there be a breach of policy. This
must, of course, be mindful of legal and ethical implications, as well as the cultural
issues around breaching rules, which is a balancing act.
Risk management decisions will be taken to mitigate threats identified for these
processes, and these should be linked to the security policy, which will clearly articulate
the required actions and activities taken (and by whom), often along with a clear
timeline, to mitigate the risks. This should also include what is expected to happen as a
consequence of this risk becoming a reality.
Human factors (see the Human Factors Knowledge Area) and security culture are
fundamental to the enactment of the security policy. As discussed, people fail to follow
the required security behaviour because they are unable to behave as required, or they
do not want to behave in the way required.
A set of rules dictating how security risk management should operate will almost
certainly fail unless the necessary actions are seen as linked to broader organisational
governance, and therefore security policy, in the same way HR and finance policy
requires. People must be enabled to operate in a secure way and not be the subject of a
blame culture when things fail.
It is highly likely that there will be security breaches, but the majority of these will not
be intentional. Therefore, the security policy must be reflective and reactive to issues,
responding to the Just Culture agenda and creating a policy of accountability for
learning, and using mistakes to refine the security policy and underpinning processes –
not blame and penalise people.
Baiting:
As its name implies, baiting attacks use a false promise to pique a victim's greed or
curiosity. They lure users into a trap that steals their personal information or infects
their systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For example,
attackers leave the bait—typically malware-infected flash drives—in conspicuous areas
where potential victims are certain to see them (e.g., bathrooms, elevators, the parking
lot of a targeted company). The bait has an authentic look to it, such as a label
presenting it as the company’s payroll list.
Scareware:
Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived to think their system is infected with malware, prompting them to
install software that has no real benefit (other than for the perpetrator) or is malware
itself. Scareware is also referred to as deception software, rogue scanner software and
fraudware.
Pretexting:
Here an attacker obtains information through a series of cleverly crafted lies. The scam
is often initiated by a perpetrator pretending to need sensitive information from a
victim so as to perform a critical task.
dates, bank records and even security information related to a physical plant.
Phishing:
As one of the most popular social engineering attack types, phishing scams are email
and text message campaigns aimed at creating a sense of urgency, curiosity or fear in
victims. It then prods them into revealing sensitive information, clicking on links to
malicious websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy
violation requiring immediate action on their part, such as a required password change.
It includes a link to an illegitimate website, nearly identical in appearance to its
legitimate version, prompting the unsuspecting user to enter their current credentials
and new password. Upon form submission the information is sent to the attacker.
Spear phishing:
This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on
characteristics, job positions, and contacts belonging to their victims to make their
attack less conspicuous. Spear phishing requires much more effort on behalf of the
perpetrator and may take weeks and months to pull off. They’re much harder to detect
and have better success rates if done skillfully.
TECHNOLOGY BASED ATTACKS
Some social engineering attacks use technology to target people and weak security measures.
Their goals are obtaining personal information, identity theft, execution of malware on systems,
and password and credential theft.
A wide variety of techniques and technologies are used, all of them pervasive in everyday life.
A technology-based approach tricks a user into believing that they are interacting with a 'real'
computer system and convinces them to provide confidential information.
Technologies can be used alone or in combination with each other to lend credibility and depth
to the attack: computers, mobile phones, VoIP, fake ATMs, false login screens, etc.
Technologies involved:
Phishing
Spear phishing
Baiting
Smishing, etc.
These attacks may use malware: Trojans, viruses, fake apps.
For example, the user gets a pop-up window informing them that a computer application has had
a problem and needs immediate fixing. It tells the user to reauthenticate to the application in
order to proceed. As the user does so, they enter their ID and password in the pop-up window
itself. Once they have entered the credentials, the harm is done.
The criminal who created the pop-up window now has the user's ID and password and can,
therefore, access their network and computer system.
TYPES OF SOCIAL ENGINEERING ATTACKS
Tailgating
Another social engineering attack type is known as tailgating or
piggybacking.
Trojan horses
This is one of the most predominant methods currently used by
hackers.
Spear phishing
Spear phishing requires the attacker to first gather information on the intended victims, but the
success rate is higher than in conventional phishing. If a phishing attack is aimed at high-profile
targets in enterprises, the attack is referred to as whaling.
Quid pro quo
Similar to baiting, quid pro quo attacks promise a benefit in
exchange for information.
Smishing
• SMS + phishing. It is a type of phishing attack that uses text messages (SMS) to deceive
recipients.
• Example: a message claims that suspicious activity has been detected on your account and
asks you to send your account information to verify your identity in order to stop it.
Baiting
• It is an attack that uses physical media and relies on the curiosity or greed of the victims.
As the name suggests, baiting attacks use a false promise to exploit a victim's greed or
curiosity. They trap users in order to steal their personal information or infect their
systems with malware.
• The most common type of baiting involves the use of physical media to disperse malware.
For example, criminals leave the bait, typically malware-infected flash drives, in areas
where there is a high probability of potential victims seeing them. These areas include
parking areas, elevators, washrooms, etc. The bait has a specific face value that can
trick the victim into believing its authenticity; for example, the outside of the bait can
carry a label presenting it as a payroll list.
• Potential victims are generally convinced by the face value of the bait and, in turn, may
insert it into a work or home computer system. This results in direct infection of the
victim's computer, as the malware is installed on the victim's device automatically.
• Baiting can be carried out in the physical as well as the online world, where online
baiting consists of enticing ads that redirect users to malicious sites or motivate users
to download a malware-infected computer application.
Reverse social engineering
• Reverse social engineering is an attack in which trust is first established between the
attacker and the victim. The attackers create a situation in which the victim requires
help and then present themselves as someone the victim considers both able to solve
their problem and trustworthy enough to receive privileged information. Of course, the
attackers try to choose an individual who they believe has information that will help them.