The term social engineering has become commonplace in our world today, especially as a lot of our activities, both personal and corporate, are carried out on mobile devices or personal computers over the internet. In this article, I will touch on this pervasive art, the common tactics and ways to avoid falling victim.
Social Engineering like the term suggests refers to a diverse range of activities employed by malicious parties with the aim of luring unsuspecting victims to divulge sensitive information which will impact their online safety and might lead to financial loss.
This tactic has been increasingly employed by malicious parties in recent years, as it is considered "low hanging fruit", a less stressful approach to gaining unauthorized access than the high technical barrier of learning how to hack a machine and the effort of finding and exploiting vulnerabilities.
Social Engineering Techniques
A broad range of techniques are employed in social engineering, some of which I will discuss in this section.
Phishing: This is a variant of social engineering that uses email, phone calls or SMS to lure unsuspecting victims into supplying sensitive information such as personally identifiable information (full name, date of birth, sex, ID number), credit or debit card numbers, PINs and passwords, amongst others. An email is typically sent by the malicious party to the target with a tone of urgency which compels the target to either click on an embedded link or reply to the email, opening a line of conversation for further interaction.
Spear Phishing: This is a very close variant of the attack technique explained above, but it differs in its execution. Spear phishing, as the name suggests, typically has a defined target or set of targets such as an individual, organization or business. A very good example of this is a malicious party impersonating the Human Resources department of a company, then sending an email to the employees directing them to click on a link or download a document to view or initiate the payment of their performance bonus, thereby gaining unauthorized access to sensitive information like user credentials through code embedded in the document. Another variant of this technique is Business Email Compromise (BEC), where malicious parties impersonate the email address of high-ranking executives with substantial financial approval rights, or of vendors working with a particular company.
Clickjacking: This is an interface-based attack, also called a "UI redress attack". Users are tricked into clicking things they do not intend to click, thereby being redirected to a false or malicious website or downloading suspicious files which enable the malicious party to take control of the target machine. This attack technique is deployed on web pages using layered frames: a frame carrying a different link is placed over a legitimate one, so that a click performs an action other than the one the user intended.
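Because clickjacking depends on an attacker being able to load your page inside a frame on their own site, the standard defence is to tell browsers which origins may frame the page. The following added example (my code, not from the original article) audits a set of HTTP response headers for that protection. The header names `Content-Security-Policy` (with its `frame-ancestors` directive) and `X-Frame-Options` are real; the sample responses are constructed.

```python
"""Classify the anti-framing posture of HTTP response headers.

A page that can be framed by any origin is a candidate for clickjacking;
a page served with a restrictive frame-ancestors directive (or, for older
browsers, X-Frame-Options) is not.  Added example; sample data is constructed.
"""
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    An empty source list matches nothing (equivalent to 'none')."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return "csp", "xfo" or "none".

    "csp"  - CSP frame-ancestors restricts who may frame the page (preferred;
             browsers that support it ignore X-Frame-Options when it is present)
    "xfo"  - only the legacy X-Frame-Options header restricts framing
    "none" - any origin can embed the page in a frame
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # frame-ancestors * explicitly allows every origin
        return "none" if "*" in ancestors else "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is obsolete and ignored by current browsers, so it is not counted.
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed sample responses, keyed by a label for the report.
SAMPLE_RESPONSES = {
    "login-page": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy-app": {"X-Frame-Options": "SAMEORIGIN"},
    "marketing": {"Content-Type": "text/html"},
    "widget": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each labelled response to its framing verdict."""
    return {name: framing_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:14s} {verdict}")
```

Running it on the constructed set reports "marketing" and "widget" as frameable by any origin; those are the pages to fix by adding `frame-ancestors 'none'` (or `'self'`) to their CSP.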
Scareware: In this type of attack, users are deceived into believing that their device is infected with a virus and that clicking on and downloading a particular suggested remedy will fix the problem. This tactic is deployed via web pages: users are presented with pop-ups displaying text such as "Your device is infected, install this antivirus to save your device".
Pretexting: As the name suggests, a pretext is a stated justification for a course of action that is not the real reason. Here, the malicious party establishes trust by impersonating people the target trusts, creating a familiar atmosphere in which the target drops their guard. Questions around Personally Identifiable Information (PII) are either asked or the information is supplied to "confirm the identity" of the target, before the exact information needed to carry out their aim is requested.
Preventing Social Engineering
As I established earlier in the article, social engineering uses psychological tactics to compel quick emotional reactions, leveraging the human desire for quick rewards, a sense of urgency and the like. There are some practical ways to prevent people from falling victim to these acts, some of which I talk about below.
Ensure antivirus and anti-malware solutions are installed and up to date: There are a lot of good antivirus and anti-malware solutions that will detect the presence of the malware typically used to gain unauthorized access to personal and sensitive information, so installing these programs serves as a good defense in preventing unwanted acts.
Do not click on any link or download any random attachment: This has now become a chorus sung by security experts, which I will “re-sing”, as a lot of breaches would have been prevented with this simple instruction. When an email is received, before taking any action, review the content of the email, considering things like the sender, the subject, the content, grammatical errors, inspecting the links amongst other things.
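The review described above (who really sent the message, where replies go, and whether a link's visible text matches where it actually points) can be partly automated. This added example (my code, not part of the original article) parses a raw e-mail with Python's standard `email` library and reports the mismatches a reader should look for; the message itself is constructed and the domains in it are placeholders.

```python
"""Triage checks for a received e-mail before anyone clicks anything.

Checks performed:
  1. Reply-To domain differs from the sender's domain (replies go elsewhere).
  2. A link whose visible text names one host but whose href points to another.
  3. Urgency language in the subject line.
Added example; the message and domains below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "bonus payment" lure in the article.
RAW_MESSAGE = """\
From: "Payroll Team" <payroll@corp.example>
Reply-To: payroll-desk@mail-relay.example
To: alice@corp.example
Subject: URGENT: confirm your bonus payment today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your performance bonus is pending. Confirm within 2 hours:</p>
<a href="https://corp.example-login.example/verify">https://portal.corp.example/bonus</a>
<p>Regards, <a href="https://corp.example/hr">HR portal</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify now", "final notice")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL, or of a bare 'host/path' string used as link text."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def triage_email(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    findings = []

    # 1. Where do replies actually go?
    sender_domain = sender.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 2. Does the link say one thing and point to another?
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    for href, text in collector.links:
        looks_like_host = "." in text and " " not in text
        text_host = _host(text) if looks_like_host else ""
        if text_host and text_host != _host(href):
            findings.append(f"link text shows {text_host} but points to {_host(href)}")

    # 3. Is the subject pushing for a hurried reaction?
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("subject uses urgency language: " + ", ".join(hits))

    return {"sender": sender, "reply_to": reply_to, "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for finding in triage_email(RAW_MESSAGE)["findings"]:
        print("-", finding)
```

None of these checks proves a message is malicious on its own; the point is that they surface exactly the details (sender, reply path, real link targets, tone) that the guidance above asks you to look at before acting.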
Be wary of “too good to be true” offers: With the massive surge in ecommerce, we get a lot of sales offers delivered into our inbox, both legitimate and otherwise. A good way to filter is identifying offers that are “too good to be true”. Like it’s widely said, “if it’s too good to be true, then it’s probably too good to be true”.
The use of Multifactor Authentication (MFA): The importance of MFA for staying safe online cannot be overemphasized. MFA combines two or more authentication factors: something the user has (a token), something the user knows (a password or PIN) and something the user is (biometrics) in a single authentication process.
I trust this simplified article gave you a better understanding of social engineering and how to prevent the same.