According to the CERT-UK definition, Social Engineering refers to the manipulation of individuals in order to induce them to carry out specific actions or to divulge information that can be of use to an attacker. Social Engineering preys on common aspects of human psychology such as curiosity, courtesy, greed, gullibility, thoughtlessness, shyness and apathy. The main goal of social engineering is to gain access to otherwise inaccessible systems or information by using psychological manipulation to trick users.
Social engineering attacks happen in one or more steps and do not require sophisticated knowledge of cybersecurity. The Social Engineering Life Cycle starts with Investigation: identifying the victims, gathering information, and selecting attack methods such as phishing emails or calls. The second phase is called the Hook, which means deceiving the victim(s) to gain a foothold by engaging the target and taking control of the interaction. For example, in a phishing email the attacker engages the victim with a fake job promotion in the company, and the victim accepts it by clicking on the malicious link. The third phase is called the Play, in which the attacker executes the attack and obtains the victim’s information. Attackers may also deliver ransomware when the victim clicks on the malicious link, and it spreads quickly across the victim’s network. The last phase is called the Exit: after a successful attack, the Social Engineer closes the interaction by removing all traces of malware and covering their tracks so that they won’t get caught.
Social engineering depends entirely on human error: even where anti-malware or other protective software is in place, Social Engineering attacks can still succeed if users are not properly trained to recognize them. It has five different techniques, including Baiting, Scareware, Pretexting, Phishing, and Spear Phishing.
Baiting attacks use a false promise to pique a victim’s greed or curiosity. They usually involve an offer that is too good to be true or an urgent warning. A widespread form of baiting is the use of ‘free’ Wi-Fi hotspots in public areas such as coffee shops, airports, and hotel rooms. Any data sent over such a connection can be intercepted by the attacker, which is known as a ‘man-in-the-middle’ attack. The attacker may also be able to remotely install malware on the victim’s system, which allows a range of further exploits to be carried out.
The second form of Social Engineering attack is Scareware. In this method, victims are bombarded with false alarms and fictitious threats. A common Scareware example is a web page that displays a message such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or directs you to a malicious site where your computer becomes infected.
Phishing is the most popular social engineering attack type, and it can take different forms via email and text messages. Phishing campaigns aim to create a sense of urgency, curiosity, or fear in victims. Once the victim falls for the phishing scam and clicks on the malicious link, the victim’s sensitive data is exposed, and the click can also lead to a ransomware attack.
In Spear Phishing, an attacker pretends to be from the HR department and sends formal emails to employees about new payment forms, with every word and signature looking exactly like the emails HR has sent to employees before. This type of attack is hard to detect, and employees easily fall for it.
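The phishing and spear phishing lures described above leave recognizable traces in the message itself: a sender domain that only resembles the company’s, a Reply-To that points somewhere else, a link whose visible text differs from where it actually goes, and pressure language in the subject or body. The following script is an added example, not part of the original article, that checks an inbound email for those indicators so a mail filter or help desk can triage it. The domains, addresses, word list, look-alike character map and both sample messages are constructed for illustration.

```python
"""Score an inbound e-mail for common phishing / spear-phishing indicators.

Added example (not from the original article). All domains, addresses,
word lists and sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that phishing lures use to create urgency or fear (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "action required",
                 "account suspended", "within 24 hours")

# Digits commonly substituted for letters in look-alike domains (assumed map).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e",
                               "5": "s", "7": "t", "8": "b"})


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg: Message) -> str:
    """Concatenate all text/* parts of the message (single or multipart)."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def suspicious_indicators(raw_email: str, trusted_domain: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in the message; [] means clean."""
    msg = message_from_string(raw_email)
    trusted = trusted_domain.lower()
    findings: list[tuple[str, str]] = []

    # 1. Sender claims an internal identity but mails from outside the company.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if from_domain != trusted:
        findings.append(("external-sender", f"From domain {from_domain!r} is not {trusted!r}"))
        # Same domain once digit/letter swaps are undone -> deliberate imitation.
        if from_domain.translate(LOOKALIKE_MAP) == trusted.translate(LOOKALIKE_MAP):
            findings.append(("lookalike-domain", f"{from_domain!r} imitates {trusted!r}"))

    # 2. Replies are silently routed to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch",
                         f"Reply-To domain {_domain(reply_addr)!r} differs from {from_domain!r}"))

    # 3. HTML links whose visible URL text and real target host disagree.
    body = _text_body(msg)
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(("link-mismatch", f"link text shows {shown!r} but points to {actual!r}"))

    # 4. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", "pressure language: " + ", ".join(hits)))
    return findings


# Constructed sample: a spear-phishing lure posing as HR (not a real message).
SAMPLE_SPEAR_PHISH = """\
From: "HR Department" <hr-payroll@examp1e-corp.com>
Reply-To: payroll-update@mail-forms.example
To: employee@example-corp.com
Subject: Action required: new payment form
Content-Type: text/html

<p>Please complete the new payment form immediately.</p>
<a href="http://mail-forms.example/login">https://hr.example-corp.com/payroll</a>
"""

# Constructed sample: a legitimate internal message for comparison.
SAMPLE_BENIGN = """\
From: "HR Department" <hr@example-corp.com>
To: employee@example-corp.com
Subject: Quarterly newsletter
Content-Type: text/plain

The newsletter is attached. Questions welcome at hr@example-corp.com.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_SPEAR_PHISH), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {suspicious_indicators(sample, 'example-corp.com')}")
```

The sample lure trips all five indicators; the benign message trips none. These checks are heuristics for triage, not proof: a well-crafted spear phish can pass them, which is why the training and multi-factor authentication discussed below remain the primary defenses.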
Social Engineering Prevention
Social engineering is one of the most prolific and effective means of gaining access to secure systems and obtaining sensitive information. It may require technical and social skills. As a result, the best defense is to educate users on the techniques used by social engineers and to raise awareness. Encouraging the use of multi-factor authentication and keeping software and systems updated are further defenses that users can adopt to protect themselves from Social Engineering attacks.