Many people think social engineering is only about deceiving people to get information or tricking them out of something. That view is wrong.
Social engineering has many definitions, but this is one of the most accurate:
"The act of manipulating a person to take any action that may or may not be in the target's best interest."
Social engineering attacks happen in one or more steps. First, the attacker investigates the intended victim to gather the background information needed to make the attack easier, such as weak security procedures and potential entry points.
Then the attacker works to gain the victim's trust and provides stimuli for subsequent actions that break security practices, such as granting access to critical data or revealing sensitive information.
Social engineering is among the most dangerous attack vectors and can cause serious damage to individuals, companies, and other organizations.
It may seem easy to avoid simply by being cautious and not discussing sensitive information with strangers. These habits help a great deal, but attackers know them and design their plans to succeed at the moment you slip.
## 1. Social Engineering Techniques

Social engineering comes in different forms and can be carried out anywhere human interaction is involved. The most common forms of digital social engineering attacks are the following.
Baiting attacks use a false promise of a reward to exploit the victim's curiosity or greed, luring users into a trap that steals their personal information or infects their systems with malware. The most common form of baiting uses physical media such as flash drives to distribute malware.
For example, attackers leave the bait, typically malware-infected flash drives, in conspicuous areas where potential victims are sure to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait is given an authentic look, such as a label presenting it as the company's payroll list or carrying the company logo.
Victims pick up the flash drive out of curiosity and insert it into a home or work computer, which triggers automatic malware installation on the system. Baiting is not limited to the physical world: online baiting consists of enticing ads that lead to malicious sites or encourage users to download a malware-infected application.
Scareware bombards victims with false alarms and fictitious threats. Users are deceived into thinking their system is infected with a virus, prompting them to install software that has no real benefit or is itself malware. Scareware is also called deception software or rogue scanners.
A typical scareware example is a legitimate-looking popup banner that appears in your browser while surfing the web, displaying text such as "Your device may be infected with harmful malware programs." It either offers to install the "tool" for you or directs you to a malicious site where your computer becomes infected. Scareware is also distributed via spam email that doles out bogus warnings or offers worthless or harmful services for purchase.
Pretexting creates an invented scenario to convince a targeted victim to release information or perform some action. For example, the attacker may create a new identity and then use that identity to manipulate and trick the target.
Social engineers use pretexting to portray people in particular jobs and roles that suit the plan. It is especially effective over the phone, where they can claim to be whoever they need to be to persuade you to leak information.
Famous examples are criminals who claim to be calling from your bank so that you release sensitive information that helps them steal the funds in your account.
## 2. Types of Social Engineering Attacks

Keep in mind that an attacker will try anything to gain the information he needs from the target.
Phishing is the most famous social engineering attack, especially when the target is a company. Phishing is usually done through email: the target receives a message with an attachment to download or a link to visit, which lets the attacker gain remote access or install malware on the device.
Vishing (voice phishing) is the same attack made over the phone: the attacker pretends to be someone else, so you act according to the character he plays.
Example: An attacker calls an employee, claims to be from the technical team, and says he is calling to help remove malware. He then dictates commands to the employee and can eventually obtain remote access to the employee's device.
Shoulder surfing is a social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Unauthorized observers watch keystrokes entered on a device or listen to sensitive information being spoken aloud.
Impersonation is one of the most common ways to get into a company: the attacker pretends to be someone else.
For example, a company expects quality inspectors to visit. If the attacker knows this, he can pose as one of them and enter the premises easily. Once inside, he can collect sensitive information that helps him in a later attack.
## 3. How To Mitigate Social Engineering Attacks

To minimize the chance of becoming a victim of a social engineering attack, take note of the following:

- Don't open emails from unknown sources.
- Don't share your life details online.
- Don't tell your passwords to anyone.
- Be aware of all the possible attack vectors around you.
- Be mindful of what you are revealing to strangers.
- Don't have long talks with strangers.
- Don't enter a conversation whose topic could lead to leaking sensitive information.
- Be aware of vishing and phishing.
For the recent social engineering attacks targeting bank customers, you should know that:

- Your bank will only call you to ask for your account number.
- Your bank won't ask you to tell them an OTP.
- Your bank won't send you a link by SMS.
- Your bank won't ask you for your PIN code.

Whenever you feel uncomfortable with a stranger, end the call and stay safe.