Social engineering is becoming one of the most popular methods used by cybercriminals for both big and small crimes. Essentially, social engineering is a way to gain access to networks, systems or data by exploiting human psychology and curiosity, rather than using technical hacking techniques. Using a variety of methods, including phone calls and social media messaging, attackers trick people into giving them access to valuable personal or corporate information.
This is the most popular type of social engineering. Phishing is when hackers send fake emails disguised as legitimate ones (usually from a bank or another authority source) to get you either to share valuable information, such as credit card details, or to click on a malicious link.
Some phishing emails are still quite poorly crafted and you can easily spot them. However, others look so much like the real deal that they can trick even experienced internet users.
There are endless examples of phishing. For instance, a few years ago a Snapchat employee gave up important information via email to a person who claimed to be the CEO of the company.
Baiting is social engineering with the least amount of human interaction. Baiters may offer users free movie, music or software downloads; in other cases, they use physical media, such as USBs, to exploit human curiosity.
They will leave an infected USB at a coffee shop, office building hall or similar place where there’s a high chance someone will find it. Then someone takes it, sticks it into their computer and, voila, the malware is installed. If it’s in an office setting, the malware has a chance to get into important systems and files.
One interesting baiting attack was actually a test by a security expert Steve Stasiukonis on a financial company that was his client. His team left USBs infected with Trojan in a parking lot near the office building. Many curious workers picked up the USBs and put them into their computers. This activated a keylogger, and it gave Steve the employees’ login information.
Pretexting attacks rely on building trust with the target and usually requires some background research and a credible story. Typically, scammers pretend that they need certain information in order to confirm identity, make a transaction or fix some problem.
One popular pretext is for a hacker to call up one department and claim to be from another department. They will be in some emergency and need to get some information or access quickly. The other person eventually gives up and provides the passwords or other credentials.
One of the most famous cases of pretexting would be the News of the World scandal when members of the UK press fooled phone operators into handing over their PIN codes, which then allowed those journalists to eavesdrop on the royal family’s voicemails.
How can you protect yourself against social engineering?
Daniel Markuson, Digital Privacy Expert, NordVPN