Social Engineering
What is Social Engineering?
Social engineering is the deceptive practice of manipulating individuals, utilizing psychological tricks to induce security errors or obtain personal and sensitive information.
The social engineer manipulates or deceives individuals into divulging such information.
Social engineering is considered more effective than other hacking methods, enabling intrusions into highly secure personal or professional systems. Exploiting the inherent vulnerability of individuals, socially engineered attacks can be executed on a large scale.
These attacks are meticulously crafted to deceive, as they often appear legitimate and function identically to legitimate counterparts.
Social Engineering Techniques
Phishing
One of the most prevalent forms of social engineering is phishing. Phishers rely on the fact that they can use many different disguises and tactics to trick victims. Phishing is the most common form of social engineering attack and the most common cause of data breaches, because it can take so many shapes and forms. It involves disguising fraudulent communications as coming from a legitimate source while directing victims to a malicious website that often mimics the name and appearance of an official one.
Year over year, the number of phishing attacks and attempts is increasing. Attackers are relying on the public's lack of knowledge and awareness of financial crimes. Social engineers target users of online sites and mobile applications. It is estimated that 91% of cyberattacks begin with phishing.
According to a 2022 IBM report, over 300,000 consumers fell victim to phishing attacks, and 83% of organizations experienced email phishing attacks.
Phishing attacks have seen a significant surge, with a staggering 1,139% increase in reported incidents from 2018 to 2022. The financial sector bore the brunt of these attacks, accounting for 41% of all phishing attempts.
Forms of Phishing Attacks
Spear Phishing: Targeted attacks specifically designed to manipulate and trick a specific group.
Vishing: Phone-based phishing to harvest credentials and personal information. The Social Engineer will present themselves as a tech support professional and claim issues with a target's account.
Smishing: Phishing attacks over SMS (text messages) that target smartphones, tricking users into disclosing information or downloading malware, which can bypass multi-factor authentication.
Website Spoofing or Phishing Websites: Illegitimate websites used in conjunction with phishing communications. These websites are illegal yet identical in functionality and design to their legitimate counterpart. They may even have a similar URL! (See Spoofing for more information)
Mobile App Trojan Horses: Attackers use apps that appear normal but are actually malicious. These apps harvest personal and financial information by duplicating payment checkouts and bypassing smartphone permission requests. In 2018, the FBI reported 65,000 fake apps on popular app stores. These apps can appear as fake financial apps, games, or any random app.
Credential Stuffing Attacks: Attackers use stolen credentials from data breaches or phishing attacks to access other accounts in the same or different organizations. There are billions of credential stuffing attacks each year.
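Two of the forms above can be checked for mechanically by a defender: a phishing website is usually hosted on a domain that looks like the brand it imitates, and credential stuffing leaves a distinctive pattern in login logs. The following Python is an added example, not code from the original article; the protected-domain list, the IP addresses, usernames and log lines are all constructed for illustration, and the log format is an assumed one.

```python
"""Two defender-side checks for the phishing forms listed above.

Added example; not code from the original article. Every domain, IP,
username and log line here is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substitutions commonly used to build look-alike domain names
# (digits and letter pairs that resemble other letters, plus a few
# Cyrillic letters that render like Latin ones).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Domains we want to protect (constructed list for the example).
PROTECTED = ("paypal.com", "amazon.com", "mybank.example")


def normalize_label(label: str) -> str:
    """Fold homoglyphs so 'paypa1' and 'arnazon' compare as 'paypal' and 'amazon'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, protected=PROTECTED, max_distance=1):
    """Classify a domain found in a link as legitimate, lookalike,
    brand-in-subdomain or unrelated; returns (verdict, protected domain)."""
    domain = domain.lower().strip(".")
    for legit in protected:
        if domain == legit or domain.endswith("." + legit):
            return "legitimate", legit
    labels = domain.split(".")
    if len(labels) < 2:
        return "unrelated", None
    brands = {normalize_label(legit.split(".")[0]): legit for legit in protected}
    # Registrable label with hyphens removed, so 'paypal-login.com' compares as 'paypallogin'.
    sld = normalize_label(labels[-2].replace("-", ""))
    for brand, legit in brands.items():
        if edit_distance(sld, brand) <= max_distance or brand in sld:
            return "lookalike", legit
    # Brand name used as a subdomain of an unrelated registrable domain,
    # e.g. paypal.com.verify-account.net
    for label in labels[:-2]:
        if normalize_label(label) in brands:
            return "brand-in-subdomain", brands[normalize_label(label)]
    return "unrelated", None


# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail".
LOG_LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed login records: one ordinary user who mistypes a password,
# then one source cycling through many usernames with breached passwords.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 ip=203.0.113.5 user=alice result=fail",
    "2024-03-01T09:00:20 ip=203.0.113.5 user=alice result=ok",
    "2024-03-01T09:01:00 ip=198.51.100.7 user=alice result=fail",
    "2024-03-01T09:01:02 ip=198.51.100.7 user=bob result=fail",
    "2024-03-01T09:01:04 ip=198.51.100.7 user=carol result=fail",
    "2024-03-01T09:01:06 ip=198.51.100.7 user=dave result=fail",
    "2024-03-01T09:01:08 ip=198.51.100.7 user=erin result=fail",
    "2024-03-01T09:01:10 ip=198.51.100.7 user=frank result=ok",
]


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames inside one time window
    with a high failure rate, the signature of automated credential stuffing."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            by_ip[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"], m["result"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "fail")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk), "failures": fails}
    return flagged


if __name__ == "__main__":
    for d in ("secure.paypal.com", "paypa1.com", "arnazon.com", "paypal.com.verify-account.net", "example.org"):
        print(d, "->", classify_domain(d))
    print(detect_credential_stuffing(SAMPLE_LOGS))
```

The domain check deliberately treats the brand name appearing anywhere in the registrable label, or as a subdomain of some other domain, as suspicious; it is a screening aid for link triage, not proof of fraud, and a real deployment would compare against a fuller list of owned domains. The stuffing detector fires on the same source trying many different account names in a short window, which is why the single successful login at the end of the sample is itself worth investigating: a stolen credential that happened to work.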
Why Identify Social Engineering Attacks?
Socially engineered attacks appear genuine and are designed to deceive. They psychologically manipulate the victim into unknowingly disclosing personal and financial information. They are counting on the fact that they can trick you! If you can identify the attack, you can protect yourself!
Phishing itself is responsible for 90% of cyberattacks. Being able to identify and stop phishing can significantly decrease your vulnerability to cyberattacks.
Voice Scams
In a voice scam, the social engineer poses as a representative of a financial institution and tricks the individual into transferring money or making a transaction. These attacks rely on cleverly crafted scripts to manipulate and deceive the account owner, much like vishing. The effectiveness of the script depends on how much information about the target is available online: the more the attacker knows, the more convincing and successful the script becomes.
Remote Access Tool (RAT) Attacks
Remote Access Tools need to be installed on the user's device, and attackers typically achieve this by convincing the user to install the malware or embedding it within deceptive URLs. Once installed, these tools enable attackers to gain remote access and control over the victim's device. As a result, when the user signs into their financial institution, the social engineer can take over the session and manipulate it to their advantage.
Authorized Push Payment (APP) Scams
In APP Scams, the attacker convinces the victim to transfer money through e-transfer or mobile payment apps like Venmo, effectively bypassing multi-factor authentication.
APP Scams are on the rise, as attackers exploit personal data obtained through data breaches on the dark web or gathered from social media.
These scams may also employ ransomware, allowing the social engineer to hold the victim's device or data hostage and demand payment for its release.
With improved access to information, attackers can craft more sophisticated scripts and gain a better understanding of the bank's practices. They may also manipulate the victim's emotions, eliciting feelings of guilt, sympathy, or companionship to further their schemes.