Social Engineering (As defined by GOOGLE search)
noun 1. (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Human nature is funny in that way that we tend to trust somebody or something if we are not in a face to face contact with them or it. We will never leave our house or car keys in a public place but react very nonchalant when it comes to the internet and online security.
Statistics show that social engineering attacks are on a disproportional increase. Malicious URLs using HTTPS increased by 26% and a 17% rise in phishing in 2018 alone. An estimated 12 billion records where stolen by cybercriminals in 2018 with projected cyber attacks and theft of 33 billion records by 2023.
Social Engineering Attack Techniques Used by Cybercriminals
Here the five most common forms of digital social engineering assaults:
Using the greed and curiosity of the intended victim to install malware via ads or software to gain access to the victim’s systems
This technique is used to scare the unsuspecting user to be prompted with popups informing them that their systems have been infected by malware. They are then often redirected to sites where the actual malware will be downloaded and infecting their systems
Direct communication convincing the user that critical information is required to correct an issue having a personal impact on the user. The cybercriminal will often masquerade as a co-worker, police, bank and tax officials, or other persons who have right-to-know authority. The purpose of this attack is to obtain social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, and bank records
This scam uses email and text message campaigns to convince users to e.g. log into a known site or company where they are currently registered to change their username and passwords. Emphasis will always be on security and urgency to instill curiosity and fear into the user. This information is then forwarded to the cybercriminal via the fake site provided
- Spear phishing
This is a more directed form of phishing. A crafty cybercriminal will take weeks or even months to convince the user that the “scam” is legit by providing near authentic material to put the user at ease. But the endgame is to divert the user to a fake website where the user will divulge their private credentials
The cybercriminals use the oldest trick in the book: human feelings. They thrive on curiosity, greed, fear, and culpability. If it does not look right, if it sounds too good to be true and if your gut feelings send off alarm bells, then trust them. Remember these cybercriminals have nothing to lose, not like yourself.