
Cybersecurity Awareness: Social Engineering Attacks

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.


How does social engineering work?

The phrase “social engineering” encompasses a wide range of behaviors, and what they all have in common is that they exploit certain universal human qualities: greed, curiosity, politeness, deference to authority, and so on.

While some classic examples of social engineering take place in the “real world”—a man in a FedEx uniform bluffing his way into an office building, for example—much of our daily social interaction takes place online, and that’s where most social engineering attacks happen as well. For instance, you might not think of phishing or smishing as types of social engineering attacks, but both rely on tricking you—by pretending to be someone you trust or tempting you with something you want—into downloading malware onto your device.

This brings up another important point, which is that social engineering can represent a single step in a larger attack chain. A smishing text uses social dynamics to entice you with a free gift card, but once you tap the link and download malicious code, your attackers will be using their technical skills to gain control of your device and exploit it.

  1. Phishing - which also includes text-based smishing and voice-based vishing. These attacks are often low-effort but widely spread; for instance, a phisher might send out thousands of identical emails, hoping someone will be gullible enough to click on the attachment.
  2. Spear phishing or whaling - a “high-touch” variation of phishing for high-value targets. Attackers spend time researching their victim, who’s usually a high-status person with a lot of money they can be separated from, in order to craft unique and personalized scam communications.
  3. Baiting is a key part of all forms of phishing and other scams as well—there’s always something to tempt the victim, whether a text with a promise of a free gift card or something much more lucrative or salacious.
  4. Pretexting involves creating a story, or pretext, to convince someone to give up valuable information or access to some system or account. A pretexter might manage to find some of your personally identifying information and use it to trick you—for instance, if they know what bank you use, they might call you up and claim to be a customer service rep who needs to know your account number to help with a late payment, or they could use the information to imitate you.
  5. Business email compromise (BEC), also known as CEO fraud, combines several of the above techniques. An attacker either gains control of a victim’s email account or manages to send emails that look like they come from that address, then starts sending emails to subordinates at work requesting the transfer of funds to accounts the attacker controls.
  6. Quid pro quo attack - a hacker offers something in exchange for access or information. A tech support scam is a typical example of a quid pro quo attack.
  7. Tailgating is an in-real-life form of social engineering in which an attacker tricks an employee into letting them follow into the building, hence ‘tailgating.’ This is achieved, for example, by pretending to be a delivery person or an employee who forgot their badge, taking advantage of the human desire to be helpful and polite.

The security company Norton has done a pretty good job of outlining some red flags that could be a sign of a social engineering attack. These apply across social and technological techniques, and are good to keep in the back of your mind as you try to stay on guard:

  • Someone you know sends an unusual message: Stealing or mimicking someone’s online identity and then mining their social circles is relatively easy for a determined attacker, so if you get a message from a friend, relative, or coworker that seems off, be very sure you’re really talking to them before you act on it. It’s possible that your granddaughter really is on a vacation she didn’t tell you about and needs money, or that your boss really does want you to wire a six-figure sum to a new supplier in Belarus, but that’s something for you to triple-check before you hit send.
  • A stranger is making an offer that’s too good to be true: We all laugh at the Nigerian prince emails, but many of us still fall for scams that trick us by telling us we’re about to get something we never expected and never asked for. Whether it’s an email telling you that you won a lottery you didn’t enter or a text from an unknown number offering you a free gift card just for paying your phone bill on time, if it feels too good to be true, it probably is.
  • Your emotions are heightened and you have to act now: Social engineering scammers play on strong emotions—fear, greed, empathy—to inculcate a sense of urgency specifically so you don’t stop to think twice about scenarios like the ones we just outlined. A particularly pernicious technique in this realm is a tech support scam, which preys on people who are already nervous about hacks but not very tech savvy: you hear from an aggressive person who claims to be from Google or Microsoft, tells you that your system has been compromised, and demands that you change your passwords right away—tricking you into revealing your credentials to them in the process.

Some basic tips to avoid falling victim to social engineering attacks include:

  • Resist the urge to click links in a suspicious email.
  • Check the Web address of a link (by placing your mouse cursor over the link) and the sender’s email address before visiting the destination website.
  • Visit websites directly rather than clicking links in emails.
  • Be cautious of email attachments, even if they look like they come from a familiar sender.
  • Check for signs such as poor quality of the logo or email, poor grammar or misspellings.
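The second and fourth tips above (compare a link’s visible text with its real destination, and compare the sender’s display name with the actual address) can also be automated on the mail server or in a mail client. The script below is an added example written for this page, not code from the ICT Department; the message it inspects is constructed for the demonstration, and the allow-list of trusted domains and the “last two labels” shortcut for the registered domain are assumptions (production code would use the public suffix list).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name invokes a bank
# brand while the address domain is unrelated, and the first link's visible text
# shows one site while its href points at another.
SAMPLE_EMAIL = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example>
To: employee@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify at <a href="http://login.acme-bank-secure.example/verify">https://www.acmebank.example/login</a></p>
<p>Or see our <a href="https://www.acmebank.example/help">help page</a>.</p>
</body></html>
"""

# Assumed allow-list for this example: domains the organisation really deals with.
TRUSTED_DOMAINS = {"acmebank.example"}


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Lowercase host of a URL; text without a scheme is treated as a bare URL."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    """Crude registered domain = last two labels (assumption; use the public suffix list in production)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Visible link text that itself looks like a URL or domain (e.g. "https://www.acmebank.example/login").
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def link_mismatches(html):
    """Links whose visible text looks like a URL but whose href lands on a different registered domain."""
    findings = []
    for text, href in extract_links(html):
        if _LOOKS_LIKE_URL.match(text):
            shown = registered_domain(host_of(text))
            actual = registered_domain(host_of(href))
            if shown and actual and shown != actual:
                findings.append((text, href))
    return findings


def sender_findings(msg, trusted_domains):
    """Flag a From: whose display name invokes a trusted brand while the address domain is not trusted."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    compact_name = name.lower().replace(" ", "")
    brand_hit = any(td.split(".")[0] in compact_name for td in trusted_domains)
    if brand_hit and domain not in trusted_domains:
        return [f"display name '{name}' but sender domain '{domain}'"]
    return []


def analyze(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = sender_findings(msg, trusted_domains)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for text, href in link_mismatches(html):
        findings.append(f"link text '{text}' resolves to '{host_of(href)}'")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run as a script it prints two warnings for the constructed message: the brand-name/sender-domain mismatch and the link whose text shows `www.acmebank.example` while the href goes to `login.acme-bank-secure.example`. The second link (“help page”) is not flagged because its visible text is not a URL, which is exactly the case the hover-to-check tip cannot help with; there a reader still has to compare the destination against the trusted site.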

Social Media Poisoning

In relation to social engineering, attackers also leverage social media to conduct attacks. We would like to remind everyone to be cautious with pages, posts, and links posted online, as malicious actors are now using a tactic called "Social Media Poisoning" to trick users into opening an embedded link for clicks, traffic, and profit. This activity is evolving and can be used by threat actors for malicious link redirection in phishing campaigns and malware distribution.


Example:

Target:
Employees with family members, relatives, friends, and loved ones in calamity-stricken provinces - seeking news, pictures, or any information about the recent floods.


For inquiries and concerns, you may contact our AC ICT Helpdesk: 
Hotline: (02) 7-908-3400 
Email: helpdesk@ayala.com



About the author

Information and Communication Technology

The ICT Department of the Company exists for the purpose of identifying, analyzing, selecting, implementing, supporting and maintaining ICT infrastructure and systems that increase overall organizational productivity and performance while also supporting the Company’s overall strategic vision and objectives. The support provided by the ICT Department plays a critical role in the Company, spanning strategy and policy planning, design of business processes, organizational structuring, resource management, and operational planning and control.