Social engineering is a term used to cover a range of malicious activities accomplished through human interactions. By using psychological manipulation, people can be tricked into giving away important information or access to personal details.
Typically, people expect this in physical interaction, but the same tricks are now being used online. Criminals can make use of social engineering so long as their target is unaware or vulnerable to it. This results in the victim giving strangers full authority over personal accounts and details either without even knowing it, or thinking that it’s an official transaction.
Perpetrators typically investigate their intended victim to gather necessary background information like potential points of entry and weak security protocols. Afterwards, they move in to gain the victim’s trust before executing their plan.
The danger of social engineering lies in human error rather than in technical security vulnerabilities, which makes it difficult to guard against.
In that vein, here are some examples of social engineering online:
Baiting takes advantage of a victim’s curiosity or greed through false promises. Perpetrators lure their targets into a trap that steals their information or infects their systems with malware.
The most common form of this is using physical media to disperse malware, like malware-infected flash drives. Targets tend to become curious—or in some cases, they find themselves claiming a “lost” flash drive as their own—and end up connecting it to a work or home computer. The result is automatic malware installation.
Other times, perpetrators use online forms or fake ads that lead to malicious sites or encourage users to download a malware infected application.
Scareware makes use of a victim’s paranoia or dread by bombarding them with false alarms and fictitious threats. Perpetrators deceive their victims into thinking their systems are infected with malware, encouraging them to download and install software with no real benefit, or the malware itself. This is also referred to as deception software, rogue scanner software, and fraudware.
A good example of scareware is the legitimate-looking pop-up banners appearing on browsers while surfing the web. They usually say, “Your system may be infected with harmful spyware programs.” Clicking on the popup banners will lead victims to malicious sites that actually infect the system.
Scareware can also be distributed through spam mail.
Pretexting is when an attacker obtains information through a series of difficult-to-detect lies. Usually, the perpetrator pretends to need sensitive information from a victim to perform a critical task.
It is common to see perpetrators posing as figures of trust, like co-workers, police, bank and tax officials, or other people with right-to-know authority. The victim is then asked to confirm their identity, which allows the perpetrator to obtain important personal data.
All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records, and even security information related to a physical plant. Recently, pretexting has even been used to obtain one-time passwords from victims.
Phishing scams are one of the most common and well-known types of social engineering, especially through email and text campaigns. These campaigns tend to inspire fear, urgency or curiosity in victims, making it easier to keep them from thinking logically.
An example of this is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, usually a password change. The email includes a link to an illegitimate replica of the legitimate site, so any credentials submitted there are actually sent to the attacker.
A type of phishing scam, spear phishing targets specific individuals or organizations. The messages sent are tailored to their victims based on characteristics, job positions, and contacts belonging to their victims to make the attack less conspicuous.
Spear phishing requires more effort from attackers and may take much longer to pull off, but it is in turn harder to detect and has a higher success rate.
An example of spear phishing might involve an attacker who impersonates an organization’s IT consultant and sends an email to one or more employees. The way it’s formatted and signed may look exactly the same as emails from the true consultant and may deceive recipients into believing its authenticity. The message prompts recipients to change their password and provides them with a link redirecting them to a malicious page where the attacker now captures their credentials.
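As an added, defender-side example (not part of the original article), here is a small Python check for the link trick the phishing and spear phishing examples above describe: the visible link text names the real service while the underlying href goes to a look-alike host. The email body, the domain names and the trusted-host list are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a password-reset lure whose visible link
# text names the real service while the href points at a look-alike host.
SAMPLE_EMAIL_HTML = """<p>Policy violation detected. Change your password now:</p>
<a href="https://examplebank-secure-login.example.net/reset">https://www.examplebank.example/reset</a>
<p>Or visit our <a href="https://www.examplebank.example/help">help center</a>.</p>"""

# Placeholder list of hosts the organisation actually sends links to.
TRUSTED_HOSTS = {"www.examplebank.example", "examplebank.example"}

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html, trusted_hosts):
    """Return (href, reason) for links with an untrusted host or a text/href host mismatch."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = _host(href)
        # Visible text that is itself a URL is where the mismatch trick shows up.
        shown_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        reasons = []
        if href_host not in trusted_hosts:
            reasons.append("untrusted host %s" % href_host)
        if shown_host and shown_host != href_host:
            reasons.append("text shows %s but link goes to %s" % (shown_host, href_host))
        if reasons:
            flagged.append((href, "; ".join(reasons)))
    return flagged
```

Running `suspicious_links(SAMPLE_EMAIL_HTML, TRUSTED_HOSTS)` flags only the reset link, for both an untrusted host and a text/href mismatch, while the genuine help link passes.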
Spotting social engineering is generally difficult; however, knowing the forms it comes in makes it easier to guard against. Practice constant vigilance and wariness when encountering anything resembling these forms.
This content is part of the Banker’s Association of the Philippines’ (BAP) #CyberSafe campaign, where the BAP aims to promote awareness in cybersecurity. The campaign will upload new posts tackling common web security questions and issues, on Wednesdays and Sundays every week.
For more content on cybersecurity, visit the BAP Official YouTube channel.