
SOCIAL ENGINEERING ATTACKS - WHAT AND HOW

By Web Desk Nov 13 2020 1:05PM

Gaining the trust of a stranger is what social engineering attackers do. No one willingly shares their passwords, bank account details or other personal information with the public, so social engineering attacks focus on extracting sensitive information from victims through psychological tricks. Beyond collecting information, social engineering attacks also aim to gain control of your computer by getting malicious software installed on it. Social engineers rely on their ability to manipulate, influence or deceive their targets by exploiting human kindness, greed and curiosity.

How are social engineering attacks carried out? A social engineering attack proceeds through several stages, from investigation to exit or use of the acquired information. In the social engineering lifecycle, the first stage is investigation, which aims at identifying the target and collecting background information about it. The second stage is planning the attack: the attacker selects the attack method and acquires the tools, such as computer programs, needed to launch it. The third stage is the attack itself, in which the attacker exploits the vulnerability in the target system; the attacker may already have engaged the target with psychological tricks before reaching this stage. The last stage is the exit or use of the acquired information. Having gathered what was needed, the attacker ends the interaction without raising suspicion and then uses the collected data for malicious activities.

Common types of social engineering attacks are listed below:

Phishing: Phishing is a fraudulent attempt that uses email and text message campaigns to create a sense of urgency, curiosity or fear in the target. Such an email or text message may carry malware-infected attachments or links to malicious websites. One common example is a fake email claiming that a privacy breach has occurred and asking the recipient to change their password by clicking the enclosed link. These emails look legitimate, but they are sometimes sent by attackers to steal your personal information.

Baiting: Baiting is a social engineering attack that plays on the target's greed and curiosity with false promises. You may have seen messages claiming that you are a lucky winner of a brand new Apple smartphone worth 1 lakh. Such a message comes with URLs that redirect the user to a login or registration page. In reality, this is a way for the attacker to collect your personal data.

Pretexting: Pretexting attacks collect sensitive or non-sensitive information from the victim by constructing a convincing pretext, that is, a fabricated scenario. The attacker poses as an authorized party who has the right to request information from the victim. Attackers commonly pretend to be co-workers, police officers, bankers, tax authorities, clergy, insurance investigators and the like in order to steal information.

Insider Threats: Insider threats target an organization by misusing authorized access to collect critical information. The attacker may be a current employee, a consultant, a former employee, a business partner or a board member of the organization. Because users themselves are the root cause of insider threats, such threats can only be detected by continuously monitoring user activity.

Scareware: Scareware is a malware tactic that induces shock, anxiety or the perception of a threat on your computer and tricks the user into visiting a malware-infected website or downloading or buying malicious software. A pop-up ad claiming that your computer is "infected with a virus" is a typical example of scareware that pushes the user to install fake anti-virus software.

Tailgating: In a tailgating attack, the attacker tricks an organization's employees into granting unauthorized access to restricted areas of the organization that are protected by software-based electronic access controls.
