What is Social Engineering? | Definition | Types | Examples | Prevention
written by 'authorname' on 'date'
What is Social Engineering?
In information security, social engineering is an attack in which a person is manipulated or influenced into revealing sensitive data, or into taking an action that benefits the attacker. The data may be passwords, bank details or system information that the attacker then uses to gain access to a system or account.
Social engineering is also called 'human hacking'. It is a form of cybercrime and it is growing fast, because criminals find it easier to fool a person than to break into a system by technical means alone.
These criminals generally do not attack head-on. They study the behaviour of the target first. Basic information such as a name, phone number and email address is often already public on platforms like Facebook and Instagram, which makes it easy to reach the target. The attacker learns the victim's habits, works out what motivates him or her, and then plans an attack using one of the social engineering methods described below.
How does Social Engineering work?
credits : eset.com
Most social engineering attacks are carried out over the internet, where you never really know who is on the other side, whether the person presents as a stranger or as someone you know. Social engineering attacks rely on direct communication between attacker and victim: online chat, email, a phone call, and so on.
They typically follow this pattern:
- Gathering basic information about the target, such as name, email address and phone number, and noting human weaknesses by observing the target's online activity. The target may be an individual or a whole company.
- Reaching out to the target, establishing a relationship and interacting with them to build trust.
- Exploiting the victim. Once the attacker knows the target's weaknesses and has built trust, he uses one of the social engineering attack types (covered below) against the target.
- Once the attacker has the information he wanted, or has otherwise achieved his goal, he either disengages by breaking off contact or continues to blackmail the victim.
The process can take place in a single email or over months in a series of social media chats. It could even be a face-to-face interaction. But, it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.
It is important to be aware that social engineering thrives on confusion. Many employees and consumers do not realize that just a few pieces of information can give attackers access to multiple networks and accounts.
Let's look at some of the major types of social engineering attacks.
credits : sitelock.com
Types Of Attacks :
In cyber security, a large share of attacks involves some form of social engineering. Here are some common methods social engineers use:
1) Phishing :
Phishing is an attack in which the attacker pretends to be someone else, using fake emails, websites, SMS messages and so on that carry links or attachments designed to compromise the target. Email phishing is one of the oldest social engineering methods. The email may contain a link that leads to a fake login page, so that whatever you type there goes straight to the attacker. It may also carry a malware attachment; if that malware is ransomware, it encrypts the files on your device and the attacker demands payment in return for the key. Let's look at some other phishing variants.
Vishing – Voice phishing is a method in which the attacker calls the target. The voice may be system-generated, or a real person, which increases trust. A target may fall for it and give out personal information such as bank details, PAN details, and so on.
Smishing – In SMS phishing, the text message carries a harmful link, in the same way as the phishing email described above.
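The indicators described above (a display name that claims a well-known brand while the address belongs to another domain, a Reply-To that differs from the sender, links whose visible text names one site while the href points to another, raw-IP or lookalike hosts, and urgency language) can be checked mechanically. The following Python script is an added example written for this article, not code from the original post. It uses only the standard library; the two sample messages are constructed, and TRUSTED_BRANDS is an assumed allow-list that a reader would replace with the brands their own organisation actually receives mail from.

```python
"""Flag common phishing indicators in a raw e-mail message (added example,
not code from the original article). TRUSTED_BRANDS is an assumed allow-list
and the sample messages at the bottom are constructed for illustration."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand names we expect mail from, and the domain each really uses.
TRUSTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
URGENCY_WORDS = ("urgent", "suspended", "immediately", "action required")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (adequate for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def brand_in_host(host):
    """A trusted brand name used inside a host that is not that brand's real domain."""
    for brand, real in TRUSTED_BRANDS.items():
        if brand in host.lower() and registrable(host) != real:
            return brand
    return None


def analyze_message(raw):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real in TRUSTED_BRANDS.items():            # brand in the name, not in the address
        if brand in display.lower() and registrable(from_domain) != real:
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to domain {reply_to.rsplit('@', 1)[-1]} differs from sender domain {from_domain}")

    hits = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    collector = _LinkCollector()
    for part in msg.walk():                               # HTML bodies of all MIME parts
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(f"link to raw IP address {host}")
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode (lookalike) host {host}")
        if brand_in_host(host):
            findings.append(f"host {host} impersonates {brand_in_host(host)}")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(host):   # text names one site, link goes elsewhere
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Security" <alerts@paypa1-support.com>
Reply-To: recover@mail-verify.net
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Verify now: <a href="http://paypal.com.secure-login.net/verify">https://www.paypal.com/login</a></p>
<p>Or use <a href="http://203.0.113.5/help">our help page</a>.</p>
</body></html>
"""

SAMPLE_CLEAN = """\
From: "Build Server" <ci@example.com>
Subject: Nightly build finished
Content-Type: text/html; charset=utf-8

<html><body><p>Report: <a href="https://ci.example.com/r/42">ci.example.com/r/42</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze_message(sample) or ["no indicators"])
```

Run on the constructed phishing sample this reports six indicators (spoofed display name, foreign Reply-To, urgency words, a host that embeds "paypal.com" under another registrable domain, link text that disagrees with the href, and a raw-IP link), and nothing on the clean sample. None of these checks proves a message is malicious on its own; they are the same cues a trained reader looks for, expressed as code so they can run on every message.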
2) Baiting :
In baiting, the attacker lures you with something attractive, such as spam emails offering exciting deals, or an application from an unknown website. The bait usually delivers malware. Examples of baiting include: malware on physical media, left in public places such as lifts or washrooms in the hope that the target will plug it into his or her device; and offer emails carrying malware attachments.
3) Physical Breach :
In a physical breach attack, the attacker shows up in person, pretends to be a representative of a company, and gains unauthorized access to premises and assets.
These attacks are generally carried out against enterprise environments such as businesses and government bodies. They carry a high risk for the attacker and require proper research on the target, but the reward is generally higher if the attack succeeds.
4) DNS spoofing and cache poisoning:
Domain Name System (DNS) spoofing redirects the target's online traffic to a fraudulent website by supplying altered DNS records, for example by poisoning the cache of the resolver the target uses. The fake website may impersonate a legitimate one to harvest credentials, or it may serve malware to infect the target's device. The redirect persists for as long as the poisoned record stays in the cache.
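A resolver's main defence against cache poisoning is to accept only replies that match the outstanding query exactly (transaction ID, source port and question section) and to ignore records outside the zone it asked about (the bailiwick rule). The Python script below is an added example written for this article, not code from the original post or from any real resolver. It builds a DNS query and three constructed replies entirely in memory, using names and RFC 5737 documentation addresses that are assumed for illustration: a genuine reply, a spoofed reply whose transaction ID was guessed wrongly, and a reply with the right ID that smuggles in an out-of-bailiwick record. Nothing is sent on the network, so the source and reply ports are passed in as parameters.

```python
"""Validate DNS replies the way a poisoning-resistant resolver does
(added example, not from the original article). All packets are built
in memory; the names and RFC 5737 addresses below are constructed."""
import os
import struct

A, IN = 1, 1


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, off):
    """Return (name, offset after the name); follows compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def build_query(name, txid=None):
    """A standard query; the transaction ID is random unless the caller fixes it."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    return txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", A, IN)


def build_response(query, answers, additional=()):
    """Reply echoing the query's ID and question; records are (name, ipv4) pairs."""
    _, end = decode_name(query, 12)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, len(additional))
    body = b"".join(encode_name(n) + struct.pack("!HHIH", A, IN, 300, 4) + bytes(int(x) for x in ip.split("."))
                    for n, ip in list(answers) + list(additional))
    return header + query[12:end + 4] + body


def parse_records(data, off, count):
    recs = []
    for _ in range(count):
        name, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        recs.append((name, rtype, data[off:off + rdlen]))
        off += rdlen
    return recs, off


def validate_reply(query, reply, query_port, reply_port):
    """Return {"ok", "reason", "accepted", "dropped"} for a reply to query."""
    def reject(reason):
        return {"ok": False, "reason": reason, "accepted": [], "dropped": []}
    if reply_port != query_port:                        # port randomisation only helps if checked
        return reject("reply did not arrive on the port the query was sent from")
    if reply[:2] != query[:2]:
        return reject("transaction ID does not match")
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", reply[2:12])
    if not flags & 0x8000 or qd != 1:
        return reject("not a well-formed response")
    qname, q_off = decode_name(query, 12)
    rname, r_off = decode_name(reply, 12)
    if rname != qname or reply[r_off:r_off + 4] != query[q_off:q_off + 4]:
        return reject("question section does not echo our query")
    answers, r_off = parse_records(reply, r_off + 4, an)
    _, r_off = parse_records(reply, r_off, ns)
    additional, _ = parse_records(reply, r_off, ar)
    if any(name != qname for name, _, _ in answers):
        return reject("answer name does not match the question")
    zone = ".".join(qname.split(".")[-2:])              # bailiwick: the zone we asked about
    accepted, dropped = [], []
    for name, rtype, rdata in answers + additional:
        if rtype == A and (name == zone or name.endswith("." + zone)):
            accepted.append((name, ".".join(str(b) for b in rdata)))
        else:
            dropped.append(name)                        # out-of-bailiwick glue is never cached
    return {"ok": True, "reason": "", "accepted": accepted, "dropped": dropped}


# Constructed scenario: our query, the genuine reply, and two attacker replies.
QUERY = build_query("www.example.com", txid=0x1234)
GENUINE = build_response(QUERY, [("www.example.com", "198.51.100.7")])
GUESSED_ID = build_response(build_query("www.example.com", txid=0x1235), [("www.example.com", "203.0.113.9")])
POISON_GLUE = build_response(QUERY, [("www.example.com", "198.51.100.7")],
                             additional=[("login.bank.example", "203.0.113.9")])

if __name__ == "__main__":
    for label, pkt in (("genuine", GENUINE), ("guessed id", GUESSED_ID), ("poison glue", POISON_GLUE)):
        print(label, validate_reply(QUERY, pkt, 53111, 53111))
```

The genuine reply is accepted, the reply with the wrong transaction ID is rejected outright, and the third reply is accepted for www.example.com but the record for login.bank.example is dropped because it lies outside the zone that was queried. In a real resolver the transaction ID and source port are both random, which is what makes the second case hard for an attacker to hit; the bailiwick rule is what stops the third case even when the attacker does get the ID right.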
5) Watering hole attacks :
In a watering hole attack, the attacker infects a website popular with the intended victims so that it delivers malware to a large number of users. The attacker first looks for vulnerabilities in the website, either known ones already published on the internet or new ones he finds himself. Often the site is simply running outdated software, because the owner delayed updates while waiting for a more stable version, and attackers use that window as their opportunity.
6) Scareware Attack :
Scareware is malware packaged in a fake application that pressures the user into an action such as buying or downloading unwanted and potentially dangerous software. It does so by displaying fake warnings, for example that your account has been compromised or that a virus is installed on your device.
Examples of Social Engineering Attacks:
- CovidLock, ransomware, 2020: Cyber criminals took advantage of the pandemic with a range of attacks. One was the CovidLock ransomware, an Android app that promised more information about the disease and so tricked victims into installing it.
credits : threatpost.com
Once installed, it locks the victim out of the phone by changing its lock-screen password and denies access to the device; the app cannot simply be uninstalled to get the phone back. The victim is told to pay a certain amount to regain access.
- WannaCry, ransomware, 2017: WannaCry is one of the worst ransomware attacks in history. Although it is often described as having been introduced via phishing emails, it spread mainly by exploiting a vulnerability in the Windows SMB service, which let it move from machine to machine without any user interaction. It is estimated that more than 200,000 computers in over 150 countries were hit, including hospitals, universities and large companies such as FedEx, Telefónica, Nissan and Renault. Losses caused by WannaCry are estimated to exceed USD 4 billion.
- CryptoLocker, ransomware, 2013: One of the most famous ransomware attacks in history, because it used strong public-key encryption (a 2048-bit RSA key) that made recovery without the attacker's key impractical. It caused more than USD 3 million in damage and infected more than 200,000 Windows systems. It was spread through emails with attachments, such as files posing as PDFs.
- ILOVEYOU, worm, 2000: ILOVEYOU is one of the earliest and best-known social engineering attacks delivered by email. It arrived as a message with an attachment posing as a love letter (actually a Visual Basic script), infected tens of millions of machines (more than 45 million by some estimates) and caused damages estimated in the billions of US dollars. Once executed, it replicated itself by emailing copies to everyone in the victim's address book.
How to Prevent Social Engineering Attacks?
credits : digital4pro.com
In a social engineering attack the target can be an individual or a whole company. The attacker wants you to act first and think later. To defend yourself, do the opposite.
Let's see some ways you can protect yourself:
- Do your research. Instead of clicking a link or opening a file from an unknown or suspicious sender, spare some time and do a bit of research. Use a search engine to find the company's real website and contact them through the details given there, not the ones in the message.
- Is the sender really your friend? It is very easy for an attacker to create a fake account, pose as a friend and send you malicious links or files. Always verify, through another channel if necessary, that the message really came from the person you know.
- Is the website real? If the website you are redirected to looks suspicious, for example the logo is outdated, the layout differs slightly from the real site, or the address in the browser bar is not the company's real domain, close it immediately; it may be a trap. Do not trust sites that are not served over HTTPS, and remember that a padlock alone does not prove you are on the genuine site.
- Secure your devices by installing anti-virus software and enabling a firewall. Keep your applications, software and operating system up to date. Turn up the spam filtering in your mail provider to catch phishing emails.
- Use secure networks: do not use public Wi-Fi for sensitive work such as banking or entering passwords. Use your home network, your phone's mobile network or another network you trust, or use a VPN (Virtual Private Network).
- Create strong passwords: protect your system with a long password that is hard to guess and that you do not reuse anywhere else, so that it is difficult for an attacker to crack. The same applies when creating online accounts.
- Use multi-factor authentication. Online accounts are much safer when protected by more than just a password. Multi-factor authentication adds extra verification of your identity at login, so a phished password alone is not enough to get in.
Take a look at these statistics (source). They come from different surveys with different definitions, so treat them as indicative rather than precise:
- 98% of cyberattacks rely on social engineering.
- 43% of IT professionals say they have been targeted by social engineering in the last year.
- 45% of employees click emails they consider suspicious "just in case it's important".
- 47% of employees cite distraction as the main reason they failed to spot a phishing attempt.
- On average, a social engineering attack costs USD 130,000.
- Phishing is the number one type of social engineering attack.
- The FBI's IC3 reports that socially engineered business email compromise is the costliest cybercrime.
- Socially engineered attacks are just under 80% effective.
- An estimated 70 to 90% of breaches involve social engineering.
- 45% of employees do not report suspicious messages for fear of getting into trouble.