Student Blog: Yusra Nadeem
January 15, 2020
Social engineering uses a human’s helpful nature against them to access personal data and gain entry into secure systems, such as bank accounts. Social engineering can take many forms, from an urgent company email to a convincing phone call. Social engineers use these tactics for malicious purposes and gain confidential information such as social security numbers, usernames, passwords, and more. Presently, only 3% of malware is technical in nature, while 97% of attacks utilize social engineering to reach their targets.
There are many different types of social engineering; in-person, phone, or digital.
The in-person tactics are effective because of a person’s innate nature to help, for example, holding the door open for somebody who has their hands full. While a kind gesture, it could lead to that person gaining access to your business. Another example could be letting in a technician without verification from a supervisor. This is why you should always verify that the person you are allowing access into your secure facility is supposed to be there by asking a manager or by calling the company they’re representing.
The second type of social engineering is over the phone. This tactic focuses on manipulating your emotions in an attempt to gain access to your accounts, devices, or information. An approximated 4.6 million phone attacks occurred in 2013 using multiple techniques, such as an attacker posing as a customer support agent and convincing the target to give up their passwords. Social engineers also use intimidation tactics to bully callers into revealing confidential information. Another strategy attackers use is asking for donations for a known organization; when the donator gives the payment information, the attacker steals the payment information for their own use.
Lastly there’s digital social engineering which is done via email, websites, and social media. Phishing attacks are the most common, as they make up 77% of digital attacks. Phishing itself can take many forms, but a popular one is when a social engineer sets up a fake website to mimic a known brand and seeks to trick users into using that website instead of the real one. From here, the attacker can attain user credentials or further compromise the user by making them download malware. The same process can apply to social media accounts.
Typosquatting is another method of social engineering that relies on user typos. The attacker purchases a domain name similar to that of a popular service, but with common misspellings or typos. The attacker then hopes someone will commit a typo and land on his website instead of the real one.
In conclusion, always trust but verify everything – from the identities of the customer service representative you are speaking with, to the links you are opening, to attachments you are downloading. The best defense against social engineers is educating yourself, your coworkers, and your family about what to look for in social engineering scams.