Social Engineering Attacks – What you Need to Know
Social engineering is the use of psychological methods to get hold of your confidential information or data: the attacker manipulates you into divulging your private information. It means playing with people's minds to harvest information and then using that information for personal benefit. An individual or a group of malicious users carries out a broad range of activities to extract sensitive information, and the person who makes the resulting security mistake becomes the victim of this psychological manipulation.
There are plenty of social engineers in our society, and in different parts of the world, who are interested in stealing your personal information and data. You never know: even the person sitting next to you might steal the password to your personal computer simply by keeping an eye on your keyboard. These fraudsters first try to win the confidence of their targets by presenting tempting offers, then demand hefty sums to be paid once the offer is accepted.
Social engineers attack in stages. First, the social engineer works out what the attack needs to achieve and identifies the target audience. The second stage is collecting sufficient background information about the intended victim. Next, weak security procedures and points that can easily be attacked are identified. Finally, the social engineer tries to gain the victim's trust and attention and provides a stimulus so that the victim breaks the security procedure by performing the requested actions.
This manipulation of people's minds can be carried out in many ways, and social engineers do it for different purposes. Sometimes the aim is financial: the social engineer advertises a huge offer and asks people to pay a certain amount in return. Social engineers have also been very active in stealing confidential data from companies. The many types of social engineering attack are classified into the categories described in the section below.
How many types of social engineering exist?
In social engineering, the attempt to steal confidential information from legitimate individuals and companies can use many different mediums. Social engineering attacks are therefore divided into categories, each of which is briefly described here.
Using text messages, e-mails, websites or any other form of electronic communication as the medium for stealing sensitive information is called a phishing attack (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing#how-to-protect-against-phishing-attacks). Phishers are cybercriminals who target your sensitive data, such as bank account details, credit card information, passwords and other credentials. A cybercriminal may also sell this information on underground markets or use it to steal money from credit cards and bank accounts.
A phisher may recreate the support portal or website of a well-known company and send malicious links through e-mail and similar social media platforms. If the person receiving such a link accidentally leaks personal information, such as credit card details, he becomes a victim of a phishing attack and suffers the consequences. This happens most often during tax season, when a phisher uses social engineering to lure or bait targets: scam tax-filing announcements are created that ask people for personal information such as their bank account, credit card details and social security number.
A phishing attack can also be carried out by sending the target a malicious e-mail that contains an attachment or a link asking for login credentials. By entering your personal login details on such a phishing site, you hand the attacker your details, which he can exploit to gain further information about you or your company.
Phishers usually target large enterprises, mainly for financial gain. Whaling, spear phishing and business e-mail compromise (BEC) are the categories of phishing attack against enterprises. These are briefly explained below:
An attack aimed specifically at senior or high-level executives, to obtain their bank details and other credentials, is called whaling. A fake customer complaint, or an e-mail composed to look like a legal subpoena, are forms of whaling attack. Within an organization, these attacks may lead to advanced persistent threats (APT).
Spear phishing tricks an individual into divulging credentials and logging into fraudulent websites. You become a victim of spear phishing when you click a link or document that automatically downloads malware along with the document. A computer infected with this malware can then be remotely controlled by hackers.
Business e-mail compromise (BEC)
Businesses that work with foreign suppliers have to make regular payments to those suppliers. Using spear phishing, a BEC attacker gains access to the company's network and tries to exploit information about money transfers.
Social engineering attacks can happen anywhere, but those that use the old, traditional medium of the telephone are called vishing attacks. The attacker recreates a company's Interactive Voice Response (IVR) system, attaches a toll-free number to it and tricks people into entering their details. In this way the unauthorized party defrauds people electronically and extracts their personal or financial information.
Baiting takes advantage of the victim's greed and curiosity, often using physical media. The hacker typically approaches with a tempting offer, promising a good or an item to entice the victim. A baiter may also make offers online, such as free downloads of movies, games and music. Tempted by the offer, victims often surrender their login details and fall prey to baiting.
Pretexting is another social engineering technique that extracts personal information (PII) from the victim by building on a scripted scenario: extracting information through a fabricated scenario is called pretexting. Data is stolen, identity theft can follow and second-stage attacks are carried out.
In places protected by electronic barriers such as RFID authentication, tailgating is a form of social engineering attack in which an unauthorized person enters a restricted area with the help of an authorized person.
How to prevent attacks from social engineering?
Social engineers manipulate human feelings, arousing curiosity, fear and anxiety, and trap people through malicious e-mails and links. This leads to the loss of very important personal information. We therefore need to be aware of, and alert to, scam e-mails and links that contain fake offers. Many social engineering attacks in the digital realm can be avoided simply by being alert and vigilant, because a lapse in judgment would allow hackers to exploit your personal information very easily.
First, we need to be aware of all the possibilities that can lead to social engineering attacks. If you cannot recognize the source of an e-mail, avoid opening links and clicking on attachments associated with it. Education and awareness about these spam e-mails are essential, and an enterprise must train and teach its employees.
- Monitor the URLs that an e-mail contains
The URLs in an e-mail may display one address but lead to a different website when clicked: a third-party site that is not affiliated with the genuine sender.
- Do not provide the requested personal information in an e-mail
Social engineers try to obtain information about your financial accounts, such as bank details or credit card information (https://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm). E-mails from official accounts do not ask for financial details or social security numbers.
- Monitor if the message is unsolicited or unexpected
The e-mail may contain information similar to an official message, but the contact numbers and the sender's e-mail address may differ slightly.
- The malicious e-mail asks you to download and install applications or change security settings
Never download or install anything from an unauthorized e-mail, because it would download malware along with the file and infect your computer. If you receive an e-mail from a sender with whom you rarely deal, be more cautious. Also avoid changing any security settings on the computer.
- The e-mail contains errors or incorrect information
Official e-mails from genuine users are usually well written and free of grammatical errors and typographical mistakes.
- There might be several unknown recipients
A malicious e-mail may contain unknown senders and recipients with whom you or your company rarely deal. Be careful before interacting with such senders or replying to the e-mail.
- A pop-up appears that requests credentials
Usually a pop-up appears after clicking a link to a website deliberately designed to look like the official one. In this pop-up a chat-box style window may appear, and a live chat option is created automatically that sometimes asks for personal information such as your social security number and financial details. Avoid providing personal information on such websites.
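Several of the checks above (link text that hides a different address, a sender address that differs slightly from the genuine one, a request for financial or social security details) can be applied mechanically to an e-mail before anyone clicks. The script below is an added example, not part of the original article; the sample message is constructed, and TRUSTED_DOMAIN is a hypothetical domain the recipient legitimately deals with.

```python
"""Heuristic phishing indicators for one raw e-mail, following the checklist above.
Added example with a constructed sample; TRUSTED_DOMAIN is an assumed value."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"   # hypothetical domain you legitimately deal with
SENSITIVE = ("social security", "account number", "credit card", "password")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Host of a URL or URL-looking anchor text, with a leading 'www.' dropped."""
    if "://" not in text:
        text = "http://" + text.strip()
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(raw):
    """Return human-readable warning flags for the message (empty list = none)."""
    msg = message_from_string(raw)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # Sender domain is not the trusted one but reuses its brand name (look-alike).
    if sender_domain != TRUSTED_DOMAIN and TRUSTED_DOMAIN.split(".")[0] in sender_domain:
        flags.append(f"look-alike sender domain: {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("Reply-To domain differs from the sender")
    # Decode every text part so multipart/alternative messages are covered too.
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()   # anchor text as the reader sees it
        if "." in shown and host_of(shown) != host_of(href):
            flags.append(f"link text {shown!r} actually points to {host_of(href)}")
    if hits := [w for w in SENSITIVE if w in body.lower()]:
        flags.append("asks for sensitive data: " + ", ".join(hits))
    return flags

# Constructed sample: look-alike sender, mismatched Reply-To, disguised link, SSN request.
SAMPLE = """From: "Example Bank Support" <alerts@example-bank-secure.com>
Reply-To: verify@mail-check.example
To: you@example.org
Subject: Verify your account
Content-Type: text/html

<p>Confirm your social security number at
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>.</p>
"""
```

Running `phishing_indicators(SAMPLE)` yields four flags; a message from the trusted domain whose link text matches its href and that asks for nothing sensitive yields none.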
There are some software solutions (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/prevent-malware-infection), listed below, that organizations can adopt to stay safe from social engineering attacks:
- Microsoft 365
Microsoft 365 provides intelligent security for users, data and devices. It includes Windows 10, Office 365, and Enterprise Mobility + Security.
- Windows Hello for Business
It provides strong two-factor authentication using a new type of user credential: a PIN or biometric. With its help, the user can authenticate to Azure Active Directory and Active Directory accounts.
- One Drive for Business
This helps back up and restore files when the PC is infected by malware.
- Microsoft Defender Advanced Threat Protection
To prevent ransomware and malware, Microsoft Defender provides advanced protection features that detect threats and protect every endpoint. When suspicious activity is detected, Microsoft Defender raises security alerts for the security operations team to resolve the problem.
- Office 365 Advanced Threat Protection
E-mails carrying ransomware and malware downloads are blocked by this advanced threat protection feature, which uses machine learning.
- Microsoft Edge
The browser blocks access to websites suspected of being malicious.
- Microsoft Exchange Online Protection
It provides reliable protection against malware and spam.
- Controlled folder access
This feature allows only authorized persons to access files.
Microsoft uses machine learning as a key driver of the ongoing evolution of its security technology. New and unknown threats can be handled in real time with the help of machine learning (https://www.microsoft.com/security/blog/2018/06/07/machine-learning-vs-social-engineering/). Microsoft 365 uses machine learning to improve protection against cloud-based threats. Security in Windows 10 is delivered through the Endpoint Protection Platform (EPP), Windows 10 in S mode, Microsoft Edge with advanced browser security, and Windows Defender Advanced Threat Protection.
To counter attacks that stem from social engineering, specialized machine learning models are built and trained for particular file types. Using distributed computing, these specialized models analyze the contents of hundreds or thousands of files at a time. Machine learning analyzes the contents of each file type and selects the most useful features. The chosen features are deployed in the Windows Defender Antivirus client, which uses them to describe each file's content to the machine learning models. When the Windows Defender Antivirus client encounters an unknown file, the machine learning models inspect its features, and if any suspicious property is found, the file is sent to the cloud protection service. There it is evaluated in real time by a larger array of machine learning classifiers.