What are social engineering attacks and how do they work?


Social engineering is a psychological attack that exploits human behaviour and cognitive biases rather than flaws in software. It usually involves tricking people into unknowingly disclosing confidential information that can then be used for fraud or other criminal purposes.

Attackers use social engineering techniques to extract personal information that can be used for identity theft or other fraud. As people become more online-savvy, social engineering requires more finesse.

It is usually a multi-step plan: first gain trust, then obtain the targeted information. Unlike attacks that exploit software structure and computer code, social engineering attacks rely on the fact that humans make mistakes and can be manipulated.

Social engineering involves manipulating someone to divulge confidential information.

Social engineering attacks often target sensitive information such as login credentials, Multicaixa Express PIN codes, bank details or other personal data.


How does social engineering work, exactly?

Social engineering scams can happen during face-to-face and phone interactions, but most commonly occur online. In fact, social engineering underpins a wide variety of cyberattacks because it is easier to carry out online.

In the physical world, we can evaluate our interactions with people based on the information we receive through our senses. Observing someone's manner and listening to their tone of voice gives us clues as to whether something is suspicious. Online, most of those cues are missing: an email, SMS or chat message carries only what the attacker chose to write, which is why the attack is easier to pull off there.

Social engineering tactics often work like a cycle:

First, the attacker gathers basic information about the target (known as profiling) and chooses an entry point. Then the attacker initiates contact and establishes a connection.

Once the connection is made and the attacker is seen as a trusted source, the attacker exploits the target, for example by asking for credentials or a payment. Finally, after the confidential information is obtained, the attacker disconnects and disappears.

Why are online social engineering attacks so dangerous?

Social engineering attacks can be very dangerous for both individuals and companies, because in both cases large sums of money can be taken from the victim. Attackers target finance department employees by posing as senior staff.

In such cases, hackers send emails from fake or spoofed corporate email accounts that convincingly request a change of payment account. This has successfully tricked finance staff into transferring large sums of money to accounts controlled by the attackers.

For most people, losing any amount of money can be a huge setback. But having your personal information compromised can be even more dangerous.

If an attacker gets your login credentials or banking details, they can use them themselves or sell them on the dark web, where they can be bought and exploited by third parties, leading to identity theft or other harm in the future.

How to detect a social engineering attack

To detect an attempted online social engineering attack, it helps to know the techniques attackers use to influence their victims. People respond to authority and are more likely to comply when a request appears to come from a respected source.

This is why cybercriminals often impersonate well-known companies or government agencies. Always read emails or SMS that claim to come from the government or other official sources carefully, and check the actual sender address and reply address, not just the display name.
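The header checks just described, and the fake-sender account-change emails mentioned in the previous section, can be partly automated. The following is an added example and not code from the original article: it parses a raw email with Python's standard library and flags a display name that claims an official sender while the address sits on an unrelated domain, a Reply-To that diverges from From, punycode or non-ASCII lookalike domains, urgency wording, and a request to change payment details. Both messages, all domains and the `TRUSTED_DOMAINS` table are constructed for illustration; in practice the table would hold the domains your organisation actually knows its counterparts to use.

```python
"""Flag common sender-impersonation signs in email headers and body.

Added example, not from the original article. Messages, domains and the
TRUSTED_DOMAINS table are constructed for illustration (assumptions).
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: display name claims a government sender, the address
# is on an unrelated domain, Reply-To points somewhere else again, and the
# body asks for a payment-account change under time pressure.
SUSPICIOUS_MESSAGE = b"""\
From: "Ministry of Finance" <finance-portal@mail-notify-secure.example>
Reply-To: accounts@minfin-payments.example
To: clerk@company.example
Subject: Urgent: update of supplier bank account details
Date: Mon, 03 Mar 2025 09:12:00 +0000
Content-Type: text/plain; charset=utf-8

Please transfer the pending invoice to the new account below today.
"""

# Constructed sample: same display name, but from the known domain,
# with no Reply-To, no urgency and no payment request.
CLEAN_MESSAGE = b"""\
From: "Ministry of Finance" <notices@minfin.gov.example>
To: clerk@company.example
Subject: Quarterly bulletin
Date: Mon, 03 Mar 2025 09:12:00 +0000
Content-Type: text/plain; charset=utf-8

The quarterly bulletin is attached for your information.
"""

# Assumed: display names (lower-cased) and the domains they are known to use.
TRUSTED_DOMAINS = {
    "ministry of finance": {"minfin.gov.example"},
    "company": {"company.example"},
}

URGENCY_WORDS = ("urgent", "immediately", "today", "within 24 hours")
PAYMENT_WORDS = ("bank account", "transfer", "wire", "new account")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_lookalike(domain: str) -> bool:
    """Punycode labels (xn--) or raw non-ASCII characters can hide homoglyphs."""
    return "xn--" in domain or any(ord(c) > 127 for c in domain)


def analyse(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the findings for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = domain_of(reply_addr)
    findings = []

    # Authority cue: the display name claims a known sender, the domain does not match.
    key = name.strip().lower()
    if key in TRUSTED_DOMAINS and from_domain not in TRUSTED_DOMAINS[key]:
        findings.append("display_name_domain_mismatch")

    # Replies silently redirected to another domain is a classic BEC sign.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    if looks_like_lookalike(from_domain):
        findings.append("lookalike_domain")

    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency_cue")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment_change_request")

    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyse(raw))
```

None of these signals proves an attack on its own: a legitimate sender can use an urgent subject or a separate reply address. The useful output is the combination, and the one check that a human rarely does by eye, comparing the real From and Reply-To domains against what the display name claims, is the one worth automating.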

A more subtle tactic exploits sympathy: as humans, we are more likely to trust people we find attractive and likeable, which is why it works so well in peer-to-peer selling.

Attackers can impersonate an attractive person on social media and use a compliment as an excuse to make contact. When the victim is flattered, they are more receptive to the attacker's request, which could be a donation to their "charity" or some other scam.

Knowing how we can be influenced makes it easier to recognize the warning signs of social engineering. Requests for certain types of information such as login details, banking information or your address should also always raise concerns.

Put emotion aside and look carefully at who is asking for your details – this can prevent you from being scammed. A classic social engineering move is to offer something very tempting that motivates the victim to reveal some information or take some action.

If you do fall into a social engineering trap and the attacker obtains your login information, you do not want them to be able to use it to access your other password-protected accounts.

This means you should not reuse the same password across accounts, and you should always create strong passwords. Being lazy about passwords is like taping the door shut instead of locking it: it offers little protection in an attack.

If you're not ready to memorize a dozen different complex passwords, try a password manager.
