Recent events, such as the social engineering attack on European Central Bank President Christine Lagarde, occur more and more often and can cause you or your business serious trouble. The ECB President received a text message from attackers posing as former German chancellor Angela Merkel. Identity theft of this kind is part of the social engineering technique: here, the attackers wanted to open a WhatsApp account linked to Lagarde's phone number.
What is social engineering?
But what is social engineering really? Social engineering is trickery used to manoeuvre someone into exposing personal or confidential data. In social engineering this data is then used for fraudulent purposes against the victim or a whole company. In other words, social engineering is a technique for manipulating individuals so that they give up personal data, including their bank credentials and other passwords. Salahdine & Kaabouch (2019) describe it as follows: “Social engineering is a technique used for a comprehensive range of malevolent events completed through human interactions. It utilizes psychological manipulation to cheat consumers leading them to make information security errors.”
Social engineering is among the most effective means of cyber-attack, primarily because it has proven so successful in practice. Criminals know that the individual user is the weakest link in the security chain. Why? Because this user can be targeted with the data the attacker has collected and therefore becomes very vulnerable. Users are commonly targeted through online systems such as email; criminals disguise their messages and notifications to make them look like they come from a trusted source such as a known company, a bank, or internet service provider (ISP) staff. This is a common social engineering technique (Salahdine & Kaabouch, 2019).
How does social engineering work?
Social engineering attacks can be carried out in a single step or in multiple steps. First, the perpetrator studies the targeted victim to collect essential background data, including the potential points of access. These points of access could be the victim's social network, family or interests. The attacker then takes actions that build trust and provide a pretext for activities that undermine security practices.
Such practices trick the user into revealing sensitive information like passwords or other personal credentials. The attack succeeds most easily where security protocols are weak or loosely followed. Scareware, baiting, spear phishing, pretexting, and phishing are the five main social engineering attacks.
Another way social engineering works is that the criminal tricks their way into the victim's personal life in order to gain secret access to the computer and install malicious software. This software gives access to bank information and passwords and also grants the attackers control over the device.
Criminals prefer social engineering strategies because they are the most straightforward way to exploit people's natural inclination to trust. After you have received a so-called phishing mail, which usually looks like a routine inquiry, and have reacted to it in the way the attackers intended, they will start gaining your trust and slowly collecting data about you: which passwords you use, what times of day you are active on your computer, what your common interests are. Phishing is a perfect example: this method baits victims into trusting dangerous emails and websites, which results in exposing critical information. Read more about phishing in our other blog article. The attack cycle consists of preparing (gathering data), infiltrating (establishing a relationship), exploiting the individual, and disengaging.
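The masquerading described above, where a message claims to come from a known company, bank or ISP, can be checked mechanically before a user ever has to judge it. The following is an added example, not code from this article or the papers it cites: it inspects the From header of a raw email, and flags a display name that claims a brand while the sending domain is not one the brand uses, or a domain within a small edit distance of a known one (a lookalike). The brand-to-domain table and the sample message are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr
from typing import Optional

# Constructed mapping (assumption): brand names that appear in display
# names, and the domains that legitimately send mail for each brand.
TRUSTED_SENDERS = {
    "examplebank": {"examplebank.com"},
    "example isp": {"example-isp.net"},
}


def _normalize(text: str) -> str:
    """Lower-case and strip punctuation so 'Example-Bank!' matches 'examplebank'."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> Optional[str]:
    """Return a reason if the From header looks like brand impersonation, else None."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = _normalize(display)
    for brand, domains in TRUSTED_SENDERS.items():
        if brand not in name and brand not in domain:
            continue  # this brand is not being referenced at all
        if domain in domains:
            return None  # brand referenced and sent from a domain it really uses
        nearest = min(domains, key=lambda d: _edit_distance(domain, d))
        if _edit_distance(domain, nearest) <= 2:
            return f"lookalike domain {domain!r} imitates {nearest!r}"
        return f"sender references {brand!r} but domain {domain!r} is not a known sender"
    return None


# Constructed sample: display name claims the bank, domain swaps 'l' for '1'.
SAMPLE_PHISH = "From: ExampleBank Security <alerts@examp1ebank.com>\nSubject: Verify your account\n\nClick here.\n"
```

A hit from `check_sender` is a reason to route the mail for review, not proof of fraud; legitimate third-party senders (a bank's mailing provider, for instance) need to be added to the table rather than trusted by name.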
What is human-based social engineering?
Researchers distinguish two forms of social engineering: human-based and computer-based (technology-based) social engineering. Human-based social engineering describes one form, or one part, of a social engineering attack. As the word human already suggests, human-based social engineering is about the psychological side: manipulating the victim's mind in order to obtain personal data.
Human-based social engineering mainly involves person-to-person interaction within a social network. Human events or actions that contribute to a data breach are the human factors in social engineering. In cybercrime, this "human hacking" tricks unsuspecting users into exposing information, granting access to restricted systems or spreading malicious software (Conteh, 2021). Human-based social engineering attacks focus on gaining access to gaming systems or devices, physical locations, and networks, particularly for financial gain.
What is computer-based social engineering?
Computer-based social engineering involves the exclusive use of one or more computers to launch an attack against one or more computers or mobile devices on a specific network (Conteh, 2021); this type of social engineering involves only computer interactions, through which criminals dig for the information they want. Social engineering attacks result in financial losses, loss of productivity, and business disruption.
Social engineering is a criminal activity that evolves with the dynamic nature of technology and innovation. It is the responsibility of every individual to visit protected sites, click only on safe links, use virtual private networks and take part in information security awareness programs in order to minimize social engineering.
References
Conteh, N. Y. (2021). The dynamics of social engineering and cybercrime in the digital age. In Ethical Hacking Techniques and Countermeasures for Cybercrime Prevention (pp. 144-149). IGI Global.
Koyun, A., & Al Janabi, E. (2017). Social engineering attacks. Journal of Multidisciplinary Engineering Science and Technology (JMEST), 4(6), 7533-7538.
Salahdine, F., & Kaabouch, N. (2019). Social engineering attacks: A survey. Future Internet, 11(4), 89.