If you’ve done any reading on the subject of cyber attacks, you have probably heard the term “social engineering attack” many times. This term is often thrown around without a clear definition of what it is and what it entails. Many people also do not understand the full range of attacks that fit into this category. In an attempt to remedy that problem, we would like to make you aware of 5 social engineering tactics that should always be in the back of your mind. Remember: the only real way to defeat these attacks is through vigilance and education.
1. Link-Based Phishing Attacks
This is the most basic type of phishing, and it is definitely the most common. Phishing uses web links that are designed to look as if they came from a legitimate source. For instance, they might impersonate someone from Facebook in order to steal your login credentials. But how can they do this? The process is actually pretty simple.
First, you have to understand how a keylogger works. This is a program, usually in the form of a custom script, that records every keystroke that is made. Such a script can easily be placed within the code of any web page. Of course, a script embedded in a page will only record keystrokes made within the browser, and that is why they have to trick you with a fake link.
Once you click on the link, you are then directed to enter your login credentials. The page will be made to look like the legitimate source that is being impersonated. So, to re-use our earlier example: If they are impersonating someone from Facebook, the fake page will be made to look like Facebook’s login screen. Once you enter those credentials, the keylogger captures them and the hacker will then have your login and password.
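A fake login page of the kind described above has to get your credentials out to the attacker somehow, so a defender triaging a suspicious page can look at where the password form submits and where its scripts are loaded from. The following is an added example (not code from the original article); the brand domain, sample URL and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginPageScanner(HTMLParser):
    """Collect form targets, script sources and password inputs from a page."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def triage_login_page(page_url, html, expected_domain):
    """Return findings (empty list = nothing suspicious) for a page that
    claims to be a login page for expected_domain, e.g. "facebook.com"."""
    scanner = _LoginPageScanner()
    scanner.feed(html)

    def host(url):  # resolve relative URLs against the page, return the host
        return (urlsplit(urljoin(page_url, url)).hostname or "").lower()

    def foreign(h):  # anything but the brand's domain or a subdomain of it
        return h != expected_domain and not h.endswith("." + expected_domain)

    findings = []
    if foreign(host(page_url)):
        findings.append(f"page served from {host(page_url)}, not {expected_domain}")
    if scanner.has_password:  # only a password form is a credential theft risk
        findings += [f"password form posts to {host(a)}"
                     for a in scanner.form_actions if foreign(host(a))]
    findings += [f"script loaded from {host(s)}"
                 for s in scanner.script_srcs if foreign(host(s))]
    return findings


# Constructed sample: a lookalike "Facebook" login that ships credentials elsewhere.
SAMPLE_URL = "https://facebook-login.example.net/index.html"
SAMPLE_HTML = ('<script src="https://collector.example.org/keys.js"></script>'
               '<form action="https://collector.example.org/submit" method="post">'
               '<input name="email"><input type="password" name="pass"></form>')
```

Run `triage_login_page(SAMPLE_URL, SAMPLE_HTML, "facebook.com")` to see the three warnings the constructed page produces; a genuine login page on the brand's own domain posting to itself yields an empty list.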
2. Baiting Attacks
Baiting is a little bit like phishing, but with one significant difference. Baiting tactics use the promise of a “freebie” or some other benefit to lure their victims. Much like the false lure of the deep-sea anglerfish, these shiny objects entice the potential victim to walk right into the trap. Of course, in order to get this alleged freebie, you will have to enter those login credentials. In some cases, they also use physical media to entice your curiosity and trick you into installing malware, like some Chinese hackers did in 2018.
So, what is the difference between baiting and phishing? In many ways, baiting is a specialized form of phishing. Just realize that whenever someone offers you free stuff, there is always a catch. It may not always be a phishing attempt, but you should always be suspicious of something like that. If you are asked to enter your login credentials in order to obtain something like that, it is probably a scam.
3. Tailgating Attacks
Tailgating is a social engineering technique that isn’t normally used to steal credentials. This makes it very different from the common phishing attacks. Tailgating is used to gain physical access to a restricted area, such as a server room or some other type of important control center.
Normally, it works by following an authorized user through a controlled door (hence the name “tailgating”). The tailgater will most often impersonate some low-level person who can give a reasonable excuse for being there. They might impersonate a repairman, a maintenance tech, or maybe just someone delivering food. Either way, they use complex impersonation and verbal deception to get into places where they aren’t welcome. It takes a good bit of charisma to pull this off, but these attacks have happened plenty of times.
4. Scareware Attacks
You may have run across pop-ups that attempted to scare you. They will usually say something like “your computer is already infected! Click below to scan for viruses.” Sometimes, they might even try to convince you that they represent the police or the FBI. By making you think that you have inadvertently broken some law, they can scare you into taking certain actions. After all, nobody wants to go to jail!
The first thing you need to realize here is that legitimate authorities do not operate like this. If you are in trouble with the law, clicking some link and downloading some program isn’t going to get you off the hook. Needless to say, that downloaded program is just going to be malware. Honestly, most people should know better than to fall for one of these.
5. Pretext Attacks
This is a lot like normal phishing, except that it tends to be much more elaborate. Criminals who utilize these tactics are more like old-fashioned con artists. First, they go to great lengths to gather information about a legitimate entity. This might be a client, a trusted company, an auditor, or some kind of contractor. Once they have gathered enough information to credibly impersonate the target, they can use that to their advantage.
There are many ways to verify a person’s identity, but they aren’t always used. If someone appears to be a normal and legitimate entity, they can sometimes get people to forego their usual suspicions. In most cases, their goal is to trick people into revealing privileged information. This might include login credentials, but any valuable data might be sought and/or obtained in this way.
What Is Post-Inoculation In Cyber Security?
Post-inoculation refers to the process of hardening your systems and making them harder to penetrate. The period directly after this “inoculation” is referred to as the post-inoculation period. Your actions during this time should be focused on learning from everything that has occurred and incorporating those lessons into policies and plans. This post-inoculation phase is a good chance to discover any remaining flaws or vulnerabilities.
Social engineering can take many forms, but these are some of the most common. Sadly, there is no existing tech that can fully defeat social engineering attacks. This is because they target people rather than hardware, software, or other IT resources. They work by taking advantage of those who lack knowledge. Therefore, the best defense is education and preparedness. If you would like to know more, or if you are interested in our top-notch security services, call PCH Technologies at (856) 754-7500.