Social Engineering Attacks

What are Social Engineering Attacks?

Social Engineering is an act of manipulating people to expose confidential or sensitive information.

This can be done by telephone, email, or face-to-face contact. It is the oldest method for gathering information and is still commonly used today.

Social engineering is often used with spam and phishing since it makes the manipulating process more trustworthy.

Types of Social Engineering Attacks:

1. Phishing: Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker, or into deploying malicious software, such as ransomware, on the victim's infrastructure. A good email gateway like Avanan can stop this attack.

The "carefully crafted, custom-made" emails look like they come from legitimate companies, informing employees that an account has been compromised or that they need to update their information. Instead, once they click the link, victims are taken to a fraudulent website, an attack site where their details are collected.

2. Vishing: Vishing is short for voice phishing, which is phishing done over the phone using a VoIP system. The attack vector for this type of social engineering is the same as phishing, but here it is carried out over the phone. An attacker makes a spoofed VoIP call to the target and presents himself as an organization the victim would trust. Never act on such calls.

3. Spear Phishing: Spear phishing is a type of phishing campaign that targets a specific person or group and often includes information known to be of interest to the target, such as current events or financial documents.

4. Credential Dumping: Credential dumping is when attackers gather login information or database credentials from compromised systems, servers, or websites. The attackers can then use this information to access other, potentially more secure systems. Endpoint management software like BigFix helps defend against this type of attack.

5. Baiting: Baiting is when attackers leave USB thumb drives or CDs containing malicious software in an area where they know employees will be, such as near the office printer. They hope someone will take one of these devices home and plug it into their computer, which can then be compromised.

6. Smishing: Smishing is a combination of phishing and SMS messaging: sending texts with links to users and tricking them into clicking the links and giving up their personal information, because they believe the message comes from someone trustworthy, like a bank or service provider.

7. Spear Phishing via Social Networks: This type of phishing uses social networking services to spread malware, steal users’ personal information and gain access to their accounts. Attackers will often try to get people from the same organization or network group to add them as friends, increasing their trustworthiness.

8. Water holing: In this type of attack, a malicious hacker leaves a place or device open so that other attackers can come along and take advantage of it. For example, a malicious hacker could leave a computer with security weaknesses open to the public, hoping another hacker will exploit those vulnerabilities.

9. Social Engineering for Mobile Platforms: In this social engineering attack, an attacker gains access to a user's smartphone by asking for sensitive information. A scammer might text you, requesting your login credentials or credit card information so that "they can update billing details." Once you comply, they will potentially have access to your personal information.

10. Scareware: Scareware is when an attacker tries to trick you into thinking your computer or mobile device has a virus installed. They do this by installing fake anti-virus software that pops up on the screen and falsely claims there are threats present, pressuring users to pay for the bogus program to remove them. The attackers can then use your credit card information to make unauthorized purchases.

11. Tailgating and Piggybacking: An attacker uses someone else to gain entry into a restricted area, for example by following employees through a door they know is being held open for someone else. It can also be used by attackers who hope to use your corporate credentials without you noticing or realizing their intentions.

12. Quid Pro Quo: This is when an attacker offers to do something for you in return for your cooperation or silence about their illicit actions. For example, attackers can use quid pro quo by offering to upgrade your computer system if you allow the malicious hacker temporary access to it.

13. Whaling: Whaling is a specific type of phishing attack that targets high-ranking employees, such as C-level executives. Attackers monitor social media and email for details on the organization's leadership and send targeted messages to those individuals with links or attachments that could compromise their security.

14. Brute Forcing: Also known as "password cracking," brute-forcing is when an attacker uses a program that rapidly guesses passwords to access a user's account or system. That is why the more complicated your password is, the more difficult it is to crack.

15. Pharming: Pharming is like phishing in that it is a threat that tricks users into exposing private information, but instead of relying on email as the attack vector, pharming uses malicious code executed on the victim's device to redirect the user to an attacker-controlled website.

16. Tapping: A malicious hacker might tap into a telephone wire to listen to conversations or steal information from a computer network.

To Prevent Social Engineering Attacks:

1. Avoid opening attachments from unknown sources. Even if the email comes from someone you trust, be cautious, as hackers can now spoof these addresses. Use common sense.

2. If a website looks suspicious or does not feel legitimate, avoid entering your personal or financial information there and contact your IT administrator for further details on the site.

3. Do not give out any personal information over the phone unless you initiated contact with a reputable company. It is best to follow up with them through an official source like their website.

4. When possible, use two-factor authentication, such as a YubiKey, when signing into websites or apps, so that if your password is compromised, attackers cannot access your account without physical access to your smartphone or another device that doubles as the "key" to your account.

Call your MultiPoint account manager for help and advice.
