Social engineering is a technique that lets attackers get into IT systems by capitalizing on the lack of knowledge and the naivety of an end user. Instead of mounting a technical attack on the IT system itself, the attacker focuses on an employee and attempts to enter networks and systems through that person.
Because networks are increasingly well protected, social engineering is becoming more and more popular among hackers: there is no patch for human stupidity!
Social engineering focuses on manipulating people's emotions and impulses. For example, hackers try to gain the victim's trust or take advantage of a moment of inattention. This means a hacker must possess a certain amount of empathy, be daring, and possess social skills.
Common Social Engineering Scams
A hacker will always apply a specific strategy in social engineering. The victim might be approached personally by telephone in order to obtain access information, or somebody might casually ask a few questions in the elevator or the office building. Communication is the only weapon the hacker uses in this case, which means social engineering goes much deeper than just IT and technology. Traces of an attack can be recognized in the communication itself: pay attention to nervous or overly enthusiastic behavior, unusual questions, hurried behavior, or the sense that you are being pressured.
In addition to real-life communication, every technical option available to hackers is used to entice you to hand over access to your information, either consciously or unconsciously. People are often much easier to fool online than they are in real life. By playing on their emotions (greed, fear, pleasure), people are lured into clicking on a malicious link, leaving behind personal information, or installing unknown software before they even realize what they have done.
The most common form of phishing is fake emails that look completely authentic, sent with the purpose of collecting information directly or indirectly. Sometimes these emails are even sent from a forged sender address that is realistic and difficult to distinguish from the authentic one, a technique called spoofing. You might be asked to click on a certain link in the email or to open an attachment. These emails are usually designed to seem altogether reliable so that the recipient does not recognize the risk and clicks on the link without becoming suspicious. By clicking on the link or attachment, various security risks are activated; the most common ones are:
- Installing malicious software that gives the hacker access to your PC, after which the hacker has full control
- A link to a website that looks like an existing website but is really a copy of that website controlled by the hacker (cloning). At this point the hacker can see your login information
- Your PC becomes part of a DDoS network
- Your infected PC infects the entire business network
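The spoofed sender addresses, cloned brand names and time pressure described above are exactly what an automated first pass over an incoming mail can flag for the recipient. The script below is an added example written for this article, not code from the original page; the trusted domain, the lookalike-character table and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed (hypothetical) list of domains this organisation treats as genuine.
TRUSTED_DOMAINS = {"example-bank.com"}
# Characters that attackers swap in because they look alike at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
PRESSURE_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")

def is_genuine(domain: str) -> bool:
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it does not."""
    if is_genuine(domain):
        return None
    norm = domain.lower()
    for fake, real in CONFUSABLES.items():  # fold examp1e-bank.com into example-bank.com
        norm = norm.replace(fake, real)
    return next((t for t in TRUSTED_DOMAINS if t in norm), None)

def triage(raw_message: str) -> list:
    """Return warning strings for a raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    warnings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"From domain {from_domain!r} imitates {imitated!r}")
    for header in ("Reply-To", "Return-Path"):  # replies/bounces routed elsewhere
        other = parseaddr(msg.get(header, ""))[1].rpartition("@")[2]
        if other and other != from_domain:
            warnings.append(f"{header} domain {other!r} differs from From domain")
    if any(w in msg.get("Subject", "").lower() for w in PRESSURE_WORDS):
        warnings.append("Subject applies time pressure")
    return warnings

# Constructed sample message, not a real phishing email.
SAMPLE = """From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.example.net
Return-Path: <bounce@mail-verify.example.net>
Subject: Urgent: your account will be suspended within 24 hours
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE):
        print("WARNING:", warning)
```

The checks are heuristics: a legitimate newsletter may use a different Reply-To, so treat the output as a prompt to verify through a known channel rather than as proof of an attack.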
For companies to protect themselves against these types of attacks, it is important to share knowledge and create awareness among employees, in addition to implementing a solid security policy.