Explain the Various Forms of Social Engineering Tactics That Hackers Employ and Provide an Example of Each
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will capture your passwords and bank information and give them control over your computer. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to crack their password (unless the password is really weak).
Social engineering scams have been going on for years and yet we continue to fall for them every single day. This is due to the overwhelming lack of cybersecurity training available to the employees of organizations big and small. In an effort to spread awareness of this tactic and fight back, here is a quick overview of common social engineering scams. Managed service providers (MSPs) have an opportunity to educate their small and medium business clients to identify these attacks, making it much easier to avoid threats like ransomware.

Phishing is a leading form of social engineering attack that is typically delivered in the form of an email, chat, web ad or website designed to impersonate a real system, person or organization. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user's sensitive data. A phishing message might appear to come from a bank, the government or a major corporation. The calls to action vary. Some ask the end user to "verify" the login information of an account and include a mocked-up login page, complete with logos and branding, to look legitimate. Some claim the end user is the "winner" of a grand prize or lottery and request bank account details to deliver the winnings. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy. A successful attack often culminates in access to systems and lost data. Organizations of all sizes should consider backing up business-critical data with a business continuity and disaster recovery solution so they can recover from such situations.

Baiting, similar to phishing, involves offering something enticing to an end user in exchange for login information or private data. The "bait" comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled "Executive Salary Summary Q3" that is left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user's system and the attacker is able to get to work.
To manage the social engineering risk management process, relevant information needs to be identified, captured and communicated (Thiadens, T., 2002). It is important to do this in all layers of the organization in order to identify, assess and respond to threats and to have a means of communicating relevant information to management. With this information, management can make informed and sound decisions in light of the organizational objectives. The required quality and timeliness of the information depend on the risk tolerance set by these objectives and on the criticality of the risk. The information can have many sources (internal, external, manual and computerized) and forms (quantitative and qualitative). The communication can also be internal or external, specific to part of the organization or to the entire organization, and can use many communication means. Organizations need to assess their information needs in relation to social engineering risk and manage the flow of relevant information through the organization to support the achievement of the social engineering risk management objective: to stop the social engineer. Organizations and environments change over time. For example, social engineers will learn new tricks and render implemented controls useless. Therefore the effectiveness of the risk management process and its underlying controls needs to be assessed and reviewed over time. This can lead to new analysis and possibly to changes in, for example, the risk response (Swanborn, P.G., 1990). The assessment can take the form of ongoing and/or periodic evaluation of the social engineering risk management process.
Security awareness training can also go a long way toward preventing social engineering attacks. If people know what forms social engineering attacks are likely to take, they will be less likely to become victims. On a more technical level, organizations should have secure email and web gateways that scan emails for malicious links and filter them out, reducing the likelihood that a staff member will click on one. Staying up to date with software and firmware patches on endpoints is also important, as is keeping track of which staff members handle sensitive information and enabling advanced authentication measures for them.
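To make the gateway filtering concrete, here is an added example (not code from the original page) of the kind of indicator check an email gateway can apply before delivery. It scores a message on three signals the text above describes: urgency or fear wording, a display name that claims a brand while the sender's domain differs, and link text that shows one domain while the link actually points to another. The brand/domain table and both sample messages are constructed for illustration; a real gateway would draw on a maintained allow-list and many more signals.

```python
"""
Added example: a minimal phishing-indicator scorer for an email gateway.
BRAND_DOMAINS, the phrase list, thresholds and the sample messages are
all constructed assumptions for illustration.
"""
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Wording that creates the "sense of urgency or fear" phishing relies on.
URGENCY_PHRASES = (
    "verify your account", "account will be suspended", "immediately",
    "within 24 hours", "you have won", "claim your prize", "urgent",
)

# Hypothetical allow-list: brand keyword -> registrable domains it really uses.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "tax office": {"example.gov"},
}

# Weight per finding; a total of 2 or more quarantines the message.
WEIGHTS = {"urgency_language": 1, "sender_domain_mismatch": 2, "link_text_mismatch": 2}
QUARANTINE_THRESHOLD = 2

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a domain or URL (e.g. "www.bank.com/login").
LINK_TEXT_RE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def hostname(text: str) -> Optional[str]:
    """Hostname of a URL, or of bare 'domain.tld/path' link text."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def score_message(from_header: str, body_html: str) -> dict:
    """Return the findings, total score and deliver/quarantine verdict."""
    findings = []
    plain = TAG_RE.sub(" ", body_html).lower()

    # Signal 1: urgency or fear language in the body.
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append(("urgency_language", hits))

    # Signal 2: display name claims a brand, sender domain is not the brand's.
    display_name, address = parseaddr(from_header)
    sender_domain = registrable(address.rpartition("@")[2]) if "@" in address else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(("sender_domain_mismatch",
                             f"{display_name!r} sent from {sender_domain or '?'}"))

    # Signal 3: visible link text names one domain, href goes to another.
    for href, anchor_text in ANCHOR_RE.findall(body_html):
        shown = TAG_RE.sub("", anchor_text).strip()
        if LINK_TEXT_RE.match(shown):
            shown_host, real_host = hostname(shown), hostname(href)
            if shown_host and real_host and registrable(shown_host) != registrable(real_host):
                findings.append(("link_text_mismatch", f"{shown} -> {real_host}"))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH_FROM = "ExampleBank Security <alerts@mail-examplebank.example.net>"
PHISH_BODY = ('<p>Your account will be suspended within 24 hours unless you '
              '<a href="http://examplebank-secure.example.net/login">'
              'www.examplebank.com/login</a> to verify your account.</p>')
LEGIT_FROM = "ExampleBank Statements <statements@examplebank.com>"
LEGIT_BODY = ('<p>Your monthly statement is ready. Sign in at '
              '<a href="https://www.examplebank.com/statements">'
              'www.examplebank.com/statements</a>.</p>')

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("legit", LEGIT_FROM, LEGIT_BODY)):
        result = score_message(hdr, body)
        print(label, result["verdict"], result["score"], result["findings"])
```

The constructed phishing message trips all three signals and is quarantined; the legitimate statement notice, whose sender domain and link target both match the brand, scores zero and is delivered. Because the urgency signal alone scores below the threshold, an ordinary reminder that happens to say "immediately" is not blocked on wording alone.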
Swanborn, P.G., De probleemstelling: Een pleidooi voor duidelijke taal. 1990, Sociologische gids. XXXVII(2): p.107-123.
Thiadens, T., Beheer van ICT-voorzieningen; Infrastructuren, applicaties en organisatie. 2002, Academic Service: Schoonhoven. 406p.
Verschuren, P.J.M. and H. Doorewaard, Het ontwerpen van een onderzoek. 2007, Lemma: Utrecht. 330p.