Social Engineering
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Introduction
Social engineering, sometimes called human hacking, is a broad category of malicious activities that rely on psychological manipulation to get people to perform actions or divulge confidential information. It is an umbrella term covering many different types of attacks.
Baiting
Baiting is using a false promise to gain a victim's interest and lure them into a trap that steals their personal information or infects their systems with malware.
Shoulder Surfing
Shoulder surfing is looking over someone's shoulder while they are using a computer and visually capturing logins, passwords, or other sensitive information.
Pretexting
Pretexting is when an attacker establishes trust with a victim by impersonating someone with right-to-know authority and asks questions that appear to be required to confirm the victim's identity, but through which the attacker gathers important personal data.
Phishing
Phishing is designed to get victims to click on links to malicious websites, open attachments that contain malware, or reveal sensitive information. The sample phishing email used in the module:
Dear valued customer,
We have received notice that you have recently attempted to withdraw the following amount from your account while in another country: $174.99
Please visit our website via the link below to verify your personal information.
http://www.trustedbank.com/gen/custverify.asp
Spear Phishing/Whaling
Spear phishing is a more targeted version of phishing, in which an attacker chooses specific individuals or enterprises and then customizes the phishing attack to those victims to make it less conspicuous. Whaling is when the specific target is a high-profile employee such as a CEO or CFO. The sample spear-phishing email used in the module:
Hi Frank,
Hope your day is going well. I need to send out a same day UK to UK faster payment immediately.
Kindly email me the required details you will need to send out the payment.
Kind regards,
Richard
The details shown in the module's reply and call screens:
Richard Bronson
Faster Payment
Routing #: 1740937
Account #: 9371046
Call: 44-8000-903-274
Scareware and Ransomware
Scareware is when victims are deceived into thinking their system is infected with malware and receive false alarms prompting them to install software that is not needed or is itself malware. Ransomware is when victims are prevented from accessing their system or personal files until they make a ransom payment to regain access. The sample scareware pop-up used in the module:
**YOUR COMPUTER HAS BEEN BLOCKED**
Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen:
> Facebook Login
> Credit Card Details
> Email Account Login
Please call us within the next 5 minutes to prevent your computer from being disabled.
Tailgating
Tailgating is when an attacker who lacks proper authorization follows a victim with authorized credentials through a door or other secure building access point into a restricted area.
Dumpster Diving
Dumpster diving is a technique used to retrieve discarded information that could be used to carry out an attack on an individual, a company, or a company's computer network. Seemingly innocent information such as phone lists, calendars, or organizational charts thrown in the trash, as well as items like access codes or passwords, can help an attacker using social engineering techniques gain access to the company and its computer network.
How to Mitigate Attacks
There are several ways you can decrease your chance of being exploited by a social engineer:
1. Stay aware of your surroundings – Be skeptical of links to web forms that request personal information, even if the email appears to come from a legitimate source. Never click on or enter sensitive information into a pop-up.
2. Think before you act – Never share personal information over the phone, by email, or on insecure websites. Do not click on links, download files, or open email attachments from unknown senders.
3. Keep your accounts and devices safe – Use anti-virus software and spam filters, and update and patch your devices regularly.
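The mitigation advice above, and the phishing and spear-phishing samples earlier in the module, boil down to a handful of observable indicators: a generic greeting, pressure to act quickly, a request for credentials or payment details, a plain-HTTP link, and a sender whose display name looks like a colleague but whose address is not theirs. The Python below is an added example, not part of the module, showing how a mail filter or a reviewer can score those indicators mechanically. It is run over the two sample messages quoted in the module plus a constructed benign control; the From: headers, subject lines, indicator phrase lists, internal contact directory (`example.com` addresses) and alerting threshold are all assumptions made for this example.

```python
"""Heuristic phishing-indicator scoring, run over the two sample messages quoted
in this module. Added example: the indicator lists, directory and From: headers
are constructed assumptions, not part of the module."""
import re
from urllib.parse import urlparse

# Constructed indicator lists (assumptions for this example).
URGENCY_PHRASES = ("immediately", "within the next", "same day", "right away", "urgent")
SENSITIVE_REQUESTS = ("verify your personal information", "login", "password",
                      "credit card", "routing", "account", "payment")
# Constructed directory of genuine internal contacts, used to catch display-name impersonation.
INTERNAL_DIRECTORY = {
    "richard bronson": "richard.bronson@example.com",
    "frank lee": "frank.lee@example.com",
}


def parse_from(from_header):
    """Split 'Display Name <user@host>' into (display_name, address)."""
    match = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    if match:
        return match.group(1).strip(), match.group(2).strip().lower()
    return "", from_header.strip().lower()


def url_findings(url):
    """Transport and hostname traits a mail filter would treat as suspicious."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append(f"link is plain HTTP: {url}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"link points at a raw IP address: {host}")
    return findings


def analyze(message):
    """Return (score, findings) for a dict with 'from', 'subject' and 'body'.
    The score is simply the number of indicators that fired."""
    text = f"{message.get('subject', '')}\n{message['body']}".lower()
    findings = []

    if re.search(r"dear (valued )?customer", text):
        findings.append("generic greeting instead of the recipient's name")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    hits = [p for p in SENSITIVE_REQUESTS if p in text]
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s<>\"']+", message["body"]):
        findings.extend(url_findings(url))
    name, address = parse_from(message["from"])
    expected = INTERNAL_DIRECTORY.get(name.lower())
    if expected and address != expected:
        findings.append(f"display name '{name}' is an internal contact but the address is {address}")
    return len(findings), findings


def is_suspicious(message, threshold=2):
    """Two or more independent indicators is the (assumed) alerting threshold."""
    return analyze(message)[0] >= threshold


# The two messages shown in this module, with constructed From: headers and subject lines.
BANK_PHISH = {
    "from": "TrustedBank Customer Service <service@trustedbank.example>",
    "subject": "Account verification required",
    "body": "Dear valued customer,\nWe have received notice that you have recently "
            "attempted to withdraw the following amount from your account while in "
            "another country: $174.99\nPlease visit our website via the link below to "
            "verify your personal information.\nhttp://www.trustedbank.com/gen/custverify.asp\n",
}
SPEAR_PHISH = {
    "from": "Richard Bronson <richard.bronson@webmail.example>",
    "subject": "Faster Payment",
    "body": "Hi Frank,\nHope your day is going well. I need to send out a same day UK to "
            "UK faster payment immediately.\nKindly email me the required details you "
            "will need to send out the payment.\nKind regards,\nRichard\n",
}
# Constructed benign control message from a genuine colleague.
LEGIT = {
    "from": "Frank Lee <frank.lee@example.com>",
    "subject": "Lunch on Thursday?",
    "body": "Hi all,\nShall we do the usual place at noon?\nFrank\n",
}

if __name__ == "__main__":
    for label, msg in (("bank", BANK_PHISH), ("spear", SPEAR_PHISH), ("legit", LEGIT)):
        score, findings = analyze(msg)
        print(f"{label}: score={score} suspicious={is_suspicious(msg)}")
        for finding in findings:
            print("  -", finding)
```

Both module samples score 3 (the bank message on greeting, sensitive-data request and plain-HTTP link; the spear-phishing message on urgency, payment request and display-name impersonation) while the control scores 0. The impersonation check is the one that matters most for whaling: the text reads like a normal request from an executive, and only the mismatch between the familiar name and the unfamiliar address gives it away, which is exactly the check a busy recipient skips and a filter should not.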
Conclusion
People, by their nature, want to trust, and that makes them vulnerable to social engineering. Attackers exploit this, which is why social engineering is extremely effective as a means to gain access to sensitive information and systems. In fact, in penetration tests social engineering tactics are usually cited as the most vulnerable point of an organization and its systems.
All the physical barriers, correctly configured network hardware, access controls, and patched software in the world cannot prevent social engineering. Awareness and training of individuals and employees about social engineering and the techniques attackers use are the best defenses against it.