Social engineering attacks - what are they and how do they work? - Fingerprints (2024)


Each of us has heard about cybercriminals who use their technical knowledge to attack protected computer systems and cause sensitive data leaks. However, it is worth remembering that today’s network attacks take on a completely new dimension. More and more is being said about social engineers, i.e. people who manipulate human psychology in order to persuade their victims to take certain actions and provide access to confidential information. What are social engineering attacks, what techniques do criminals use and how can you defend against them?

Social engineering attack – what is it?

Social engineering is a set of techniques designed to persuade people to take certain actions through skillful manipulation of their psyche. In the IT space, social engineering is used by cybercriminals who are interested in stealing our identity or money, as well as extorting sensitive data, which can then be used for specific actions, e.g. taking out a bank loan.

The goal of a hacker who carries out a social engineering attack is therefore to persuade the victim to perform a specific activity, e.g. to provide login data to a bank account or a password securing a computer system. It is worth noting that people who use social engineering methods often assume a false identity and try to impersonate a bank employee or computer service technician. To obtain the desired data, cybercriminals use various methods and communication channels, including:

  • telephone conversations;
  • emails and SMS messages;
  • fake websites;
  • messages sent on internet portals.

Social engineering attacks – types

As the importance of cybersecurity has grown in recent years, social engineering attacks have taken on more and more forms. Among the most common social engineering attacks on the network, we can mention:

  • phishing – an attack usually carried out via email. Its task is to use the victim’s fear to prompt them to react as quickly as possible and provide sensitive personal data, such as name, address, bank account number;
  • vishing – a variant of phishing in a voice version, specifically in the form of a telephone conversation. The attacker impersonates a bank employee or investment advisor and manipulates the interlocutor into revealing sensitive data;
  • pretexting – another form of social engineering in which the hacker creates an invented scenario (a pretext) to justify the demand for confidential information. Such attacks are largely carried out during a telephone conversation, during which the attacker impersonates a customer or employee of a given company and demands access to sensitive data to confirm the identity of the interlocutor;
  • spoofing – a type of attack during which the criminal impersonates banks, financial institutions and state offices in order to extort personal data or money from the victim. During such an attack, hackers counterfeit the domain of a real company and send emails to customers through it. The attacker manipulates the victim’s psyche in such a way that they start to believe that the message comes from a real source;
  • baiting – this attack in many ways resembles phishing, with the difference that it uses the promise of certain goods or benefits to lure the victim. Baiting attacks can involve, for example, the offer of free music or movie downloads in exchange for providing login data;
  • romance scams – during such an attack, criminals use manipulation techniques to establish a close relationship with the victim, in order to achieve their main goal, i.e. data extortion and money theft.

Social engineering attacks on the network – examples

What can social engineering attacks on the network look like in practice? Imagine a situation in which we receive a phone call from a person who claims to be a service department employee in a computer company. The caller uses complicated phrases to try to convince us that our computer has been infected and that failing to act will result in the loss of important data. The “specialist” offers help and asks for remote access to the computer in order to repair it, or encourages the installation of security software. If we succumb to this manipulation, the hacker will achieve his goal and gain control over our computer system.

Another example is hackers sending fake emails that are intended to prompt the user to perform a certain action, e.g. logging into a bank account using the sent link. Cybercriminals then try to arouse fear in the recipient and inform him about the consequences of not performing that action, e.g. losing access to the account.
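The warning signs described above (a counterfeit sender domain, a login link, and wording that arouses fear) can be checked mechanically. The following is an added example, not part of the original article: the domain examplebank.test, the phrase list and the sample message are constructed assumptions, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"examplebank.test"}  # assumption: placeholder for the real domain
PRESSURE = ("immediately", "lose access", "will be blocked")  # illustrative

def edit_distance(a, b):  # Levenshtein distance; catches one- or two-character swaps
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitates(host):
    """Return the trusted domain that `host` imitates, or None."""
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return None  # the real domain or one of its subdomains
        if edit_distance(host, good) <= 2 or good.split(".")[0] in host:
            return good
    return None

def triage(raw):
    """List the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if imitates(sender):
        findings.append(f"sender domain {sender} imitates {imitates(sender)}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if imitates(host):
            findings.append(f"link host {host} imitates {imitates(host)}")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE if p in text]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits))
    return findings

# Constructed sample message, not real mail.
SPOOFED = """From: Example Bank <alerts@examp1ebank.test>
Subject: Your account will be blocked

Log in immediately at http://examplebank.test.login-verify.example/session or lose access.
"""
```

Calling triage(SPOOFED) reports the look-alike sender domain, the link host that only embeds the bank's name, and the three pressure phrases; a message sent from and linking to the trusted domain itself returns an empty list.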

How to protect yourself from social engineering attacks?

Social engineers skillfully manipulate our feelings to carry out their plans and lead us into a trap. How can we defend against their attacks?

  • If you notice something disturbing during a phone call, try not to continue communicating with the caller, and ignore any messages they send.
  • Never rush – there is a high probability that the person who is putting pressure on you or telling you to bypass certain procedures is a cybercriminal.
  • Pay attention to the social engineering tricks used by the hacker, including arousing fear, curiosity, excitement or intimidation in order to obtain certain benefits.
  • Think several times before you click a link and open an attachment. Unfortunately, one wrong move can infect the entire device.
  • If you feel that you are experiencing a social engineering attack, immediately contact the technical support of the company whose employee the attacker is impersonating.

Author: Geoffrey Lueilwitz