What is social engineering and how to resist fraudulent attacks?

“Didn't you immediately realize that you were being called by scammers? I figured it out right away” – have you heard such phrases? In the digital age, we often face the fact that our personal data “leaks”. And it often happens that even the most vigilant and educated people fall for tricks. This is because social engineering methods are becoming more skillful and more targeted, while the technology behind them keeps advancing. A call from a son who has been in an accident, or a letter from an employer asking you to fill in your details to receive a bonus – attackers know our weak points and actively use psychological techniques to get what they want.

In this article, intended for a wide range of readers, we will clearly explain the basic principles and methods of social engineering, its types, as well as ways to protect against fraudulent schemes.

WHAT IS SOCIAL ENGINEERING

Social engineering is a method of manipulation and deception used by attackers to obtain confidential information or access secure systems.

Its origins go back to Ancient Rome and Ancient Greece, when specially trained orators were in demand: they took part in diplomatic negotiations and were able to convince their interlocutors that they were wrong. Social engineering as a method of attacking information systems appeared in the middle of the 20th century. One of the first known cases was the story of Frank Abagnale, who in the 1960s posed as a Pan Am pilot and flew around the world for free by deceiving airline and airport staff. His story served as the basis for the film Catch Me If You Can, starring Leonardo DiCaprio.

In the 1980s, social engineering became a common method for hackers to gain access to computer systems. They used manipulation and deception to convince company employees to give them access to secure data. Such deception methods do not always involve technical hacking skills – often, a good understanding of psychology and the ability to manipulate people is enough to be successful.

Over time, sociotechnical attacks have become more widespread and more diverse. With the development of the Internet and social networks, attackers have found new ways to manipulate people into giving up confidential information.

Let's look at popular social engineering techniques and methods:

  • Phishing (from fishing) is one of the most common and effective techniques. Attackers send fake emails or messages that look like official requests from banks, companies or government agencies. The goal of phishing is to trick users into providing personal data such as passwords, the three-digit security code on the back of a card, and other confidential information.

  • Fake calls (vishing, from voice phishing) – this technique uses phone calls to manipulate people. Attackers may pose as employees of banks, law enforcement agencies or other organizations and convince victims to disclose personal information or carry out financial transactions.

  • Information interception, or “shoulder surfing” – a method in which an attacker watches the victim's actions in order to capture their confidential information. For example, an attacker can watch a password or PIN code being entered on the keyboard or screen of a device.

  • Physical access – this technique uses trust or friendly deception to gain entry into restricted areas or premises. An intruder may slip into a building or office behind an employee's back.

  • Quid pro quo (Latin for “something for something”) – an attacker approaches a company, for example with an offer to help solve technical problems. In the course of “solving” them, the attacker gets the employee to perform certain actions on the work computer that give the attacker access to the system. Sometimes employees are willing to share confidential information in exchange for a service or reward.

  • Communication engineering – this social engineering method relies on a fictitious story or a plausible pretext to gain access to confidential information. Attackers can impersonate company employees or other individuals and convince victims to grant them access to the data.

  • Planted storage media (“road apple”) – a method in which an attacker leaves a digital storage device in a place where a potential victim will find it. The victim, having found the device, may plug it into their own computer and thereby give the attacker access to the system.

CONSEQUENCES OF SUCCESSFUL ATTACKS

The consequences of a successful attack can be catastrophic for both a company and an individual. In the event of a successful attack on a company, the consequences can include leakage of confidential data, financial losses, damage to reputation, and even business closure.

For an individual, the consequences can be just as serious. It can involve theft of personal data, money, access to personal accounts, and even “identity theft.” Criminals can use phone numbers, dates of birth, addresses, and other personal information to gain access to financial accounts, take out loans, or even commit crimes in the victim’s name.

Being aware of social engineering methods and practices will help companies and individuals strengthen their cybersecurity and prevent similar attacks in the future.

SOCIAL ENGINEERING TRENDS – WHAT TO PREPARE FOR

With the growth of online platforms, social media and digital technologies, the methods of attackers are expected to keep evolving.

Here are some trends to expect in the field of social engineering:

  1. Use of artificial intelligence (AI). Attackers are using AI to create more realistic and personalized attacks. AI can help analyze data on potential victims, create fake profiles, and generate more convincing messages.

  2. Multi-platform attacks. As mobile and Internet of Things technologies advance, attacks can be expected to extend beyond computers to mobile devices, smart homes, cars, and other Internet-connected devices.

  3. Phishing via social networks. With the increasing popularity of social media, we can expect an increase in phishing attacks through these platforms. Attackers may use fake accounts or compromised accounts to deceive users.

  4. Social engineering in the cloud. With the growth of cloud computing and cloud data storage, we can expect attackers to use social engineering to gain access to sensitive data stored in the cloud.

PRACTICAL TIPS – HOW TO AVOID FALLING INTO THE TRAP OF SOCIAL ENGINEERS

Let's start with a list of everyday tips that many will find useful:

  1. Be vigilant and do not trust unverified sources of information.

  2. Do not disclose personal information, passwords or financial information over the phone or via email.

  3. Verify the authenticity of requests for information, especially if they come from unexpected or unknown sources.

  4. Use strong passwords and two-factor authentication to protect your accounts.

  5. Be careful on social media: don't share too much personal information and don't invite strangers into your social circle.

  6. Monitor your financial transactions and quickly respond to suspicious activity on your accounts.

  7. If you suspect a fraudulent attack, please report it to your bank or the competent security services.

  8. Use your mobile operator's spam-call blocking service or a caller ID app that flags unwanted calls.

Here are some recommendations for corporate use – things that companies should take care of:

  1. Organize employee training in the basics of cybersecurity, including how to recognize phishing emails and websites.

  2. Be sure to use antivirus software and update it regularly.

  3. Protect and inspect corporate email: use security tools, spam filtering, and scanning of attachments and links before they are opened.

  4. Apply two-factor authentication to improve security when logging into systems and accounts.

  5. Regularly monitor and update security systems, including firewalls, operating systems and application software.

  6. Develop and implement information security policies that include security incident response procedures and employee training.

  7. Limit access to sensitive data and check access rights regularly.

  8. Conduct audits and vulnerability checks of systems to identify possible weak points.
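Item 3 above (checking links before they are opened) can be partly automated. The following is an added example, not code from the article or from any platform it names: it parses the links in an HTML email and flags those whose visible text points to one domain while the real destination is another, or whose hostname borrows a trusted brand name without being the brand's own domain. The trusted domain examplebank.com and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Crude "last two labels" rule; enough for the constructed sample below,
    # not for multi-label public suffixes such as co.uk (assumption of this example).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body, trusted_domains):
    # Returns [(href, [reasons])] for links a reader should not open.
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # Visible text shows one domain while the link really goes elsewhere.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("text shows %s, link goes to %s" % (shown.group(1), host))
        # A trusted brand name sits in the hostname, but the site is not the brand's.
        for trusted in trusted_domains:
            if trusted.split(".")[0] in host and registrable_domain(host) != trusted:
                reasons.append("lookalike of %s: %s" % (trusted, host))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email body (not a real message): one genuine link, two fakes.
SAMPLE_EMAIL = """<p>Dear customer, confirm your data to receive the bonus:</p>
<a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a>
<a href="http://examplebank.com.account-verify.example/">https://www.examplebank.com/login</a>
<a href="https://secure-examplebank.net/confirm">Confirm now</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, ["examplebank.com"])` reports the second and third links and leaves the genuine one alone.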

EMPLOYEE TRAINING – HOW TO BUILD CORPORATE AWARENESS

The use of platforms for teaching skills of safe behavior on the Internet is becoming an important element of digital literacy. Of the platforms we have tested, we can recommend solutions from Start X and Phishman.

These platforms offer a wide range of resources and tutorials that help users understand the basic principles of online security, learn about common threats, and how to prevent them. They also provide advice on creating strong passwords, protecting personal information, and staying safe when using public Wi-Fi networks.

Using such a platform helps learners understand the importance of Internet security and acquire the knowledge and skills needed to protect themselves and their personal information online.

Employee training combines instruction in safe online working skills with monitoring of the knowledge gained. In addition, the platform can track vulnerabilities in client applications and offers other functions aimed at raising the level of security in the organization. All this helps strengthen the protection of data and information, ensuring more reliable operation of business processes and the confidentiality of information.

The main courses available on the platforms include training on secure work with e-mail, training on the basics of information security for users, mobile security, physical security, remote work security, rules for secure work with passwords, information protection, use of electronic signatures, secure work with websites (web services). The platforms provide the ability to upload your own courses, specially designed to train employees in accordance with the unique needs of the organization. This allows you to create personalized educational programs and ensure maximum adaptation of courses to specific tasks and requirements of the company.

Some platforms provide functionality for simulating phishing attacks on company employees. These simulated attacks are designed around the customer's needs and can be unique for each company. After each simulated phishing attack, a report or statistics are available that help analyze the results and adjust training programs for different groups of employees. It is also possible to create new attack templates and edit existing ones.

A dedicated educational platform automates many day-to-day tasks. For example, you can set a schedule for employee training or for particular events. You can also plan simulated phishing attacks, setting the parameters and timing of their delivery. Automating these processes helps optimize the resources spent on security management and personnel training in the organization.

CONCLUSIONS

Social engineering methods remain common methods of cybercrime. It is important to understand that protection against intruders requires not only technical security measures, but also information and training of employees and users, and constant monitoring of threats.

To prevent attacks, it is necessary to conduct security audits, apply advanced security technologies and monitor the latest trends in cybersecurity. Only a comprehensive approach to information security can ensure reliable protection against social engineering attacks and the safety of confidential data.

Author: Evgeniy Novoselov, Senior Engineer, Information Security Automation, UCSB
