Social engineering is the term for a broad range of malicious activities accomplished through human interaction. It is the art of exploiting human psychology, rather than technical hacking techniques, that cybercriminals use to gain access to a system or data. In 2016, 60 percent of enterprises were victims of a social engineering attack. In 2017, small to mid-sized businesses spent an average of $879,582 recovering from cybersecurity damages. Credential compromise has increased by nearly 70 percent since 2017 and reports of data loss have tripled since 2016.
How it works
Social engineers use a variety of techniques to carry out attacks. Almost every type of attack involves some kind of social engineering; viruses and phishing scams are the most common. The first step in most social engineering attacks is research and reconnaissance on the target, in which the attacker tries to gather all the information available about the victim. Next, the attacker plans when and how the attack will be executed, then collects the tools required for the attack, then carries out the attack, and finally makes use of the knowledge acquired, meaning the information gathered through the social engineering techniques.
Baiting attacks depend on the victim taking the bait, just like a fish reacting to a worm on a hook. The cybercriminal leaves a malware-infected physical device, such as a USB drive, in a place where the target will see it. The victim then picks up the device and loads it onto his or her computer, unintentionally installing malware.
Phishing remains the most popular social engineering attack of all due to its high success rate. The attacker sends a fraudulent email masked as a legitimate one, often purporting to come from a trusted source. The intention of such a mail is to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
Vishing is also known as voice phishing. It is the voice version of phishing, in which the V stands for voice; otherwise, the scam procedure is the same. The criminal uses the phone to trick a victim into handing over valuable information.
A whaling attack is an attempt to steal sensitive information and is often targeted at senior management or other high-profile targets such as politicians or celebrities. The word whaling indicates that the target being pursued is a big fish to capture. Whaling emails are a lot more sophisticated than run-of-the-mill phishing emails and much harder to spot.
In pretexting, one person lies to another person to gain access to personal data. For example, in a pretexting scam the attacker pretends to need personal data in order to confirm the identity of the recipient.
- Don’t open emails and attachments from suspicious sources.
- Keep your antivirus/antimalware software updated.
- Delete any request for financial information or passwords.
- Set your spam filters to high.
- Be vigilant.
- Use phishing simulation platforms like PhishGrid to train your people for this type of attack.
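The phishing and whaling sections above describe a mail that is dressed up to look like it comes from a trusted sender and then asks for money or credentials. The following added example (not code from the original article or from any product it mentions) scores incoming messages on exactly those traits so a mail filter can flag them: an executive's display name on an address that is not theirs, a sender domain that merely resembles the company's, a Reply-To that diverts replies elsewhere, and wording that requests financial information or passwords. The executive directory, trusted domain, phrase list and both sample messages are constructed assumptions.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical directory of senior staff and the domain they legitimately send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}
SENSITIVE_PHRASES = ("password", "wire transfer", "bank account", "gift card")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw: str) -> dict:
    """Return a suspicion score (number of heuristics hit) and the reasons."""
    msg = email.message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # Whaling / display-name spoofing: an executive's name on the wrong address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name on an unexpected address")
    # Lookalike domain: close to a trusted domain but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and SequenceMatcher(None, from_domain, trusted).ratio() >= 0.8:
            reasons.append(f"sender domain {from_domain!r} resembles {trusted!r}")
    # Reply-To steering answers to a domain other than the apparent sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # Subject or body asks for money or credentials.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(p in (msg.get("Subject", "") + "\n" + body).lower() for p in SENSITIVE_PHRASES):
        reasons.append("asks for financial information or credentials")
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample messages, not real mail.
WHALING_SAMPLE = """From: "Jane Doe" <jane.doe@examp1e.com>
Subject: Urgent wire transfer

I am in a meeting; process the wire transfer today and reply with the banking portal password.
"""
BENIGN_SAMPLE = """From: "Jane Doe" <jane.doe@example.com>
Subject: Lunch

Are we still on for lunch tomorrow?
"""

if __name__ == "__main__":
    print(score_message(WHALING_SAMPLE), score_message(BENIGN_SAMPLE), sep="\n")
```

A score of 3 for the first sample and 0 for the second shows which message a high spam-filter setting should hold back for review.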