Cyber Street Smarts: Stay Safe in the Social Space

Cybercriminals depend on the fact that when people are faced with frightening scenarios, they will make impulse-based decisions. The human versions of software vulnerabilities are our emotions.

Human-to-human interaction plays a huge role in social engineering, as it is easier to get users to divulge sensitive information when they think they are dealing with someone they know. Since social engineering is based on human nature and emotional reactions, there are many ways that attackers can try to trick you, online and offline.

Social engineering can be performed in two ways: as a single attack, like a phishing email, or in a more complex way that is akin to a "long con":

Hunting

Hunting is the quick version of a social engineering attack. Cybercriminals usually use phishing, baiting, and email hacking with the goal of stealing as much data as possible from the victim with as little interaction as possible. The attacker may send out hundreds of spam emails and see if anyone "bites."

Farming

A more complicated form of attack, farming is when the cybercriminal seeks out a way to form a personal connection with their target. They will research their victim by looking for any personal information available online. All they need is a name and they’re off and running. The cybercriminal will then try to form a relationship with their victim based on the information gleaned while researching their target.

Types of Social Engineering Attacks:

Baiting

Phishing

Scare tactics seem to be one of the most popular strategies for tricking you out of your information, as they present you with an urgent scenario, usually involving a financial or other online account. They rely on people making decisions based on fear or urgency rather than thinking about the scenario for a moment. Other versions of these emails can appear to be from an authority figure, such as someone in management at your company, requesting a username and password so they can log into a system. People tend to comply naturally when a request comes from a coworker, especially if it is someone they think they know.

Email Hacking and Contact Spamming

One of the main reasons cybercriminals go after email credentials is to take over the email account and then spam the contacts in its address book. That way, the email looks like it is coming from a trusted source when, in reality, it is from a hacked email account. It’s human nature to pay attention to messages we get from people we know. The main objectives are to spread malware, trick people out of their personal information, and more.

Pretexting

Pretexting is when the cybercriminal fabricates an elaborate backstory in order to create a scenario where they can “hook” their victims. Sometimes it is a sob story about being stuck in a foreign country, or a claim to be a prince in an unheard-of country whose parents just died and who needs 500 dollars in order to gain access to his inheritance. These types of scenarios play on people’s tendency to be helpful to others in distress. Pretexting is often used in tandem with many of the other methods mentioned in this article, as most of these scenarios need some sort of story to catch the attention of the target.

Spear Phishing

Spear phishing is used in tandem with farming, since it is usually targeted at employees of a specific company that a cybercriminal is attempting to steal data from. Once the criminal has completed their reconnaissance on their target, they will start to send emails that appear to be personally relevant to the victim in order to trick them into clicking on a malicious link that redirects the user to a site hosting malware, or into downloading a malicious file attached to the message. Once the user takes the bait, the malware is installed on a computer connected to the company’s network, from where it can spread to other computers and devices within that network.

Vishing

Vishing involves direct human-to-human contact. Also known as telephone scams, vishing is when the criminal calls an employee within a company posing as a trusted individual, a member of tech support, or a representative from your bank or another company that you do business with. Once they have gained their target’s trust, they will try to fish for information such as online account credentials and personal information.

Social engineering is everywhere, online and in real life. It is so extremely successful because of the one thing involved that you can’t install Internet security software on: the human brain. Your best defenses against these kinds of attacks are to educate yourself on common cyber security practices and to learn which red flags to be on the lookout for.
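The red flags this article describes (pressure language, a request for a username and password, an "authority" display name on an outside address, a Reply-To that differs from the sender, links pointing outside the organization) can be turned into a simple checklist that a mail filter or a training tool can run over a message. The following is an added example, not code from the article or its author; the two sample messages and the domain names in them are constructed for illustration, the trusted-domain list is a hypothetical parameter, and the phrase lists are deliberately small. It is a heuristic prompt to pause, not a verdict: an unflagged message is not proven safe.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first shows the red flags
# described above; the second is an ordinary internal message.
URGENT_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@mail-secure-login.example>
Reply-To: support@mail-secure-login.example
Subject: URGENT: your account will be suspended in 24 hours

Your mailbox is over quota. Verify your username and password immediately
at http://mail-secure-login.example/verify or access will be suspended.
"""

BENIGN_MESSAGE = """\
From: "Dana Ortiz" <dana.ortiz@example.com>
To: team@example.com
Subject: Slides for Thursday

Hi all, the draft slides are in the shared folder. Comments welcome by Wednesday.
"""

# Small illustrative phrase lists; a real deployment would tune these.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "act now", "final notice")
CREDENTIAL_PHRASES = ("password", "username", "verify your account",
                      "log in", "login")
AUTHORITY_WORDS = ("helpdesk", "support", "admin", "security", "ceo", "manager")


def red_flags(raw_message, trusted_domains=("example.com",)):
    """Return the list of red-flag labels found in one plain-text message.

    trusted_domains is a hypothetical parameter: the domains the reader's
    organization actually sends mail and hosts links from.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload()          # samples are single-part plain text
    text = (subject + "\n" + body).lower()
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Sender is outside the organization; worse if the display name
    #    claims an internal authority role (IT, management, security).
    if sender_domain and sender_domain not in trusted_domains:
        flags.append("external-sender")
        if any(w in display_name.lower() for w in AUTHORITY_WORDS):
            flags.append("authority-name-external-domain")

    # 2. Replies would go to a different address than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        flags.append("reply-to-mismatch")

    # 3. Pressure language meant to short-circuit careful thought.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")

    # 4. The message asks for credentials.
    if any(p in text for p in CREDENTIAL_PHRASES):
        flags.append("credential-request")

    # 5. Links whose host is not one of the trusted domains.
    for host in re.findall(r"https?://([^/\s]+)", body):
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            flags.append("external-link:" + host)
    return flags


if __name__ == "__main__":
    for label, sample in (("urgent", URGENT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", red_flags(sample) or "no red flags")
```

Each label maps back to one of the habits the article recommends: check who actually sent the message and where replies go, notice when you are being rushed, and never hand over a password because an email asked for it.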