Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people to violate normal security procedures and best practices to gain unauthorized access to systems, networks, or physical locations or for financial gain.
Siber saldırıların %98’i sosyal mühendisliği içeriyor. Bir çalışanı kötü amaçlı bir bağlantıya veya e-postaya tıklamaya teşvik etmek için güvenilir bir kişi kılığına girmeyi, oturum açma kimlik bilgilerini ele geçirmek için güvenilir bir bankacılık kurumu gibi davranmayı veya hedef sistemlere giriş elde etmek için tasarlanmış benzer faaliyetleri içerebilir.
Who do social engineering attacks target?
Of the three main types of social engineering, phishing targets specific individuals and groups. While cybercriminals can use email, text messages, or phone calls to carry out these attacks, some types of phishing are more obvious than others.
In general, you can identify phishing attacks based on:
- An unusual sense of urgency in emails, phone calls, or texts
- Emails with unusual grammatical or expression errors
- Suspicious-looking links in email body
cyber criminals phishing attacks When applying, he usually does research beforehand. They may know the names of their victims and some private personal information, such as previous companies the individuals worked for. The perpetrators then use this information to make the phishing attempt feel legitimate to the innocent victim.
Spear phishing attacks, It is the most targeted type of phishing. It is designed to persuade individuals with high-level access to sensitive data to disclose their identity or otherwise gain access to these data mediums.
Regardless of the type of phishing, these social engineering scams are only effective if users in an organization are not aware of how they work.
Social Engineering Attack Types
An attacker leaves a physical device infected with malware, such as a flash drive, in a place where it is sure it will be found. The target then takes the device and unintentionally installs the malware and places it on their computer.
When a malicious party sends a bogus email disguised as a legitimate email, often appearing to be from a trusted source. The message is intended to trick the recipient into sharing financial or personal information or clicking on a link that installs malware.
3. Spear Phishing
Phishing is similar but the attack is designed for a specific person or organization.
Voice phishing Vishing, also known as vishing, involves the use of social engineering over the phone to collect financial or personal information from the target.
A particular type of phishing attack, a whaling attack, targets high-profile employees such as the chief financial officer or chief executive officer, tricking the targeted employee into disclosing sensitive information.
One party lies to the other to gain access to privileged data. For example, a pretexting scam might involve an attacker pretending to need financial or personal data to verify the identity of the recipient.
This type of attack involves tricking the victim into thinking their computer is infected with malware or accidentally downloading illegal content. The attacker then offers the victim a solution that will fix the fake problem; in reality, the victim is tricked into downloading and installing the attacker's malware.
8. Watering Hole
The attacker tries to endanger a certain group of people by infecting websites they are known to visit and trust in order to gain network access.
9. Diversion Theft
In this type of attack, social engineers trick a delivery or courier company into going to the wrong pick-up or drop-off location, stopping the process.
10. Quid pro quo
This is an attack where the social engineer pretends to provide something in return for the target's knowledge or assistance. For example, a hacker calls a series of random numbers within an organization and pretends to be a tech support professional responding to a ticket. Eventually, the hacker finds someone with a legitimate technical problem and pretends to help him. Through this interaction, the hacker can have the target type in commands or gather password information to launch the malware.
11. Honey Trap
In this attack, the social engineer pretends to be an attractive person to interact with a person online, establish a fake online relationship, and collect sensitive information through that relationship.
Sometimes piggyback Tailgating, also called tailgating, is when a hacker follows someone with an authorized access card into a secure building. This attack assumes that the person with legitimate access to the building is kind enough to hold the door open for the person behind it, assuming they are allowed to be there.
13. Rogue Security Software
This type of attack is a type of malware that tricks targets into paying for fraudulent removal of the malware.
14. Dumpster Diving
This type of attack is a social engineering attack in which a person searches a company's trash can for information such as passwords or access codes written on sticky notes or pieces of paper that could be used to infiltrate the organization's network.
In this type of online scam, a cybercriminal installs malicious code on a computer or server that automatically redirects the user to a fake website, where the user can be tricked into giving out personal information.
How can we protect ourselves from social engineering attacks?
Protection against social engineering attacks requires action by both users and organizations.
Steps to take individually:
Do not open emails and attachments from dubious sources
If you don't know the sender in question, you don't need to reply to an email. Even if you know them and are suspicious of their messages, cross-check and confirm news from other sources, such as the phone or directly on a service provider's site. Remember that email addresses are always fake; Even an e-mail claiming to come from a trusted source may actually have been initiated by an attacker.
Use multi-factor authentication
One of the most valuable pieces of information that attackers look for is user credentials. Using multi-factor authentication helps ensure that your account is protected if the system is compromised.
Be wary of attractive offers
If an offer sounds very tempting, think twice before accepting it as real. Searching for the topic on Google can help you quickly determine whether you're dealing with a valid offer or a trap.
Keep your Antivirus/Antimalware software up to date
Make sure automatic updates kick in or make it a habit to download the latest signatures first thing every day. Check regularly to make sure updates are applied and scan your system for possible infections.
Shrink your Digital Footprint
Your data recorded while surfing the Internet creates your digital footprint. The less you post online and on social media, the harder it is for threat actors to target you. Avoid posting personal information. Even things like real-time vacation photos or your child's school name can be used against you.
Steps to take for your business
Routine security testing through “ethical hacking” helps your organization quickly identify social engineering threats early in their lifecycle. Phishing-prone assets such as email and web applications should be tested frequently to minimize the impact of these threats.
Identity and access management
If cybercriminals steal users' credentials, identity and access management (IAM) controls such as multi-factor authentication can reduce their infiltration into your IT infrastructure.
Your company can also manage social engineering risks by using automated threat detection tools to identify malware or suspicious links embedded in emails. These tools are designed to detect threat signatures and help protect you from phishing threats.
Build a positive safety culture
Only %3 of victims report malicious emails to management. By the time we do, serious damage has already shaken the system. Encourage victims to report potential cybersecurity incidents without fear of the consequences so things can be resolved as soon as possible before things get worse.
Commit to ongoing security awareness training
BT uzmanlarının %60’ından fazlası, yeni işe alınanların sosyal mühendislik saldırılarına karşı en duyarlı kişiler olduğunu söylüyor. Bu nedenle, işe alım sırasında güvenlik farkındalığı eğitimini zorunlu hale getirin.
Keep your site, app and hardware up to date
When hackers notice a vulnerability or weakness in a web page, they can infect that page with malware. This would then quickly affect all users in what is known as the Watering hole attack. Make sure you keep your anti-malware tools, email spam filters, and firewalls up to date.
Examples of Social Engineering Attacks in the World
Perhaps the most famous example of a social engineering attack is the myth that the Greeks won the war by sneaking into the city of Troy and hiding inside a giant wooden horse that served as a symbol to the Trojan army. Trojan WarIt comes from.
Once over “World's Most Wanted Hacker” known as Kevin Mitnickconvinced a Motorola employee to give him the source code for the company's new flip phone, the MicroTAC Ultra Lite. It was 1992 and Mitnick, who was on the run from the police, was living in Denver under a pseudonym. At the time, he was concerned about being followed by the federal government. Mitnick released the source code to hide his location from the authorities. Motorola MicroTAC Ultra Lite used it to hack and then tried to change the phone's identifying data or turn off the ability of cell phone towers to connect to the phone.
Mitnick called Motorola to get the device's source code and was contacted by the department working on it. He then convinced a Motorola employee that he was his colleague and persuaded that employee to send him the source code. Mitnick was eventually arrested and spent five years in prison for hacking. Today he is a multimillionaire and author of a series of books on hacking and security. A sought-after speaker, Mitnick also runs the cybersecurity company Mitnick Security.
Social Engineering Attacks Most Commonly Encountered by Employees
1. Falling in love with freebies
Take a look at your endless marketing emails inbox and you'll find a host of free content or 'special offers' discounts. While many of us doubt how 'special' these offers are, most employees can't resist the temptation of free treats. The problem is that nothing is truly free.
This is exactly why we see the old social engineering gimmick "Free Software" still circulating and employees still falling for it. The software being downloaded may actually be something that is free. However, visiting the malicious website has risks, which may lead the user to download infected or compromised software.
Your employees may be at even greater risk when visiting sites that offer 'packaged' software; which means they may have to download additional software they don't need just to get what they want.
Encourage your employees to check if your company has already licensed the software. If not, visiting the software vendor's website is a simple but effective way to make sure they do indeed offer this software and that you are downloading it from a legitimate source.
2. “But it looked real?!”
Perhaps even more obvious (which still fools employees all too often) are work-related emails that look real or official. Subject lines can be very important for these emails, as lines like “Attached Invoice,” “Here is the file you need,” and “See this resume” are some of the more successful types.
While fraudulent business emails can be difficult to detect, 'consumer' emails on topics such as card notifications or social networking accounts can be equally damaging to your company. If an employee clicks on an email that wants to reset their password for their personal account, they probably don't look closely where the email came from, which could result in their computer being infected or compromised.
A quick and easy method of checking the authenticity of an email is for the user to hover their cursor over the sender's email address before clicking any link.
The risk of an employee exchanging sensitive information as a result of this kind of social engineering can also be avoided by using a secure file transfer system, so you know where the file came from and if it has been reviewed. Users should also be informed that any file that asks the recipient to enable 'macros' should be reported as this could result in a system hijack.
3. Browsing social media while working
When employees choose to browse Facebook, Twitter, and other social platforms while on the job, the door can open wide for cybercriminals. Social media is the most common component of a social engineering attack, one of the main reasons for which many employees are unaware of the potential risks that arise from a daily activity for most of us. Add to this the lack of security awareness training focused on social media use, and you have a recipe for a successful attack.
The uptrend of mobile workforces has also seen an increase in the use of social platforms on company devices, exacerbating significant risks to an organization.
4. Accepting fake LinkedIn invites
One of the latest scams that is growing in popularity is the promotion of fake employee accounts used to gather information on LinkedIn. For example, someone pretends to be a known member of your organization (usually a project team or company manager) and creates a fake LinkedIn account. The scammer connects with a user in your organization and then starts communicating via message.
For an employee, a company executive contacting them and asking for details about the company may mean that this perceived sense of importance and urgency overshadows any doubt. The danger is that the employee unwittingly gives sensitive information to a cybercriminal and that information is then used in a broader campaign targeting the company through possible targeted phishing.
Due to the high volume of connection requests we receive through LinkedIn, it can be difficult to avoid accepting fake accounts. One possible step is to encourage employees to email the business address of the person they contacted within their organization (if that person wants information).
5. Fake IT Support
Another common social engineering tactic is pretending to be IT Support. If successful, this can drastically impact a network. This type of attack is very successful as it can gain the attacker physical access to network computers.
It can only take a few seconds for someone to compromise a computer with physical access. One of the most common tools a social engineer uses is a USB flash drive, which is very small, easy to hide, and easily loaded with different kinds of payloads depending on the task that needs to be done.
6. Changing Passwords
This type of social engineering relies on calling the help desk support of a business and asking them to change the password of the person they're posing. It is very difficult to determine if the person is legitimate as this is a vishing method, people can be easily manipulated over the phone as you can only hear their voice.
Often times, a social engineer masquerades as a senior employee, such as a manager or CEO. After all, they're the ones who have access to the most important thing a business has, money and data. After changing the password, they can access whatever they want, but the fact that the actual employee cannot access it makes it even more difficult to regain access and terminate the social engineers.
7. Drop a name
This social engineering method is very difficult to spot because an email mentions the name of a trusted colleague. If an email contains someone's name, you assume it's not from a social engineer.
Just like any social engineering scam, this one is based on your emotions, once you trust someone you will do whatever they want. Even if it means giving your credentials or password. The problem is, you have no idea who is sitting behind the screen that sent you that email.
- What is the most common social engineering attack?The most common social engineering attack is the Phishing attack.
- What is a phishing attack?Phishing is a form often used to steal user data, including login credentials and credit card numbers. It's a social engineering attack.
- What is the scope of cyber security awareness training? Who should receive this training?This training includes the process of educating employees on different cybersecurity risks and threats and potential vulnerabilities. Employees should learn best practices and procedures for keeping networks and data secure, and the consequences of not doing so. These consequences can include the loss of one's job, criminal penalties, and even irreparable damage to the company. Cybersecurity professionals can support this potential vulnerability by informing employees of the extent of threats and what is at stake if security fails.
- What should you pay attention to when opening unknown e-mails?
- An unusual sense of urgency in emails, texts
- Emails with unusual grammatical or expression errors
- Suspicious-looking links in email body