Social Engineering Deceptions and Defenses

Harshkumar Koladiya
Oct 04, 2022

Social engineering is the act of exploiting people. It can be done by speaking with someone in person, by phone, email, or other means. The goal of a social-engineering attack is often to get a person to do something that they wouldn't normally do (like divulge information). It's called social engineering because the attacker works on engineering human beings. Social engineering attacks use human interaction and information-gathering techniques: they involve manipulating people into performing actions or divulging confidential information that will give the attacker access to information or a system they are not supposed to have access to. While social engineering attacks are often perpetrated by hackers, anyone can fall victim to them, including employees and members of the public. Here's what you need to know about social engineering attacks and how to protect yourself from them as best you can.

The social engineering attacks can be grouped into three types:

Human-based - These include scams that rely on deception or manipulation techniques like phishing, confidence tricks, phone impersonation (Vishing), security breaches using insider knowledge such as a hacker accessing a victim's computers with their credentials for a financial institution (Credential Harvesting), or any attack where the target relies on his or her judgment in doing business. An example is when callers pretend to be from Microsoft Tech Support, but you find out later that they are not.

Mobile-based - These involve attacks targeting wireless networks by exploiting weaknesses in wireless protocols and encryption systems such as Wi-Fi, Bluetooth, GPS location data transmission, near field communication (NFC) technology, and radio frequency identification (RFID) tags used to track inventory. These attacks can take place while browsing the web or even at retail stores while scanning items you may want to purchase with your smartphone.

Computer-based - These are primarily aimed at compromising personal data stored on personal computers, including home networks. Attackers might access databases containing credit card numbers or other sensitive information about victims stored locally by exploiting software vulnerabilities, or even by cracking passwords offline, guessing them one character at a time until the guess matches what has been typed so far or a match is eventually found.

The different types of social engineering attacks, with examples:

Phishing: The act of sending someone an email that looks authentic but is actually a scam designed to steal information. Example: You receive an email from your bank that asks you for your account number, even though you didn't log in recently or give permission for the company to have it.

Malware Attack: The act of using malicious software like viruses or spyware on the target system, usually without the target's knowledge. Example: You get a pop-up asking you if you want it to scan your computer for malware.

DDoS Attack: A Distributed Denial of Service attack is when more than one system attacks one system with requests at the same time, shutting it down. An example would be when one user starts a fire by setting off fireworks inside another person's house.

Spearphishing: Similar to phishing, except that the attackers target a specific person instead of just trying to fool whoever they can into clicking on something dangerous. They may use information they find about the person (e.g., job title) to create messages that seem more believable, so that the target will click on them and share sensitive information. An example would be if someone pretended to be your boss and sent you an email telling you that you needed to provide some personal financial info about yourself because there was an issue with your paycheck this month.

Countermeasures:

  • You should deploy a good security policy in your organization and conduct required trainings to make all the employees aware of the possible Social Engineering attacks and their consequences.
  • Document shredding should be a mandatory activity in your company.
  • Make double sure that any links that you receive in your email are coming from authentic sources and that they point to the correct websites. Otherwise you might end up as a victim of Phishing.
  • Be professional and never share your ID and password with anybody else in any case.
  • Use updated antivirus and anti-phishing tools.
  • Perform monitoring and auditing.
