
Social Engineering - A Complete Course in Psychology
Social engineering is a collection of diverse and evolving manipulation techniques used to obtain personal information, system access, passwords, money or other valuables. The phenomenon straddles the line between cybersecurity and psychology, combining insights from both fields. We will allow ourselves to go even further: modern technology and the modern diseases of society intersect in social engineering.
Social engineering scams are built around how people think and act, and they serve to manipulate that behavior. They are a matter of pure psychology: careful observation, invasion of personal space, provocation and playing with human emotions. A kind of "hacking of the human in people".
With the following lines, we will help you imagine how inventive social engineering attempts can be. If you find that you are already a victim, remember: you remain a victim until you break out of the vicious circle. A rule of psychology that applies here as well.
How does social engineering work?
Ignorance of this growing phenomenon, and underestimation of the information that each of us holds or has access to, is a convenient opportunity for cybercrime, whether online, in person or through other interactions. Staying protected from attacks requires critical, healthy thinking. Everyone wants to believe that they will never be fooled by a phishing email or other enticing invitation, and cybercriminals rely on the entire palette of human emotions to play on our egos.
Typically, social engineering aimed at a specific person or community begins with gathering basic information: interests, behaviors, habits. This process can take place in a single email or over months, in a series of chats, on social media, even face-to-face. Targeted steps to build trust then follow. The attacker looks for weak spots to exploit. Most social engineering attacks rely on real communication and motivate the user to reveal as much as possible and thus compromise themselves. Underestimating such deliberate communication gives a hacker a path to multiple networks and accounts, even from minimal, fragmented information.
Psychology of Social Engineering
Social engineering attacks are built on belief and trust. Credibility is invaluable and essential to believing any story, however improbable.
The emotional flavor of such communication is almost mandatory, because most people are vulnerable precisely in the realm of their feelings. Constructed correctly, an attack gains dominance over a person's inner world and pushes them to take irrational or risky actions under the influence of emotion. States of fear, excitement, curiosity, anger, guilt and sadness provoke uncertainty and confusion and are the ideal environment for influence.
To this manufactured emotional instability is very often added a method characteristic of direct sales: instilling an urgent need and pressure for a quick reaction or decision. Oddly enough, this approach works relatively often. Alternatively, the attacker sometimes offers a reward for reacting promptly. Both approaches reduce the ability to think critically.

Types of attacks
Almost every cyber attack contains some form of social engineering. Phishing is an impersonal and widespread practice that targets many users: attackers impersonate a trusted institution or individual and try to convince you to enter personal data and other valuable information. Spear phishing uses personalized information and is targeted at selected users. "Whaling" attacks target those who can provide high value: celebrities, senior management, senior government officials, etc.
In summary, popular practices look like this:
- Phishing: tactics include fraudulent emails, websites and text messages to steal information
- Spear Phishing: email is used to carry out targeted attacks against individuals or businesses
- Baiting: online and physical social engineering attack that promises the victim a reward
- Scareware: victims are tricked into thinking malware is installed on their computer and that if they pay it will be removed
- Pretexting: uses a false identity to trick victims into giving up information
- Quid Pro Quo: relies on an exchange of information or service to persuade the victim to act
- Catch: relies on human trust to provide a criminal with physical access to a secure building or area
- Vishing: urgent voice messages convince victims that they must act quickly to protect themselves from arrest or other risk
- Watering hole: an advanced social engineering attack that infects a website and its visitors with malware
The common thread connecting these social engineering techniques is the human element. Cybercriminals know that tapping into human emotions is the best way to steal.
Unusual methods of social engineering
Among the curious cases of social engineering, we will single out a few "textbook" examples. The good old classics: USB drives left in public places, email attachments offering free goods or software, or … the attacker impersonates a legitimate employee or a trusted supplier to gain physical access to a location where information is stored. The latter mostly occurs in corporate environments, government offices, etc.
Worm attacks are evergreen in the world of social engineering. Their goal is to get the user to click on a link or open an infected file.
The Love Letter worm overwhelmed the email servers of many companies in 2000. Victims received an email inviting them to open the attached love letter. When opened, the worm copied itself to all contacts in the victim's address book. This worm is still considered to have caused some of the most devastating financial damage.
The email worm Mydoom appeared on the Internet in January 2004 and used text imitating technical messages sent by a mail server.
The Swen worm presents itself as a message sent by Microsoft. It claims that the attached file is an add-on to the Windows office suite. It's hardly surprising that many people take this seriously and install it.
Peer-to-peer networks are also used to distribute malware. A worm or Trojan appears under a name that attracts attention, and it is also very likely that users will not report a potential problem. For example: AIM & AOL Password Hacker.exe, Microsoft CD Key Generator.exe, PornStar3D.exe, Play Station emulator crack.exe, or why not "Free access to the Internet or mobile communications".
Another example of this technique: a Trojan horse was sent to email addresses taken from a recruitment website. People who had registered on the site received fake job offers carrying a Trojan horse. The attack mainly targeted corporate email addresses. Cybercriminals know that staff who received the Trojan would not want to tell their employers they had been infected while looking for alternative work.
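The lures described above (urgency and reward pressure in the wording, attachments that are executables hiding behind a document name, a display name that borrows a trusted brand such as Microsoft) are all things a mail gateway or a SOC analyst can score mechanically. The following script is an added example, not code from the original article or from Geletron; it runs a small heuristic triage over four constructed sample messages. The keyword lists, point values, threshold and the brand-to-domain table are assumptions chosen for illustration, not a production rule set.

```python
import re

# Extensions Windows will execute on double-click (assumed list for the example).
EXECUTABLE_EXTS = {"exe", "vbs", "scr", "js", "bat", "cmd", "pif", "com"}
# Document-looking extensions used to disguise a double-extension payload.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "jpg", "xls", "xlsx"}

URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b",
                    r"\bsuspend(ed)?\b", r"\bact now\b", r"\blast chance\b"]
LURE_PATTERNS = [r"\bfree\b", r"\breward\b", r"\bprize\b", r"\bwinner\b",
                 r"\bcrack\b", r"\bkey generator\b", r"\bpassword hacker\b",
                 r"\blove ?letter\b"]
# Display-name keyword -> domain mail claiming that brand should come from (assumed).
IMPERSONATED_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off between "review" and "suspicious"

# Constructed sample messages; none of these are real mail.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from_name": "IT Support", "from_addr": "helpdesk@example-corp.com",
     "subject": "Monthly newsletter", "body": "Here is the newsletter. No action needed.",
     "attachments": ["newsletter.pdf"]},
    {"id": "msg-2", "from_name": "Microsoft Security", "from_addr": "update@mail-notify.example",
     "subject": "URGENT: your account will be suspended in 24 hours",
     "body": "Install the attached add-on immediately or lose access.",
     "attachments": ["windows_addon.pdf.exe"]},
    {"id": "msg-3", "from_name": "HR Department", "from_addr": "hr@example-corp.com",
     "subject": "ILOVEYOU", "body": "kindly check the attached LOVELETTER coming from me.",
     "attachments": ["LOVE-LETTER-FOR-YOU.TXT.vbs"]},
    {"id": "msg-4", "from_name": "Prize Desk", "from_addr": "prizes@lottery.example",
     "subject": "You are a winner!", "body": "Claim your free prize within 48 hours.",
     "attachments": []},
]


def attachment_indicators(names):
    """Return (label, points) pairs for executable and double-extension attachments."""
    found = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
            continue
        found.append((f"executable attachment: {name}", 3))
        # e.g. invoice.pdf.exe: a document extension just before the real one
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            found.append((f"double extension disguises payload: {name}", 2))
    return found


def text_indicators(text):
    """Score urgency pressure and reward/curiosity lures once each, however many words match."""
    found = []
    if any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS):
        found.append(("urgency / time-pressure wording", 2))
    if any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS):
        found.append(("reward or curiosity lure wording", 1))
    return found


def sender_indicators(from_name, from_addr):
    """Flag a display name that claims a brand the sender domain does not belong to."""
    found = []
    domain = from_addr.rsplit("@", 1)[-1].lower()
    for brand, expected in IMPERSONATED_BRANDS.items():
        claims_brand = brand in from_name.lower()
        legit_domain = domain == expected or domain.endswith("." + expected)
        if claims_brand and not legit_domain:
            found.append((f"display name claims {brand!r} but address is @{domain}", 2))
    return found


def score_message(msg):
    """Combine all indicator groups into a score and a verdict for one message."""
    indicators = (attachment_indicators(msg.get("attachments", []))
                  + text_indicators(msg.get("subject", "") + " " + msg.get("body", ""))
                  + sender_indicators(msg.get("from_name", ""), msg.get("from_addr", "")))
    score = sum(points for _, points in indicators)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else ("review" if score else "clean")
    return {"id": msg["id"], "score": score, "verdict": verdict,
            "indicators": [label for label, _ in indicators]}


def triage(messages):
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(f"{result['id']}: {result['verdict']} (score {result['score']})")
        for label in result["indicators"]:
            print("   -", label)
```

Each indicator group is scored once per message so that a long, shouty email does not outrank a short one carrying a real executable; the attachment and sender checks carry the most weight because they are the cheapest for a defender to verify and the hardest for the sender to explain away. msg-4 deliberately lands in "review": pressure wording alone is a reason for a second look, not for a block.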
Recommendations to companies
Changing human behavior happens slowly and requires awareness. The best protection is people-oriented: awareness training. Through an in-person simulation conducted by experienced IT trainers, employees can truly appreciate how social engineering works.
Finally, work with a partner who is more than just your IT consultant and who understands the unique needs of your company and its people. Expect from them a customized program to raise awareness and psychological resilience to social engineering. You can trust us.