This is Part Two of our 3-part series on Social Engineering. In this blog, we discuss 5 social engineering attacks you should be aware of.
From our previous blog, we know that SE is the act of tricking a person into doing something against their will. The context behind SE activities can be benign or malicious, but the intent behind the social engineering employed by hackers is always malicious. Cyber criminals use social engineering attacks to prod their victims into:
- Interacting with malicious links, spoofed web pages or email addresses, or email attachments.
- Releasing funds or taking key decisions in the criminal's favour.
There are 5 Social Engineering Attacks that hackers use to target their victims.
Business Email Compromise (BEC) is when an attacker inserts fake email communication into a legitimate email thread. The emails are carefully doctored to look like, and more importantly ‘feel’ like, authentic everyday emails, so no one questions the validity of their instructions or content. BEC attacks show the meticulous research and patience of hackers, and thereby how dangerous they can be.
Besides business communication, similar email hacking can also take place person to person. For example, a colleague at work sends you an amusing video link that ‘you might enjoy’. This colleague is known for sending entertaining email forwards, and the wording of the email is exactly how that person would write it. How long would you hesitate before opening such an email?
Phishing is the act of gaining access to sensitive data by getting the victim to click on a phishing link, submit a form on a spoofed page, or open or edit a document that triggers a malware macro. It falls under social engineering because getting the victim to ‘bite’ the phishing trap requires creating a situation of panic or elation that makes the target forget all caution.
A phishing attack is only as strong as the bait that the criminal places before the target.
Baiting is the psychological manipulator that can make or break a phishing attempt: it is the act of presenting the phishing target with a scenario that causes stress or urgency, or feelings of cheer. In either case, the criminal needs the bait to connect with the victim at an emotional level.
An email saying, ‘We are freezing your account until you re-enter your details’ causes urgent anxiety in the victim. An email along the lines of, ‘You have won the lottery!’ makes the victim elated at the news. A more recent, relevant example would be an email with a subject such as, ‘Covid Vaccine Found’. (Read more on our blog on Covid Phishing.)
Whereas some phishing attacks can be sent out to a large number of victims with a ‘whoever bites’ attitude, baited phishing attacks require more study and research about the victim.
Vishing or Voice Phishing is phishing over the telephone. You interact with the scammer over a telephone call, and cyber criminals use a number of ruses to make their act more convincing.
We all use different voice parameters in our daily verbal communication. Imagine you are quarrelling. What is the volume of your voice? Or imagine you are nervous about a presentation you are giving. How fast are you speaking? How steady is your rhythm of speech when you are confident about your subject? Even the average person can identify changes in rhythm, speed, volume, and pitch and the emotional states they map to.
A social engineer will modulate their voice to alter your emotional state. They will fake authority, joviality, or even some fear to get you to give up the information you would otherwise guard and protect.
Pretexting, in a nutshell, means putting on an act. The criminal will adopt a special persona while interacting with you. They will make their character sympathetic or authoritative so you believe their theatrics. A good pretext will be planned so well that you won’t even consider that the person at the other end is anyone but who they say they are.
Unfortunately, cyber fraudsters are pretty good at this.
A common example of this would be someone posing as a citizen of Nigeria, seeking donations to help them unfreeze their frozen bank accounts. They promise that once they are back in control of their money, they will reimburse all your money plus an added bonus.
Now you know what social engineering attacks look like. But how do you spot an SE attack before it’s too late? Find out in Part Three of the series.