Understanding Social Engineering in Cybersecurity


Social engineering is a manipulation technique that exploits human error to gain access to information or valuables. This article explores what social engineering is, examples of attacks, phases of an attack, and how attackers operate through preparation, infiltration, exploitation, and retreat.

  • Social Engineering
  • Cybersecurity
  • Cyber Attacks
  • Human Manipulation
  • Information Security


Presentation Transcript


  1. Social Engineering Cybersecurity Ambassador Program www.iowacyberhub.org/ambassadors

  2. What is Social Engineering? - Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. It often plays on emotions such as greed, fear, and urgency, and exploits a user's lack of knowledge.

  3. Examples of Social Engineering - The victim gets a call from a seemingly legitimate source telling them that their computer is infected with malware and that they must download antivirus software, which ultimately gives the attacker access to the victim's computer. This attack uses the victim's fear, sense of urgency, and lack of knowledge. - The victim gets an email saying they have won something and directing them to click a link, which then gives the attacker access to their computer. This attack relies on greed. - The victim receives a text message saying that their bank information has been compromised and directing them to a link where they are asked to enter their bank details. This attack uses the victim's fear, sense of urgency, and lack of knowledge.

  4. Phases of an Attack

  5. Phase 1: Preparation - Attackers first prepare by finding victims that possess what they want, whether it be money, authorization, confidential information, etc. They gather information through social media and other open sources, which is called open source intelligence (OSINT). Then, based on that information, they craft the perfect attack.

  6. Phase 2: Hook/Infiltration - The attacker first looks for an entry point such as an email address, a social media profile, or some other way to get in touch with the victim. Then they use a deceptive hook that captures the victim's attention and encourages them to respond. Infiltration can range from the victim clicking an infected link in an email to the attacker building a complete relationship with the victim in order to exploit them.

  7. Phase 3: Exploitation/Attack - The attack will look different depending on the attacker's end goal, and can range from stealing data to installing malware on the victim's device. Exploitation always requires the victim to take some detrimental action themselves, which is why social engineering is sometimes known as "human hacking".

  8. Phase 4: Retreat - Once the attacker has succeeded, they disengage from the victim. They often leave little to no evidence behind, making these crimes hard to detect and the culprit especially hard to identify.

  9. Common Attacks

  10. Phishing - Phishing and its variations are among the most common attacks used today, and are often overlooked and underestimated. Phishing works by contacting victims (usually through email) with a legitimate-looking message that gets the victim to perform some action. Highly skilled attackers can craft phishing messages whose illegitimacy is extremely hard to detect.

  11. Phishing Variations
  - Spear Phishing: Similar to traditional phishing, but where normal phishing has no specific target, spear phishing tailors the attack to a specific person or organization.
  - Whaling: Spear phishing whose target is a high-profile person, AKA a "big fish".
  - Smishing: Phishing through text messages. Scammers are often able to spoof (forge) the sending phone number.
  - Vishing: Phishing done over the phone. This attack has become more popular in recent years with the development of voice deepfakes.
  - Baiting: Attackers lure victims into providing valuable information with the promise of something in return (e.g. free music/movie download links, or an infected USB drive that looks enticing).

  12. Pretexting & Spoofing - Pretexting happens when someone creates a fake persona, or even uses their real role, to manipulate others. This is often the cause of internal data breaches (e.g. a system administrator misuses their position to get sensitive information from coworkers). - Spoofing happens when an attacker disguises an email address, phone number, etc. to look like it is coming from a verified source, in order to gain the victim's trust.
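The header and link mismatches behind the phishing slides (10 and 11) and the spoofing slide above can be checked mechanically. The following is an added example in Python; it is not part of the original presentation or the Iowa Cyber Hub program. It parses two constructed messages (a spoofed "bank alert" and a clean statement notice, both invented for this example) and reports indicators: a Reply-To or Return-Path domain that differs from the From domain, and links whose target domain differs from the sender's domain or from the URL shown in the link text. The domain names and the two-label "registered domain" approximation are assumptions made for the example, not a real public-suffix list.

```python
"""Heuristic checks for spoofed sender headers and deceptive links in an email."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a raw message imitating a bank notification (not a real email).
SAMPLE_EMAIL = b"""From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@mail-verify.example.net
Return-Path: <bounce@mail-verify.example.net>
To: victim@example.org
Subject: Urgent: your account has been compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your details within 24 hours.</p>
<p><a href="http://login.example-bank.com.verify-now.example.net/auth">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed sample: a consistent message where every domain matches the sender.
CLEAN_EMAIL = b"""From: "Example Bank" <alerts@example-bank.com>
Reply-To: alerts@example-bank.com
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain approximation: last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value):
    """Registered domain of an address header such as 'Name <user@host>'; '' if absent."""
    _, address = parseaddr(str(header_value) if header_value else "")
    return registered_domain(address.rpartition("@")[2]) if "@" in address else ""


def domain_of_url(url):
    return registered_domain(urlparse(url).hostname or "")


def analyze_message(raw_bytes):
    """Return a list of human-readable indicators; an empty list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    indicators = []
    from_domain = domain_of_address(msg["From"])
    # Replies and bounces routed to a different domain than the one displayed in From.
    for header in ("Reply-To", "Return-Path"):
        d = domain_of_address(msg[header])
        if d and d != from_domain:
            indicators.append(f"{header} domain {d} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_domain = domain_of_url(href)
            if href_domain != from_domain:
                indicators.append(f"link target {href_domain} does not match sender domain {from_domain}")
            # Link text that itself looks like a URL but points somewhere else.
            if text.startswith(("http://", "https://")) and domain_of_url(text) != href_domain:
                indicators.append(f"link text shows {domain_of_url(text)} but points to {href_domain}")
    return indicators


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze_message(raw) or ["no indicators"])
```

These checks are heuristics, not proof: a legitimate bulk mailer can also use a third-party Return-Path, and a sophisticated attacker can register a domain that passes every check here. They are meant to surface the mismatches a hurried reader skips over, in the same spirit as the "call the company yourself" advice later in the deck.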

  13. Quid Pro Quo/Tech Support Attack - This attack most commonly happens when an attacker pretends to be from an IT company or other tech service provider. They use their fake position of authority to steal victims' credentials or install malware on their computers by making a bogus offer (free internet, free virus detection, etc.). This plays on people's tendency to do something for someone who has done something for them, which is why it is called quid pro quo.

  14. Honeytraps/Romance Scams - Attackers create fake dating profiles that often seem too good to be true in order to get something from victims (usually money). They often profess their love quickly and lure victims off the dating app. They build trust before asking victims for money for travel, medical bills, etc.

  15. Attack Prevention

  16. Grammar & Spelling Mistakes - While often overlooked, grammar and spelling mistakes can be a big indicator of a scam. Watch for them in texts, emails, email addresses, website URLs, etc.
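"Spelling mistakes" in a URL are often deliberate: a look-alike domain built to pass a quick glance. The following is an added example in Python, not part of the original presentation, that classifies the host of a URL against a small trusted-domain list. The list, the confusable-character table and the two-label "registrable domain" approximation are assumptions constructed for the example. It catches one-character typosquats, digit-for-letter substitutions, non-ASCII or punycode (IDN) homoglyph hosts, and a trusted name buried in a subdomain of an unrelated domain.

```python
"""Classify a URL's host against a trusted-domain list: typosquats, confusable
characters, IDN/punycode homoglyphs, and trusted names embedded in other hosts."""
from urllib.parse import urlparse

# Assumed allow-list of domains the reader actually uses (constructed for this example).
TRUSTED_DOMAINS = ["example-bank.com", "paypal.com", "microsoft.com"]

# A few visually confusable ASCII substitutions attackers use (assumption; not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def fold_confusables(label):
    """Map look-alike characters to the letters they imitate, so 'paypa1' folds to 'paypal'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; a distance of 1 from a trusted label is the classic one-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return one of: trusted, idn-homoglyph, trusted-name-embedded, typosquat, unknown, invalid."""
    host = (urlparse(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "invalid"
    # Non-ASCII or punycode labels: a Cyrillic 'а' in 'pаypal' renders identically to the Latin one.
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in labels):
        return "idn-homoglyph"
    # Crude registrable-domain approximation: last two labels (assumption; no public-suffix list).
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    # Trusted name placed left of the real domain, e.g. example-bank.com.verify-now.example.net
    for t in trusted:
        if t in host:
            return "trusted-name-embedded"
    # Second-level label that matches a trusted one after folding, or is one edit away from it.
    sld = labels[-2]
    for t in trusted:
        tsld = t.split(".")[0]
        if fold_confusables(sld) == tsld or levenshtein(sld, tsld) == 1:
            return "typosquat"
    return "unknown"


if __name__ == "__main__":
    # Constructed URLs covering each outcome; none of these hosts is claimed to exist.
    for u in (
        "https://www.example-bank.com/login",
        "http://paypa1.com/verify",
        "https://microsofft.com",
        "http://login.example-bank.com.verify-now.example.net/auth",
        "https://p\u0430ypal.com/login",
        "https://example.org/",
    ):
        print(f"{classify_url(u):24} {u}")
```

The outcome names are for the reader, not a verdict: "unknown" only means the host resembles nothing on the list, and a browser's real defence is the punycode display and the public-suffix list that this example approximates with two labels.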

  17. Is it too good to be true? - Ask yourself this question when on dating apps or when receiving offers. If it seems too good to be true, it probably is! Trust your intuition. - Be wary of anything free, especially if it requires you to enter credentials, download something, or sign up for something. - Be aware of what you post publicly and what information attackers might be able to access, as they can use it against you. Just because someone knows something personal about you doesn't mean they can be trusted!

  18. Is it too scary to be true? - Ask yourself this question when you receive suspicious phone calls, emails, or texts. If it sounds like a common scare tactic (such as getting hacked, having malware, bank withdrawals, etc.), it probably is! Trust your intuition. - Stay calm! Attackers want to play on your sense of fear and urgency. Think through your decisions before you make them.

  19. Don't trust the unknown - Don't answer unknown or spam calls, texts, or emails. - If you get a suspicious message from what looks like your bank, employer, shipping company, etc., NEVER answer the message directly. Call the company yourself, using a number you already have, to investigate. - Remember, it is better to be safe than sorry, so being extra cautious never hurts.

  20. Questions?

  21. Citations & Extra Reading - What is Social Engineering? - The 12 Latest Types of Social Engineering Attacks (2024) - 5 Tips to Train Workforce on Social Engineering - How to Teach Aging Parents to Avoid Scams
