Social engineering is one of the best-known manipulation techniques: it exploits human error to gain access to enterprises or to private data. In internet crime, these “human hacking” scams lure unsuspecting users into exposing information, spreading malware infections, or granting access to restricted systems. Attacks can happen online, in person, and through other kinds of interaction.
Scams built on social engineering are engineered around how people feel and act. That is why social engineering attacks are so effective at manipulating a user’s behaviour: once the attacker understands what motivates a user’s actions, they can deceive and manipulate that user very effectively.
In addition, attackers try to exploit a user’s lack of cybersecurity knowledge. This is how some customers and employees fall for certain threats; one example is the drive-by download, where a user downloads a piece of software for free without realising that it carries hidden malware.
Generally, social engineering attackers have one of the following goals:
• Sabotage: disrupting or corrupting information to cause damage.
• Theft: obtaining valuables such as data, access to systems, or money.
To better understand social engineering, it helps to look at its lifecycle and how it works.
Most social engineering attacks are built on direct communication between the attacker and the victim. The attacker prefers to draw the user into a genuine human interaction rather than hunting for exploits or vulnerabilities in the systems themselves.
The attack cycle gives cyber-criminals a repeatable method for deceiving you. A social engineering attack usually follows these steps:
- Information gathering about the victim, or about a larger group the victim is a member of.
- The attacker tries to create a relationship, or initiates an interaction with the victim online or offline, in order to build trust.
- Once trust is built, the attacker exploits the victim’s information and looks for the weaknesses that will help with the attack.
- Once all the necessary information is gathered, the attacker disengages from the victim and, of course, can never be found again, online or offline.
Last but not least, the attacker will try to gather as much information as possible from every single email, from a series of social media chats, or even from face-to-face conversations, over months or sometimes even years.
Tips on how to spot a social engineering attempt, and examples of how attackers give the impression of being a legitimate user, will follow in our next blog post.
For now, keep in mind that social engineering is a form of attack that, most of the time, does not even use technology to gather information.
Stay safe and always use backups 😊