Episode #12: What is Social Engineering?
Social Engineering sounds like a strange lovechild of Social Studies and Electrical Engineering. In truth it's a manipulation tactic that's widely used by cyber criminals. With the help of our AI friend, we discover what it is and the red flags that you should plant in your brain.
What is Social Engineering?
Social engineering refers to a type of manipulation or deception used by attackers to trick individuals into disclosing sensitive information or performing a certain action. This can take the form of phishing scams, pretexting, baiting, or other tactics that exploit human trust and emotions. The goal of social engineering is to gain access to sensitive information or resources, such as login credentials, financial data, or confidential company information. It is important to be aware of these tactics and to be cautious when giving out personal information or clicking on links in unexpected messages.
Can you provide some examples of different social engineering tactics and how they were used in a cyber attack?
Phishing: This is one of the most common forms of social engineering, where attackers send an email or message that appears to be from a legitimate source (such as a bank or company) in order to trick the recipient into providing sensitive information or clicking on a malicious link. For example, in 2016, attackers sent emails to employees of a large US company that appeared to be from the company's CEO, requesting the employees to transfer money to a specific bank account.
Baiting: This tactic involves offering something of value to the target, such as a free download or prize, in order to trick them into providing sensitive information or installing malware. For example, in 2013, attackers used a baiting tactic to trick users into downloading a malicious mobile app that appeared to be a legitimate game, but actually harvested personal information and sent it to a remote server.
Pretexting: This tactic involves creating a false sense of trust or authority in order to obtain sensitive information. For example, an attacker may impersonate a bank employee or law enforcement officer in order to trick a target into providing personal information or account details.
Scareware: This is a type of social engineering that involves tricking users into believing their computer is infected with malware, and then offering to sell them a fake anti-virus software to remove it.
Vishing: This is another common social engineering tactic in which attackers use phone calls to trick individuals into revealing sensitive information. For example, an attacker may call a person pretending to be from a bank or other financial institution and ask for account information and personal details.
It's important to note that these tactics are used in different ways and combinations to achieve the end goal of stealing sensitive information. It's important to be aware and cautious when receiving any unsolicited emails or phone calls, and never to give out personal information without verifying the identity of the person first.
I received an unsolicited call from someone at Microsoft saying that my PC was infected with a virus. Is this legitimate? The situation sounds similar to Scareware.
It is unlikely that this call is legitimate. Microsoft and other reputable companies do not typically make unsolicited phone calls to inform individuals that their computer is infected with a virus. This is a common tactic used by scammers, known as "tech support scams" where they try to trick individuals into giving them remote access to their computer or paying for unnecessary technical support services.
If you receive a call from someone claiming to be from Microsoft or another company offering to help you with a computer problem, it is important to be skeptical and not to provide any personal information or allow remote access to your computer.
You can verify the legitimacy of the caller by contacting the company directly using contact information from a reputable source, such as their official website or phone directory, and verifying the information provided by the caller.
It's also important to be sure that your computer is protected with up-to-date anti-virus software, to use a firewall, and to keep your operating system and other software up-to-date with the latest security patches.
How can I identify Social Engineering tactics? Are there any psychological tactics I should look out for?
There are several tactics that attackers use in social engineering, and they can be difficult to identify. However, there are some signs to watch out for:
Urgency: Social engineers often try to create a sense of urgency to pressure the target into making a quick decision. This can take the form of a fake deadline, a warning of an impending security threat, or a sense of exclusivity.
Authority: Social engineers often try to create a sense of trust by impersonating someone in a position of authority, such as a bank employee, a government official, or a company representative.
Personalization: Social engineers often try to create a sense of familiarity by using personal information about the target, such as their name, address, or phone number.
Flattery: Social engineers often try to create a sense of trust by flattering the target, such as offering a prize or a special deal.
Emotion: Social engineers often try to create a sense of fear, greed, or curiosity in the target in order to manipulate them into taking a certain action.
It's important to be aware of these tactics and to be cautious when giving out personal information or clicking on links in unexpected messages.
In terms of psychological tactics, social engineers often rely on cognitive biases such as the authority bias, social proof bias, and scarcity bias to influence the target's decision.
The authority bias is the tendency to follow authority figures, social proof bias is the tendency to conform to the actions of others, and scarcity bias is the tendency to want something more when it is less available.
Be aware of these cognitive biases and think critically when faced with a decision or request for personal information.
It's also important to be skeptical of unsolicited messages or phone calls, and to verify the identity of the person before providing any personal information.
You mention that Emotion is used in Social Engineering. Do hackers and scammers try to start relationships with people?
Yes, hackers and scammers may try to establish a relationship with their target in order to gain their trust and manipulate them into providing sensitive information or performing a certain action. This is often referred to as "spear phishing" where the attacker targets a specific individual or group of individuals, rather than a general population.
They may use various methods to establish a relationship, such as:
Social media: Attackers may use social media to gather information about the target, such as their interests and hobbies, and then use this information to establish a connection.
Email correspondence: Attackers may use email to establish a relationship over time, by sending a series of seemingly harmless messages that gradually build trust.
In-person interactions: Attackers may use in-person interactions, such as attending a conference or trade show, to establish a relationship with their target.
Romantic relationships can also be used as a tactic in social engineering, known as "romance scams" or "catfishing". In this type of scam, the attacker creates a fake online identity and uses it to establish a romantic relationship with the target. They may use the relationship to gain the target's trust, and then use this trust to extract money, personal information or other resources from the victim.
These types of scams often involve a lot of emotional manipulation, and the attacker may make the victim feel that they are in a serious relationship with them. They may use photos and fake personal information to create a convincing persona.
It's important to be cautious when meeting someone online and to be skeptical of anyone who seems too good to be true. It is important to take time to get to know someone before sharing personal information or sending money. If you suspect that you may be a victim of a romance scam, it is important to report it to the authorities.
It's also important to be aware of the signs of a romance scam, such as:
Asking for money or financial information
Pressure to move the relationship forward quickly
Unusually attractive or successful persona
Avoiding video calls or meeting in person
Asking for sensitive information or to perform a certain action
Be aware of these tactics, so you don't fall into these traps.
I believe in love! What if I scare them away because I won’t send them money?
It's completely normal to be cautious when it comes to sharing personal information or sending money to someone you've never met in person. If someone is truly interested in a romantic relationship with you, they will understand and respect your boundaries.
It's important to remember that scammers often use romance as a way to gain trust and manipulate their victims. They may pressure you to move the relationship forward quickly, or ask for money or financial information.
If you are unsure about the person's intentions, you can always ask for their phone number and call them or ask for a video call. You can also ask them to meet you in person, and if they refuse, it's a red flag that something is not right. Trust your instincts and be cautious.
Imagine you are looking at the dating profile of a relationship scammer. Can you describe what you see as if it was a Stephen King horror novel?
As you scroll through the dating profile, your heart skips a beat as you come across a picture of a stunningly beautiful person. Their eyes seem to gaze into your soul, and you can't help but feel a sense of familiarity. But as you read through their profile, a feeling of unease begins to wash over you.
Their profile is sparse, giving little to no personal information about themselves, as if they are hiding in the shadows, waiting for the perfect moment to strike. You notice that the grammar and spelling on their profile is poor, like a twisted language coming from a nightmare, making you question their authenticity.
Suddenly, you are hit with a message from this person, their words are sweet and full of promises but with a hint of urgency. They want to meet you, they want to know you, they want to love you, but they need your help. They need you to send them money for a flight, for an emergency, for something that seems too good to be true, and you can't shake off the feeling that you're being watched, that someone is pulling the strings behind the scenes.
As you scroll through their pictures, you realize that they all look too good to be true. They're all models, all too perfect, as if they're not real people but a figment of a twisted imagination. The more you read, the more you feel like you're falling into a trap, like a bait on a hook, and you can't help but feel like you're being watched, like the scammer is always one step ahead.
You try to shake off the feeling of dread, but it clings to you like a thick fog, making it hard to breathe. You realize that you're dealing with a master of deception, a master of manipulation, and a master of fear. This is not a dating profile, this is a horror story, and you're the main character.