Frauds and scams have existed for as long as human civilisation itself. The earliest recorded scam dates back to 300 BC in Greece as a bottomry scam, an ancient insurance scam involving a ship. In this new age and era of digitalisation, these crimes don’t stop. They simply change form and now appear as cybercrimes and, more dangerously, social engineering attacks. Social engineering attacks are a vicious form of cyber-attack in which the threat does not target technology but the user. Getting to know this threat in detail is the first step towards shielding ourselves from it.
Understanding how social engineering attacks work
Social engineering attacks prey on the trust of unsuspecting users to obtain data and private information from victims. These attacks manipulate victims into disclosing personal information. This information helps the threat actors, the ones carrying out the attack, gain access to protected networks and spread malware.
Usually, these attacks have one of two goals in mind: (a) sabotaging or corrupting data or (b) theft of sensitive information such as passwords or account details.
Social engineering attacks follow a basic formula:
- The threat actor gathers background information and necessary details to carry out the attack.
- Then, they establish a relationship with the user. They lull the user into a false sense of security so that the user ends up compromising their own data.
- The threat actor withdraws from the situation as soon as the attack is complete.
Now, doesn’t that sound like gaslighting at its digital finest? This entire process can take several months or a single phone call or email. The worst part is that most people do not possess in-depth knowledge of the software these scammers use, which is precisely what these scammers bank on. Knowledge is power, and these threat actors know how to wield it.
Types of social engineering attacks
Social engineering attacks take on various forms, each as menacing as the next. Here is what their calling cards look like.
● Phishing
If you want to know just how effective and dangerous social engineering attacks are, look at Google and Facebook. That’s right, Google and Facebook, two technological powerhouses, fell for a $100 million phishing scam. Between 2013 and 2015, Evaldas Rimasauskas, a Lithuanian man, and his team set up a fake computer manufacturing company. This company claimed to work with the two powerhouses and sent phishing emails to Google and Facebook employees, invoicing them for services. They then deposited the money directly into fraudulent bank accounts. In 2019, Rimasauskas received a 5-year prison sentence.
Among social engineering attacks, phishing is the most common. For instance, 91% of data breaches occur due to phishing. Phishing scams are usually done through emails, social media, or phone calls and appear legitimate on the surface. Scammers pretend to be trusted individuals or institutions and persuade the user to give up private information by creating a situation in which it seems logical for the user to provide their data.
There are two types of phishing scams:
- Spam phishing is carried out on a wide scale and targets multiple users at once through fake forms or links. It’s more effective than you think!
- Spear phishing targets a specific individual to draw out confidential information such as bank details.
● Malware implementation
Have you ever opened a link or a website, and it throws you to a landing page with blaring red messages claiming that you have a virus on your device? And that you need to download or press something to get rid of the alleged virus on your device? I know you have; let’s not pretend otherwise.
What you witnessed and what made you panic the first few times you saw it is called scareware. It exploits the user’s fear by using fake threats of malware or viruses. Then, the hacker makes the user provide access to personal data to “fix” the malware. They may even dare to deceive the user into installing software that is actually malware.
“Congratulations! You’ve won an iPhone 14!” Have you, really? Another form of malware implementation is Quid Pro Quo. Scammers often use this tactic on users that have signed up for giveaways by sending them carefully crafted emails or social media messages. These messages inform users that they have won something or are eligible for a reward if they share their personal information. Again, we’ve all seen our fair share of these. Deceptively alluring, aren’t they?
● Watering hole attacks
This trick is a form of spam phishing. It involves infecting popular online spaces with destructive malware, which impacts many users and devices at once. This form of attack requires a lot of careful planning on the hacker’s part, as it requires them to hunt for weaknesses within the functioning of a website to hack it.
An example of this happened in 2017 when hackers infested a Ukrainian government website. The users who had unwittingly downloaded the malware had their hard drives erased.
Defence strategies against social engineering attacks
Now, if I’ve scared you enough by telling you all about these attacks, here’s how you can protect yourself and your data from them:
Being wary of online interactions
Learn to differentiate between social engineering attacks and regular social interactions. When interacting with a stranger online, be wary of their behaviour and always think before responding. For example, ask yourself whether the person you’re interacting with is steering the conversation towards getting you to take a particular action. Also, check the validity of website links sent to you before you click them. Finally, always follow your gut instinct if an offer is too good to be true or a person is acting particularly untrustworthy.
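One way to put “check the validity of website links” into practice is to scan the links in an email before clicking any of them. The Python script below is an added example, not code from the original article; it extracts the links from a constructed sample email and flags the tell-tale signs of a phishing link (visible text pointing to one host while the link goes to another, a trusted brand name buried inside an unrelated domain, punycode lookalike domains, raw IP addresses, and credentials hiding the real host). The trusted host list and the sample email are assumptions made up for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the reader actually trusts (constructed sample list for this example)
TRUSTED_HOSTS = {"example-bank.com", "example.com"}

# Constructed sample email: first link is a lookalike, second is genuine
SAMPLE_EMAIL = """<p>Your account is locked.</p>
<a href="https://example-bank.com.account-verify.test/login">https://example-bank.com/login</a>
<a href="https://login.example-bank.com/">Sign in</a>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(url):
    return (urlparse(url).hostname or "").lower()

def link_warnings(href, text):
    """Return the reasons a link deserves a second look before it is clicked."""
    warnings, parsed, host = [], urlparse(href), _host_of(href)
    if parsed.scheme not in ("http", "https"):
        warnings.append("non-web scheme")
    try:
        ipaddress.ip_address(host)          # raises ValueError for a normal name
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (lookalike characters) in domain")
    if "@" in parsed.netloc:
        warnings.append("credentials before @ hide the real host")
    if text.startswith("http") and _host_of(text) and _host_of(text) != host:
        warnings.append(f"visible text says {_host_of(text)} but link goes to {host}")
    if any(t in host and host != t and not host.endswith("." + t) for t in TRUSTED_HOSTS):
        warnings.append("trusted name embedded in an unrelated domain")
    return warnings

def scan_email_html(html):
    """Map every link in an HTML email to its list of warnings (empty = looks fine)."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: link_warnings(href, text) for href, text in collector.links}
```

Running `scan_email_html(SAMPLE_EMAIL)` reports two warnings for the first link and none for the genuine sign-in link; an empty list means the checks found nothing, not that the link is safe.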
Introduction of security risk awareness training
Organisations need to emphasise the importance of cyber security and risk awareness training for their employees. In addition, companies should establish security policies and an effective plan of action that prepares employees at every level to make sound decisions when faced with a social engineering attack.
This practice should also be introduced at the school level. The internet is a great tool to educate and entertain children. However, this digital accessibility offered to children makes them especially vulnerable to cyber-attacks. Therefore, schools should introduce cyber-vigilance and practise safe internet behaviour from a young age.
Proper layering of antivirus applications
Scammers evolve with every technological advancement too. People often rely on basic antivirus applications as their primary form of protection, but they are not enough. A multi-layer approach to antivirus is more effective in protecting against and preventing the spread of malware on different levels. Furthermore, this approach ensures that the malware never reaches sensitive data.
Social engineering attacks are particularly malicious because they exploit a core part of human experience: the inclination to trust others. As we gain more knowledge about the risks of being online, observing safe internet practices has become more critical now than ever. These practices protect not just your data but also yourself and others around you.