Blog Post
Interesting and Relevant Articles on Cyber Safety
What Is Social Engineering?
While some cyberattacks are highly technical and committed behind the scenes, others are accomplished using unsophisticated methods right out in the open. These kinds of cyberattacks usually take the form of emails and other types of communication, and in order for them to work, a user has to be convinced to perform some type of action, such as sharing personal information or clicking on a link or attachment. With such cyberattacks, the cybercriminal––hacker––uses social engineering disguised as normal human interaction to persuade the user to perform the action necessary to complete the cyberattack.
Social engineering is a broad term that includes all of the many ways hackers attempt to manipulate potential victims. During social engineering attacks,
hackers typically use a non-aggressive approach and often present themselves as someone with knowledge and authority who is simply trying to help. Social engineering often involves spoofing, a tool hackers use to disguise themselves and to appear as though they are legitimate. Using spoofing, a hacker can convince a user to provide just enough information to allow the hacker to gainaccess to the user’s device or the sensitive information stored on it. Through social engineering, hackers can access networks, data, physical buildings, sources of money, information, and other targets using psychological manipulation rather than the technical expertise commonly associated with sophisticated cyberattacks.
Cyberattacks using social engineering come in a variety of forms, including the following:
- phishing –attacks carried out via email in which hackers impersonate legitimate individuals or organizations.
- spear-phishing – phishing attacks that target a specific individual or organization.
- CEO fraud–a version of spear-phishing that involves a hacker impersonating a senior executive within an organization’s hierarchy in order to convince another high-level employee to perform a given action or provide certain information.
- vishing – a form of phishing in which the hacker uses voice calls instead of emails.
- smishing – a form of phishing that uses text messages instead of emails.
- whaling – phishing attacks that are specifically directed at high-level targets.
- pretexting - a ploy by a hacker in which the hacker claims to have a stated reason for doing something when they actually have a separate, hidden reason.
- baiting – an attack that includes the promise of some kind of reward if a certain action is performed
- quid pro quo – an attack that involves a hacker offering the user something in exchange for something from the user.
- honeytrapping – an attack in which a hacker uses fake photos and information to present themselves as someone looking for some type of romantic or interpersonal relationship and lures the target into believing the fake person is real.
- tailgating – a real-world scenario in which an unauthorized person physically follows an authorized person into a restricted area within a building.