Social engineering is the umbrella term for attacks that manipulate people rather than technology. The attacker uses psychological techniques, usually combined with ordinary technical means such as e-mail, phone calls or fake websites, to make the target disclose confidential information or take an action (open a file, enter a password, grant access) that sets up the next stage of the attack.
Social engineering attacks unfold in one or more stages. First the attacker selects a target and gathers background information on them: their role, colleagues, the services they use, whatever is public on social networks. Then the attacker makes contact and, with a well-chosen pretext and psychological pressure, gets the target to hand over private data or grant access of their own accord.
The weak point that social engineering exploits is human error. Unlike a software vulnerability, it cannot be patched: a person who is rushed, curious or eager to help can undo technical controls in a single click, and such incidents are harder to detect because they look like legitimate user actions. That does not make them impossible to prepare for, however. Awareness training, simple verification habits and controls that limit the damage of a single mistake, as described at the end of this article, reduce both the likelihood and the impact.
Social engineering is possible wherever people communicate. Below are the most common types of attack.
Baiting plays on greed or curiosity: the target cannot resist finding out what is supposedly secret or free, and takes the bait.
The best-known form of baiting delivers malware on physical media. The attacker leaves a "bait", typically a USB flash drive carrying malware, where it is sure to be found: the lobby of a large company, public transport, a lift, a car park. To make it more tempting the drive may be branded in the style of a well-known company. The finder plugs it in to see what is on it, the malware runs and starts harvesting confidential data. Disabling autorun and restricting the use of unknown removable media on corporate machines removes most of this risk.
Baiting also works online: a pop-up advertisement or banner with a clickbait headline tempts the user to click, and the link leads to a site that infects the computer or asks for credentials.
Scareware, as the name implies, bombards the user with alarming messages such as "your computer is infected, your data will be deleted". Along with the warning comes a malicious program, or a link to one, that supposedly will rescue the data. The user is offered an illusory chance of saving the system and, in trying to take it, installs the malware.
A typical example is a flashing pop-up window reporting a threat and offering to sell a "reliable" protection product or to install an application from a link. Usually it is inexperienced users, far from the world of information security, who react, but even experienced people can click on a pop-up by accident.
Pretexting is the case where the fraudster obtains information through a series of carefully planned deceptions. First contact is made with the victim, perhaps a friendly relationship is built, and the attacker works their way into the victim's confidence. The whole exchange is conducted under the guise of someone with an apparent right to know: a police officer, a colleague, a bank employee, a tax official. Under that pretext the attacker asks the victim to "confirm their identity", either to deliver some notification or, conversely, to collect important information.
In this way the victim can give up card or bank account numbers, a social security number, an account password, their address and telephone number, details of phone conversations, and so on.
Phishing is one of the most widespread types of attack and keeps gaining momentum in fraud campaigns. How does it work? The attacker sends mass messages by e-mail or SMS, crafted to interest the user or to create a sense of urgency.
A typical example is an e-mail to the users of an online service warning of a policy violation that requires immediate action, such as a mandatory password change. It contains a link to a fake website that looks almost identical to the real one and prompts the unsuspecting user to enter their current credentials and a new password. When the form is submitted, the data goes to the attacker.
Phishing e-mails can usually be recognised with a little attention, but they are also easy to click on by accident while rushing between tabs. So read your mail carefully, do not open dubious messages, check the sender's actual address rather than the display name, hover over links to see where they really point (a domain that merely contains your bank's name is not your bank's domain), and above all do not enter personal data on sites you have not verified.
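To make those checks concrete, here is an added example (not code from the article or from Falcongaze) that triages a raw e-mail the way a careful reader should: it ignores the display name and looks at the real sender domain, flags a Reply-To that points elsewhere, compares the text of each link with where its href actually goes, and notes manufactured urgency. The trusted domain example-bank.com, the two sample messages and the phrase list are all constructed for the illustration, and the "registrable domain" helper is deliberately crude (it takes the last two labels and would mishandle suffixes such as co.uk).

```python
"""Heuristic triage of a suspected phishing e-mail.

Added example, not the article's code. The checks mirror the advice in the
text: verify the real sender address, look at where links actually point,
and treat manufactured urgency as a signal. All domains, addresses and the
two sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the domain the organisation really sends from (hypothetical).
TRUSTED_DOMAINS = {"example-bank.com"}

# Phrases that manufacture urgency; a short illustrative list, not exhaustive.
URGENCY_PHRASES = (
    "immediate action",
    "within 24 hours",
    "account will be suspended",
    "verify your password",
)

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: display name and link text imitate the bank, the
# addresses and href do not.
SUSPICIOUS = """From: "Example Bank Security" <security@example-bank.com.verify-login.net>
Reply-To: helpdesk@mail-recovery.xyz
To: user@example.org
Subject: Policy violation: immediate action required
Content-Type: text/html

<p>Your account violates our policy. Reset your password within 24 hours:</p>
<a href="http://example-bank.com.verify-login.net/reset">https://example-bank.com/reset</a>
"""

# Constructed sample of a legitimate notification for comparison.
LEGITIMATE = """From: "Example Bank" <alerts@example-bank.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for last month is available in online banking.</p>
<a href="https://example-bank.com/statements">https://example-bank.com/statements</a>
"""


def registrable(host):
    """Crude 'registrable domain': the last two labels. Ignores multi-label
    public suffixes such as co.uk, which a real tool would handle with a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address):
    """Domain part of an e-mail address, or '' if there is none."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The display name can say anything; only the address after '@' matters.
    sender = domain_of(msg.get("From", ""))
    if sender and registrable(sender) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender} is not a trusted domain")
        # A trusted name buried inside a longer host is the classic lookalike trick.
        for trusted in TRUSTED_DOMAINS:
            if trusted in sender and registrable(sender) != trusted:
                findings.append(f"sender domain {sender} embeds {trusted} as a lookalike")

    # 2. Replies silently routed elsewhere are another sign of a borrowed identity.
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    # 3. Compare the link text the user sees with the href the browser follows.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        if target and registrable(target) not in TRUSTED_DOMAINS:
            findings.append(f"link points to untrusted host {target}")
        if shown and registrable(shown) != registrable(target):
            findings.append(f"link text shows {shown} but points to {target}")

    # 4. Manufactured urgency in the subject or body (tags stripped first).
    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            findings.append(f"urgency cue: '{phrase}'")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyse(sample))
```

Run against the suspicious sample it reports seven findings (untrusted and lookalike sender, foreign Reply-To, an untrusted link target, a link whose visible text disagrees with its href, and two urgency cues); the legitimate sample produces none. The point of the exercise is the order of the checks: everything a user normally looks at (display name, link text, the look of the page) is attacker-controlled, and only the parts the mail client hides by default (real address, real href) carry any evidence.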
Spear phishing is a targeted version of phishing in which the attacker goes after specific individuals or organisations. Messages are tailored to the victim's role, interests and contacts so that they blend in with normal correspondence. Spear phishing demands far more effort from the attacker and can take weeks or months, but a well-executed campaign is much harder to spot and has a higher success rate.
Forged documents for a spear-phishing target, for example, are produced very painstakingly, often with the help of skilled specialists, and e-mails or even paper letters carrying them are sent to company management or to senior professionals, people who may already have seen scams of this kind and are therefore harder to deceive.
Social engineering preys on emotion and inattention, so here is a list of basic habits you should not neglect if you want to keep your data private.
Do not click on suspicious links or open attachments of unclear content. If you do not recognise the sender's address, or cannot contact the sender directly through a channel you already know to confirm that they really sent the message, it is best not to open it at all.
Do not fall for "good" deals. Installing security software or running a virus check from a dubious source is a likely route to a data leak. At minimum, look up the company, its field of activity, licence and customer reviews; better still, do not react to pop-up headlines at all.
Use two-factor authentication. Multi-factor authentication means that a stolen password alone is not enough to take over the account. Password plus SMS code, password plus a one-time code from an app, password plus a graphic key, password plus a face or document scan: each variant raises the bar considerably. Bear in mind that a one-time code typed into a phishing page can be relayed to the real site within its validity window, so where available prefer an authenticator app or a hardware security key over SMS.
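As an added example, not code from the article, here is what a "password plus one-time code" factor is underneath: a time-based one-time password (RFC 6238 on top of HOTP, RFC 4226) implemented with the Python standard library, plus a server-side verifier that tolerates a little clock skew but refuses to accept the same code twice. The secret is the RFC 6238 test-vector secret, so the outputs can be checked against the tables in the specification; the TotpVerifier class and its window size are assumptions of this example. Note what it does not do: if a user types a valid code into a phishing page, the attacker can relay it within the 30-second step, which is why this factor defeats password theft but not real-time phishing.

```python
"""Time-based one-time passwords (RFC 6238 over HOTP, RFC 4226) with the stdlib.

Added example for illustration; not the article's code. The secret below is
the RFC 6238 test-vector secret, so results can be checked against the RFC
tables. TotpVerifier is a hypothetical server-side class written for this example.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode the Base32 secret an authenticator app receives at enrolment."""
    return base64.b32decode(text.replace(" ", "").upper())


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter derived from Unix time (RFC 6238)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: a code is valid within +/- `window` steps of the
    current time and is accepted at most once, so a replayed code is rejected."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1            # highest counter already consumed

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                  # replay, or older than the last accepted code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))                      # 287082 (RFC 6238, 6 digits)
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(verifier.verify("287082", 59), verifier.verify("287082", 59))   # True False
```

Two design points matter more than the arithmetic. The comparison uses hmac.compare_digest so that a wrong guess does not leak how many leading digits were right, and the verifier remembers the last accepted counter so that a code captured from a user is useless even inside the skew window once the user has logged in with it. Neither protects against an attacker who relays the code faster than the user, which is the residual risk the paragraph above describes.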
Deploy a DLP system in the company. Protecting personal data is hard, protecting corporate data is harder, and a leak can cost an organisation a great deal. One way to guard against leaks is SecureTower, the DLP system from Falcongaze. It protects company data by controlling all channels of user communication (analysing all sent and received information) and by monitoring employee behaviour (all of an employee's actions on the computer). If analysis of the intercepted data and behaviour reveals a violation of security rules, the system automatically reports the incident and can block sending a file, copying, visiting a web resource or launching an application. SecureTower notifies the information security team and company management about the incident together with all the details, which makes a rapid investigation possible. Bear in mind that a DLP system limits the damage after a user has already been deceived; it complements the habits above rather than replacing them.
During an investigation, SecureTower lets you open a case in which you record the progress of the investigation, identify the persons involved and, once it is complete, produce a report for management. The collected data may also serve as evidence in court, subject to the rules of the jurisdiction concerned.
Keep your antivirus software and operating system up to date. Make sure automatic updates are enabled, or make it a habit to check for and install the latest updates regularly.
We hope you found this article useful and informative. Remember that most leaks involve a human element, so check your information security and risk awareness regularly, take phishing simulations and incident response training, especially if you are a corporate employee.