Social engineering: the most common methods and ways to protect from them

Usually a hacker attack is aimed at a victim’s device. But when a hacker uses social engineering methods, the target is the users themselves (wealthy people, people with access to sensitive information, company employees).

Fraudulent actors rely on the human factor and mislead their victims. Using social engineering methods, they play on a victim’s emotions in order to, for instance, steal a customer base or personal data, and then sell this information or use it in further attacks. Gathering the information can take a month or more.

To avoid such situations, you must know how to recognize social engineering methods. The analytical department of Falcongaze has described the most common methods and provides recommendations on how to protect against them.

Social engineering methods:

  • Phishing attacks. In a phishing attack, a fraudulent actor tries to provoke emotions so that the victim hands over credentials and other information without a second thought. Hackers send messages with subjects such as “Urgently”, “You are hacked” or “You’ve got $300,000 on your account”. You open the message, follow all the links, and the fraudulent actor gets what they want. Phishing can be aimed at many people at the same time in the expectation that somebody will be caught. Or it can be targeted: a hacker pretends to be your friend or an authority figure (e.g. a company spokesperson) and tries to get the information they need. Phishing messages often contain shortened links to malicious websites, and they are often written with grammar or spelling mistakes.
  • Pretexting. This is when malicious actors work on gaining your trust. They create a pretext or a scenario to find out your data or make you do something. They may ask the victim to identify themselves, and to do so you are asked several questions: for instance, your mother’s maiden name, place of birth, date of birth, password, credit card number or CVV. They later use these data for their own purposes.
  • Baiting. This method targets the victim’s curiosity or greed. Using baiting, a hacker offers the victim something attractive (e.g. useful files to download for free) in exchange for registering on a website. The bait can also be physical: a USB flash drive or other device left in plain sight so that one of the employees picks it up on their way to the workplace. These objects often carry a “Confidential” or “Salary info” label. Curious employees connect the unknown device to their computer without a second thought, and malicious code may then be executed.
  • Quid pro quo. A fraudulent actor asks for personal information in exchange for a favor. For example, they call a victim pretending to be a company employee and offer free help in exchange for credentials.
  • Tailgating, or piggybacking. In this kind of attack a malicious actor gets into the office by pretending to be a delivery service employee, or one of the victim’s employees simply lets them in without a second thought. It rarely happens in companies that require an ID card at the entrance; nevertheless, a card can be stolen or fabricated. Recall the story of the famous hacker Kevin Mitnick, who fabricated travel cards and ID cards. All he had to do was place the card elements (photo, first name, surname, etc.) in the correct order. He took advantage of the human factor: the card is rarely checked closely, and it is often enough to see that all the details are laid out the way the company’s card template prescribes. And you are allowed into the building.

What should you do in order not to become a victim?

  • Pay attention to the source. Who sent the message? Can they identify themselves? Check the domain name of the e-mail address: if it contains mistakes, the message was probably sent by a malicious actor. As for baiting, think carefully before connecting an unknown device to your computer: it may carry malware.
  • Pay attention to your emotions. Ask yourself “Are my emotions exaggerated?” or “Do I feel as if I have already made a fortune?” Hackers always play on the victim’s emotions to make them act without thinking. Assume that someone may be manipulating your emotions in order to get sensitive information.
  • Set up security software. There are many antivirus products and firewalls that prevent malware from executing, and they can be used to scan external storage devices. E-mail services have settings for filtering spam and phishing messages. Apply the necessary settings and software to secure your data.
  • Take precautions when connecting to unknown networks. At home or at the workplace, give visitors access to a guest Wi-Fi network rather than your main one; this protects your own connection. Use a VPN: it provides an encrypted “tunnel” when connecting to the Internet.
  • Secure your device. Lock your device whenever you step away, especially at work. Don’t leave it unattended in a public place (café, airport). Set a strong password. There are services that can shut your computer down if its boot settings are changed. Consider using a smart card or token: then the device cannot be started without the key.
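The checks recommended in the lists above (who sent the message, whether the sender domain is a misspelt copy of a trusted one, shortened links, pressure wording in the subject) can be run mechanically before a reader ever acts on a mail. The following is an added example, not code from Falcongaze or from the original article; the trusted domains, shortener hosts, pressure phrases and the two sample messages are all constructed assumptions for illustration.

```python
"""Added example: a small phishing-indicator checker for incoming e-mail.

It applies the checks recommended in the article (who sent the message,
does the sender domain imitate an organisation the reader trusts, are there
shortened links or pressure wording) to constructed sample messages.
All domains, messages and keyword lists below are assumptions.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Assumed: URL-shortener hosts that hide the real destination of a link.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Assumed: phrases that push the reader to act without thinking.
PRESSURE_PHRASES = ("urgently", "you are hacked", "account suspended",
                    "you've got", "act now", "immediately")

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header, or '' if absent."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return the trusted domain this one imitates (near match, not equal), else None."""
    for good in trusted:
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def phishing_indicators(message: dict) -> list:
    """Return human-readable indicators found in a message dict.

    `message` has keys 'from', 'subject' and 'body'. An empty list means no
    indicator fired, which is not proof that the mail is legitimate.
    """
    findings = []
    domain = sender_domain(message.get("from", ""))
    if not domain:
        findings.append("sender address missing or unparsable")
    elif domain not in TRUSTED_DOMAINS:
        imitated = lookalike_of(domain)
        if imitated:
            findings.append(f"sender domain {domain} looks like {imitated}")
        else:
            findings.append(f"sender domain {domain} is not a known domain")

    text = f"{message.get('subject', '')} {message.get('body', '')}"
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENER_HOSTS:
            findings.append(f"shortened link via {host.lower()}")
    lowered = text.lower()
    for phrase in PRESSURE_PHRASES:
        if phrase in lowered:
            findings.append(f"pressure wording: '{phrase}'")
    return findings


# Constructed sample messages, not real mail.
SAMPLES = [
    {"from": "IT Support <helpdesk@example-corp.com>",
     "subject": "Scheduled maintenance on Saturday",
     "body": "The mail server will be offline 02:00-04:00. No action is needed."},
    {"from": "Security Team <alerts@examp1e-corp.com>",
     "subject": "Urgently: you are hacked",
     "body": "Verify your password now at https://bit.ly/verify-account"},
]


def main():
    for msg in SAMPLES:
        hits = phishing_indicators(msg)
        print(f"{msg['from']!r}: {'review before acting' if hits else 'no indicators'}")
        for hit in hits:
            print("   -", hit)


if __name__ == "__main__":
    main()
```

The second sample fires on every check: the sender domain `examp1e-corp.com` is flagged as an imitation of the trusted `example-corp.com`, the `bit.ly` link is reported as a shortened URL, and both “urgently” and “you are hacked” are picked up as pressure wording. A message with no findings still deserves the human checks from the list above; the script only removes the cases that are easy to spot.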

You must stay on guard in order not to be caught by a hacker using social engineering methods. Every time you get a message from an unknown person asking for credentials, stop and think about why they need it. If you care about your data, set up dedicated software to secure the OS and your device, and set up software to inspect all Internet traffic.

The SecureTower DLP system

  • Data leak protection
  • Staff efficiency and loyalty monitoring
  • Identification of potentially dangerous employees (risk analysis)
  • Business communications archive maintenance
