Social Engineering

Social Engineering is a tool hackers use to extract information without the use of any coding. One common attack is email Phishing. This is often done by appearing to be an authentic source in order to get sensitive information. By gaining enough personal information, a hacker is then able to take advantage of weak security protocols and potentially cause more damage. This can be done in several steps. For example, information gathering>hook>execution.

The information gathering stage relies on using little information to gain more. They will also scout companies that the target is associated with; to see how strong or weak their security protocol is. By this I am referring to how much information those companies will reveal. For example, usually banks have a much more secure protocol. (You’ll find that banks will not be willing to speak to you if get a security question wrong).

However, a utilities company (phone, broadband, water, etc) is more lenient/forgiving in comparison. By identifying an associated company with a weak security protocol, you’ll be surprised how much information you’re able to gather with such little information to start with. The method above is called Vishing, a combination of voice and phishing. The following image is an example of a email phishing attempt.

Email Phishing

I’m sure we all know someone who thought they received an email from HMRC, PayPal or from some type of finance company; saying they were due a refund. Only for them to enter their details and end up hundreds down. This is a prime example of how hackers/scammers will implement social engineering.

By using emails to acquire confidential information. They do this in the hope the target will follow the instructions. This could be by opening a link to their own page; where they can collect further information. Or asking the target to download their evil file; which can have all sorts of spyware. Here are some ways to recognise a fake email.

How to spot fake emails

• Watch out for links asking you to sign in. This is a perfect way for them to directly get your details (often taking you to their website while they record what you input).

• You will usually be addressed by your real name, rather than a; member, customer, etc. (However, more targeted phishing attacks my already have your name).

• Most companies don’t have domain emails (Check their email address by hovering over the name. Make sure there aren’t any standout alterations, such as numbers and letters: Adam@paypal.com Adam@paypal472.com).

• Watch out for emails with files types such as .exe, scr and zip. As companies will usually direct you to their website to download documents (If in doubt its best to contact the company. While this might take longer, having your details stolen or computer damaged is a much lengthier process to sort out).

• Major spelling/grammatical mistakes are also a sign of unauthentic emails

• The methods above will help reduce the likelihood of being scammed however they do not guarantee it. As advanced hackers also know this and will try to make their emails look as professional as possible.

Scareware

Scareware is created to literally scare victims into downloading malware. Warning messages, such as the one included in this section, pop up. Often with an alarm or automated voice emphasising that something should be done to remove some sort of virus. Or to ‘clean your computer’. They will try to lure you to another website or to download their own software (which often has malware).

The ads are made in a way to make you act quick, so you don’t have time to think about the situation. In order to make you act quickly they will try many things, such as; say you’re infected with all sorts of malware, tell you to act quick or you’ll lose all your documents, make it difficult to close the pop-up, appear to do a scans which say your infected and many more.

Overview

Social engineering can be dangerous as it relies on human error, which is much harder to predict than a piece of malware for example. It is also an important aspect to focus on, as it is a method not many people are aware of. It is important both in personal use and for businesses; a company can invest all they want in antivirus software. It only takes one uninformed member of staff to open the wrong email and serious damage can be caused. Similarly, this can also be very destructive for people on a personal level.