Frequently Used Social Engineering Tactics

Social engineering, sometimes referred to as the science and art of hacking human consciousness, is becoming increasingly popular due to the increasing role of social media, email, or other online communication forms in our lives.

We recently analyzed the topic of social engineering. If you missed the basic information, you can find it here.

The term social engineering in information security is widely used to refer to cybercriminals’ techniques. In recent years, cybercriminals who use social engineering have adopted more advanced methods that make them more likely to obtain the information they want, drawing on the modern psychology of company employees and people in general.

Prevent any cyberattack! Follow the tips listed here.

After our latest publication, you gave us feedback in the form of a frequent question: What is an example of social engineering? 

So, today, we’ve decided to tell you about eight main social engineering tactics that hackers frequently use.

Social engineering threats

In the 90s, the concept of “social engineering” was introduced by Kevin Mitnick, an iconic figure in the field of information security and a former hacker of considerable skill.

You can find out more about Kevin and other famous hackers in this article.

However, attackers used such methods long before the term itself appeared. Experts are convinced that the tactics of modern cybercriminals serve two goals:

  • stealing passwords
  • installing malware.

Types of malware are listed here. 

Most cybercriminals will not spend time on technologically sophisticated hacking techniques if the information they need can be obtained with social engineering skills. Attackers apply social engineering by phone, by email, and over the network.

– What are the types of social engineering?

A special site has been created to explain the basic principles and types of this attack. It is called SocialEngineer.org. It offers a very useful framework for the theoretical study of social engineering principles, supplemented by many real-world examples.

But right now, let’s get acquainted with the main methods that help criminals to obtain the confidential information they need.

Learn the essential security measures that you should follow on the internet to prevent social engineering.

Social engineering tactics

As we have already mentioned, the principles used for fraudulent schemes on the internet are similar to those used in real life. Still, since the internet is a huge information distribution machine, a single phishing message can be sent to millions of recipients in the shortest possible time. Under such conditions, this type of attack becomes a lottery the attacker cannot lose: even if only a small fraction of the potential victims fall for the bait, it still means a huge profit for the organization or person behind the attack.

  • Tactic 1. The ten handshake theory 

The main goal of an attacker who uses the phone for social engineering is to convince their victim of one of two things: 

  • The caller is an employee of the victim’s own company;
  • The caller is a representative of an authorized body (for example, a law enforcement officer or an auditor).

Suppose the criminal sets themselves the task of collecting data about a certain employee. In that case, they can first contact that employee’s colleagues, trying in every possible way to extract the data they need.

Security experts say that there can be as few as ten “handshakes” between a cybercriminal and their victim. Experts believe that a little paranoia is always necessary these days, since you cannot know what any particular person contacting you really wants.

Attackers usually go to the secretary (or a person holding a similar position) to collect information about people higher in the hierarchy. Experts note that a friendly tone helps scammers in many ways. Slowly but surely, the criminals find the key to you, and soon you are sharing information that you would never otherwise have divulged.

  • Tactic 2. Learning the corporate language 

As you know, each industry has its own specific terminology. An attacker trying to get the necessary information must study the features of that language to apply social engineering techniques more skillfully.

Everything hinges on studying the corporate language, its terms, and its features. If the cybercriminal speaks a language that sounds familiar and natural to you, they will gain trust more easily and will be able to get the information they need quickly.

  • Tactic 3. Borrowing the company’s hold music

To carry out a successful attack, scammers need three components:

  • time
  • perseverance
  • patience 

Cyberattacks using social engineering are often carried out slowly and methodically: not only is data about the right people collected, but also so-called “social signals”. This is done to gain trust and wrap the target around the attacker’s finger. For example, attackers can convince the person they are talking to that they are colleagues.

One such trick is recording the hold music a company plays while a caller waits for a response. The criminal first calls the company and waits for that music, records it, and then uses it to their advantage.

So, during a direct conversation with the victim, the attacker at some point says: “Wait a minute, there’s a call on the other line.” The victim then hears the familiar music and no longer doubts that the caller represents that company. This is just a clever psychological trick.

  • Tactic 4. Phone number spoofing 

Criminals often use caller ID spoofing to fake the number shown to the person they call. For example, an attacker can sit in their apartment and call a person of interest, but the caller ID will display a number belonging to a company, creating the illusion that the fraudster is calling from a corporate line.

Of course, unsuspecting employees will in most cases hand over confidential information, including passwords, to the caller if the caller ID belongs to their company. This approach also helps criminals avoid being tracked, since if you call the number back, you are connected to the company’s internal line rather than to the attacker.

  • Tactic 5. Using the news against you 

Whatever the current news headlines are, attackers use them as bait for spam, phishing, and other fraudulent activities. It is no coincidence that experts have recently noted an increase in the number of spam emails relating to presidential campaigns and economic crises.

One example is a phishing attack on a bank’s customers. The email goes something like this:

“Another bank [bank name] is acquiring your bank [bank name]. Click on this link to make sure that your bank information is up to date before the transaction closes.”

If you want to know more about phishing attacks, you can read the specific article on the topic here.

Naturally, this is an attempt to get information that fraudsters can use to log into your account, steal your money, or sell your information to a third party.

  • Tactic 6. Using trust in social media

It’s no secret that Facebook, Myspace, and LinkedIn are extremely popular social networks. According to a study by experts, people tend to trust such platforms. A recent phishing incident targeting LinkedIn users supports this theory.

Many users will therefore trust an email if it claims to come from Facebook. A common technique is to claim that the social network is carrying out maintenance and that you need to “click here” to update your information.

That is why experts recommend that employees of enterprises enter web addresses manually to avoid phishing links. It is also worth keeping in mind that sites very rarely send users a request to change their password or update their account.

  • Tactic 7. Typosquatting

This malicious technique is notable for exploiting the human factor, namely errors made when entering a URL in the address bar. A user who mistypes just one letter can land on a site hackers created specifically for that purpose.

Cybercriminals carefully prepare the ground for typosquatting; their site will look identical to the legitimate one you originally wanted to visit. So, if you make a mistake in writing the web address, you end up on a copy of a legitimate site whose purpose is to sell you something, steal your data, or distribute malware.
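One defensive check that follows from this tactic, as an added example that is not part of the original article: flag a visited or typed host name that is one typo away from a domain on a defender’s own allowlist. The allowlist and the sample hosts are constructed for illustration; the check covers the one-letter mistakes the text describes (a dropped, added or wrong letter) and also the adjacent-letter swap that a plain edit distance would score as two changes.

```python
"""Flag host names that are one typo away from a known legitimate domain.

Added example for this article, not the article's own code. LEGIT_DOMAINS is a
constructed sample allowlist a defender would maintain for their own brands.
"""
from typing import Optional

LEGIT_DOMAINS = {"example.com", "example-bank.com"}  # constructed sample allowlist


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def swapped_adjacent(a: str, b: str) -> bool:
    """True when a and b differ only by one swap of two neighbouring characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' (what the user actually types)."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def typosquat_match(host: str, legit=LEGIT_DOMAINS, max_distance: int = 1) -> Optional[str]:
    """Return the legitimate domain that `host` most likely imitates, or None.

    A host that is itself on the allowlist is never flagged. Otherwise it is
    flagged when it is within `max_distance` edits of a legitimate domain or is
    an adjacent-letter swap of one (scored as a single typo).
    """
    name = normalize_host(host)
    if name in legit:
        return None
    best_domain, best_score = None, max_distance + 1
    for good in legit:
        score = 1 if swapped_adjacent(name, good) else edit_distance(name, good)
        if score < best_score:
            best_domain, best_score = good, score
    return best_domain if best_score <= max_distance else None
```

Such a check belongs in a proxy or DNS log review, where a hit means a user typed a near-miss of a brand domain and the destination deserves a closer look.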

  • Tactic 8. Using FUD to influence the securities market 

FUD is a psychological manipulation tactic used in marketing and propaganda in general. It consists of presenting information about something (in particular, a product or organization) in a way that sows uncertainty and doubt in the audience about its qualities and thus causes fear of it.

According to the latest Avert research, the security and vulnerability of products, and even of entire companies, can affect the stock market. For example, the researchers studied the impact of Microsoft Patch Tuesdays on the company’s stock and found a noticeable fluctuation each month after information about vulnerabilities is published.

You can also recall how attackers in 2008 spread false information about Steve Jobs’s health, which led to a sharp drop in Apple shares. This is the most typical example of using FUD for malicious purposes.

In addition, it is worth noting the use of e-mail for “pump-and-dump” schemes (manipulating a share price on the stock market or a coin’s price on the cryptocurrency market, followed by a collapse). In this case, the attackers send out emails describing the amazing potential of shares that they bought in advance. Many recipients then rush to buy these shares as soon as possible, and the price rises.

Only use a private and reliable email tool.

Conclusion

Cybercriminals are often extremely creative in their use of social engineering. Having familiarized ourselves with their methods, we can conclude that a variety of psychological tricks help attackers achieve their goals.

Based on this, you should pay attention to every little thing that could unwittingly give information away to a fraudster, and check and recheck the identity of anyone contacting you, especially if confidential information is being discussed.
