In cybersecurity, social engineering is the manipulation of a person by a hacker to convince them to hand over personal information. That information can be added to the portfolio of data the hacker has already collected on the target, or it can be used on the fly by the bad actor, e.g., to clear out your savings account.
Psychological manipulation to obtain sensitive data is nothing new; it is a common phenomenon and, shockingly, a high percentage of us fall victim to it regularly.
Brian Brushwood, a host, author, and touring entertainer, told us about a very interesting study done on people who came to use a copier machine. There was a line for copying papers. Someone joined the back of the line and told everyone that she had only 5 pages to copy and needed to do them quickly because she was in a hurry. Surprisingly, 94% of the people agreed to let her copy next, since it was the humane thing to do. Not only that, she asked nicely and used the word “because”. Her request elicited sympathy and caused people to sacrifice a little for her. Even someone who was going to copy only 6 pages let her go first (Google search ‘Brian Brushwood social engineering’).
What was the point of the story? It is that if you can tell your story convincingly, most of the time it will go over very well. This is exactly what happens in social engineering. It is a matter of the words used, the personality of the targeted person, and how the conversation is presented. Cyber social engineering, or extracting confidential information, can be done in four ways: blagging, also known as pretexting; phishing; pharming; and shouldering (or shoulder surfing). Let’s see what each of these terms means and how attacks revolve around these methods.
Blagging plays a big role in social engineering. A fake scenario is created so the victim engages with the hacker or scammer for a certain period. The goal is to extract as much personal information as possible from the victim in order to gain access to their credentials or financial accounts.
For example, a scammer calls using a fake identity, claiming to be from the bank you use. They ask for your birthdate, social security number, the PINs associated with your services, your security questions, and even the credentials of the person who can act as a handler of your finances in your absence. Most people will not give a second thought to providing this information because they believe they are speaking to someone who represents their bank. During or after the call, the scammer changes the passwords or PINs, which locks the original owner out of the account. The con artist then transfers funds to another account. Once the transfer is done, it is too late to get the funds back (unless your bank decides to be generous).
Phishing & Pharming
Both are used to gather information and then launch an attack.
Phishing is pronounced just like the word ‘fishing’, and if you rotate the letter “f” 180°, it looks like the hook used to catch fish. People who line fish use the right bait and are patient; scammers use the same strategy when phishing for humans. The purpose of a phishing attack is to lure you, via email or SMS text (smishing), into clicking on a link. This method is so common that you may have a few of these emails sitting in your spam folder right now.
Spear phishing is used to target a single user. The situation may be that a hacker wants to access someone’s LinkedIn or Facebook profile. The sham artist sends a specific, instructive email to that particular person, baiting them with appealing links. If the potential victim takes the bait, they could soon find themselves locked out of their social media accounts.
Pharming is carried out on a larger scale than phishing. The objective here is to direct all users of a particular website to a fake web address, so that they input confidential information, such as login details, into the fake page. The information entered by the user is then in the possession of the hackers.
Pharming is carried out using an advanced hacking technique called Domain Name Server (DNS) poisoning, which I will not be delving into in this article.
Basically, DNS is the procedure in place on the world wide web that translates between the unfriendly Internet Protocol (IP) address and the friendly Uniform Resource Locator (URL), or web address, that we all know and love. When the DNS mapping between IP and URL is not working properly (poisoned), we are directed to the wrong web address, one set up by the hacker to mislead us into thinking it is the genuine website.
- The hacker crafts emails that can evade spam filters.
- They create emails with mass appeal, usually promising something for nothing or a get-rich-quick scheme.
- They then send the same email to a huge number of people. The goal is to reach as many eyes as possible.
- They attack the individuals who click on the email links.
- For pharming, they build a fake website. The dummy site may look like that of a legitimate company that most people are familiar with, and it is designed to capture as much information as possible.
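As an added defensive example that is not part of the original article, the following Python checks a constructed phishing-style email for the link tricks described above: an href pointing outside a hypothetical allow-list of trusted domains, and visible link text that names a different domain than the href really targets. The sample message, the allow-list and every domain in it are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible link text names the real bank, the href does not.
SAMPLE_EMAIL_HTML = """
<p>Your account is locked. Visit <a href="http://secure-login.examp1e-bank.com/reset">
https://www.example-bank.com/reset</a> within 24 hours.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""
TRUSTED_DOMAINS = {"example-bank.com"}  # hypothetical allow-list for this demo

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url_or_host):
    """Last two DNS labels of the host (a real tool would consult the Public Suffix List)."""
    url = url_or_host if "://" in url_or_host else "http://" + url_or_host  # bare 'www.host/path'
    host = (urlparse(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def suspicious_links(html):
    """Return [(href, reasons)] for links outside the allow-list or with misleading visible text."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_dom, reasons = registrable_domain(href), []
        if href_dom not in TRUSTED_DOMAINS:
            reasons.append("link goes to untrusted domain " + href_dom)
        if re.match(r"^(https?://|www\.)", text):  # visible text itself looks like a URL
            text_dom = registrable_domain(text)
            if text_dom != href_dom:
                reasons.append("text shows %s but href is %s" % (text_dom, href_dom))
        if reasons:
            flagged.append((href, reasons))
    return flagged
```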
Shouldering, or shoulder surfing, is a form of data theft carried out by peeking at a user’s screen or keypad over their shoulder or from a distance. It is an easy way to get hacked or lose important information. Typical shoulder surfing happens when the victim is entering a PIN at an ATM, typing a password on a computer or phone, or giving someone very personal information or company data. A third party can also watch from a distance through binoculars or gather data from CCTV footage.
Someone who can obtain your PIN from a distance can also get further information, such as your birthdate or address, from another source. These kinds of leaked data are readily available for sale on the dark web. We have less privacy nowadays; the credit goes to digitalisation.
It is easy to become a victim unintentionally: it can happen in airports and on public transport such as a bus, via hallway-facing monitors, or through screen reflections, so be careful when conducting private business in a public place.