Phishing is when an attacker tricks victims into revealing sensitive information, such as login credentials or financial details, by sending fraudulent emails that claim to come from a reputable and trusted source, such as a bank or online retailer. A well-known relative is the ‘Nigerian prince’ advance-fee email, one of the longest-running Internet frauds.
Background
History of Social Engineering
The term ‘Social Engineering’ predates computing. It was already in use by the end of the nineteenth century for deliberate efforts to shape people’s attitudes and behaviour, and was later borrowed by the information security community for the manipulation of people as a way around technical controls.
However, the practice existed long before the term. Throughout history there have been many examples of people using manipulation and deception to achieve their goals, such as the infamous Trojan Horse.
But the earliest example of this kind of manipulation may have existed
since the beginning of the human race, or, at least, in the earliest
account of its beginning – the Bible. In the book of Genesis, Chapter
3, Adam and Eve are tempted by the serpent to eat from the forbidden
tree of knowledge. The serpent uses deception and persuasion to
convince Eve to eat the fruit, which leads to her and Adam being
expelled from Eden.
During World War II, the Nazi party used Social Engineering to win support for its regime: propaganda delivered through a controlled media spread its message to the masses, backed by intimidation and violence.
In more recent years, social engineering has been used by criminals to
gain access to people’s personal information and has become even more
advanced over time.

“Very fundamentally, Social Engineering is people conning or manipulating each other and I think that’s been going on since the beginning of time so it is incredibly common. Within the landscape of information technology, I think now it’s even more common because a lot of social engineers are using their skills to learn information about companies to facilitate a more layered attack.”
$130,000: the average cost of a Social Engineering attack to a company through money theft or data destruction.
$10.5 trillion: the projected annual cost of cybercrime worldwide by 2025.
Variations
Types of social engineering attacks
There are many different types of Social Engineering attacks, but they all share one common goal: to exploit human weaknesses in order to gain access to sensitive information or systems.
Social engineering attacks can be divided into two broad categories:
- Information-gathering attacks: the attacker tricks the target into revealing information, which is then used for further intrusion or identity theft.
- Action-inducing attacks: the attacker tricks the target into taking some action that benefits the attacker, such as clicking a malicious link or opening an attachment. Such attacks succeed because they exploit natural human tendencies, such as trust, curiosity, and the desire to help others.
Overview
Most common types of Social Engineering attacks
Social Engineering is the act of manipulating people in order to obtain information or perform certain actions. It is a type of deception that uses human psychology to trick individuals into revealing confidential information or carrying out desired tasks. However, experts argue that Social Engineering, as a concept, does not necessarily have to have a negative impact.


The number of Social Engineering attacks that target the average organization each year.
Source: Barracuda

Vishing, short for voice phishing, targets victims over the telephone; a common example is a call from someone claiming to be from the IRS. Smishing, short for SMS phishing, does the same through text messages.
Baiting uses something enticing, such as gift cards or free songs, to lure the victim.
Impersonation: the attacker typically poses as someone in a position of authority, such as the police or a senior person in the company the victim works for.
Tailgating, also known as “piggybacking,” is when the attacker enters a secured area by following someone who has legitimate access.
Quid pro quo is a tactic in which the attacker offers a service in exchange for information.
Additional statistics
- 78% of phishing attacks occur on weekdays
- Mondays and Tuesdays are the top days for phishing
- Monday and Thursday are the top days for Facebook phishing
- Thursday and Friday are the top days for Microsoft phishing
- Chase, PayPal, and Wells Fargo join the list of the most impersonated financial services brands
- Facebook is the number one most impersonated brand in phishing attacks, followed by Microsoft
- Facebook also ranked #1 on the Phishers’ Favorites list. Other social media brands on the list include WhatsApp (#4) and LinkedIn (#17)
Prevention & protection
How to avoid becoming a victim of Social Engineering
Don’t click shady links
Links in unsolicited messages often lead to credential-harvesting sites or to pages that push malware onto your device. Check where a link actually points (hover over it, or inspect the href) before clicking, and be wary when the visible text names a different site than the destination. Cybersecurity expert Denis says that if something doesn’t sound right we should ask more questions: “It’s ok to challenge someone to present and verify they are who they say they are.”
Never give out personal information in response to an unsolicited request
Legitimate banks, government agencies, and other organizations state that they will not ask for passwords, full card numbers, or one-time codes over a call, SMS, or email. If someone does, refuse, and contact the organization through a phone number or website you already know.
Secure all your devices using a VPN
A VPN encrypts your traffic in transit, which protects it on untrusted networks such as public Wi-Fi. It does not stop a Social Engineering attack by itself: a phishing page reached over a VPN still receives whatever you type into it, so treat the VPN as one layer alongside the habits above and multi-factor authentication on your accounts.
Train employees
One of the best ways to prevent Social Engineering attacks at organizations is to educate employees about the threat. Employees should be trained to recognize the signs of an attack, such as unexpected requests for personal information, credentials, or payments, especially when the request presses for urgency or secrecy.
Introduce anti-cyber crime policies at work
Organizations should also have policies and procedures in place to protect against Social Engineering attacks. Access to sensitive data should follow least privilege, and attempts to access restricted data should be logged and monitored, so that an account whose owner has been successfully manipulated still has limited reach.
According to Denis,
“It’s important to have email filtering and really have those systems set up and configure it in a way that blocks the majority if not all. Suspect fishy emails and things that could look malicious. It’s an incredible power to have those tools in place.”
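The two checks above, inspecting where a link really points and letting a mail filter’s authentication results drive the decision, can be run over a raw message with a short script. The following is an added example written for this page; it is not code from the original article or from Denis. The sample message, the brand allow-list, every domain and IP in it are constructed for the example, and the registrable-domain helper is a deliberate simplification that a real deployment would replace with the public suffix list.

```python
import ipaddress
import json
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brands the organisation expects mail from, with the
# domains allowed to use each brand name. A real deployment maintains its own.
TRUSTED_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com", "office.com"}}
# Authentication-Results verdicts that mean the check did not pass.
FAIL_VERDICTS = {"fail", "softfail"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Simplification: production code should
    use the public suffix list (co.uk and friends need three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination host is a raw IP address")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode (IDN) host, possibly a look-alike domain")
    # Display text that is itself a URL but names a different site than the href.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
    # Brand name used by, or linked from, a host not on that brand's allow-list.
    for brand, domains in TRUSTED_DOMAINS.items():
        if (brand in host or brand in text.lower()) and registrable_domain(host) not in domains:
            reasons.append(f"mentions {brand} but {host} is not a {brand} domain")
    return reasons


def parse_authentication_results(msg):
    """Map spf/dkim/dmarc to the verdicts recorded by the receiving mail filter."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage(raw_message):
    """Run both checks over a raw RFC 5322 message (bytes) and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    auth = parse_authentication_results(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = _LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    suspicious = {href: check_link(href, text) for href, text in extractor.links}
    return {
        "auth": auth,
        "auth_failed": any(v in FAIL_VERDICTS for v in auth.values()),
        "suspicious_links": {h: r for h, r in suspicious.items() if r},
    }


# Constructed sample: a PayPal-themed lure whose link text and destination disagree,
# received with failed SPF and DMARC. Hosts use reserved example/documentation ranges.
SAMPLE = b"""From: "PayPal Service" <service@paypa1-secure.example>
To: victim@example.org
Subject: Unusual sign-in activity
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1-secure.example; dkim=none; dmarc=fail header.from=paypa1-secure.example
Content-Type: text/html; charset=utf-8

<html><body><p>Confirm your account now:
<a href="http://203.0.113.7/login">https://www.paypal.com/signin</a></p>
<p>Need help? <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample, the first link is flagged three times (raw IP destination, display text naming paypal.com while the href goes elsewhere, and a brand name on a non-PayPal host) while the genuine help link passes; the Authentication-Results header reports spf=fail and dmarc=fail, which is the signal a filter would use to quarantine the message before anyone has to judge the link by eye.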
Timeline of major Social Engineering cyber attacks
Some of the most well-known social engineering attacks include:
2013, 2016, 2016, 2017, 2019, 2020, 2021, 2022