The internet has made it very easy to communicate and to find information online, but every good thing has its side effects. One side effect of this connected world is the social engineering attack.
What is a Social Engineering Attack?
A social engineering attack is one in which the attacker manipulates people into handing over confidential information, rather than breaking into a system directly. Many people are fooled this way, giving up critical information, installing malicious software, or sending money to the attacker.
There are different types of social engineering attacks. The most common ones are as follows.
- Phishing
In phishing, the attacker sends emails or text messages in which they pretend to be someone the victim knows, such as an old friend, an office colleague or a newly joined boss. The message tricks the victim into opening a malicious link or installing malicious software, which can steal information from the device, lock the device and demand money to unlock it (ransomware), or give the attacker control of the device.
Once the attacker controls the device, they can make money transfers or purchases, or steal all of the victim's personal information.
Examples of phishing attacks:
- Email Phishing scam
Attackers send emails in bulk, tricking victims into clicking a link and entering personal information. For example, an email may claim that your Gmail password has expired and that you must click the following link and fill in your details to change it.
Suppose the genuine host is “anyemail.gmail.com”. The attacker registers a lookalike domain and sends the email from an address on it, which the victim mistakes for the real one, for example:
“anyemail.gmaiil.com” or “anyemail.gmaill.com”.
The user overlooks the misspelling, assumes the message comes from the real domain, and ends up entering personal information or downloading malicious software. A practical check: read the domain name letter by letter, and hover over a link to see where it actually points before clicking.
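The lookalike-domain trick above can be checked mechanically. The following Python is an added example, not code from the original article: it flags sender domains that are within a couple of character edits of a trusted domain (so “gmaiil.com” and “gmaill.com” are caught against “gmail.com”) and compares the host a link displays with the host its href really points to. The trusted-domain list, the sample sender addresses and the two-edit threshold are assumptions constructed for the example; the "last two labels" rule for the registrable domain is a simplification that does not handle suffixes such as co.uk.

```python
"""Flag lookalike sender domains and links whose real target differs from the text shown."""
import re
from urllib.parse import urlparse

# Constructed for this example: the domains this recipient actually trusts.
TRUSTED_DOMAINS = {"gmail.com", "google.com"}

# Constructed sample senders: one genuine, two lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "security@gmail.com",
    "no-reply@gmaiil.com",
    "it-helpdesk@gmaill.com",
    "friend@example.org",
]

# Matches bare domains such as "www.gmail.com" or "www.gmail.com/security" in link text.
_DOMAIN_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:].*)?$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'anyemail.gmaiil.com' -> 'gmaiil.com'.
    Simplification (assumption): multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' if the domain is one we know, 'lookalike' if it is within max_distance
    edits of one (gmaiil.com, gmaill.com), otherwise 'unknown'."""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "unknown"


def flag_senders(addresses, trusted=TRUSTED_DOMAINS):
    """Return (address, verdict) for every sender that is not on a trusted domain."""
    flagged = []
    for addr in addresses:
        verdict = classify_domain(addr.rsplit("@", 1)[-1], trusted)
        if verdict != "trusted":
            flagged.append((addr, verdict))
    return flagged


def _host_from_text(text: str) -> str:
    """Host named by the visible link text, or '' if the text is not a URL or domain."""
    text = text.strip().lower()
    if "://" in text:
        return urlparse(text).hostname or ""
    m = _DOMAIN_RE.match(text)
    return m.group(1) if m else ""


def check_link(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Compare where a link says it goes (its visible text) with where it really goes (href)."""
    real_host = urlparse(href).hostname or ""
    shown_host = _host_from_text(display_text)
    mismatch = bool(shown_host) and registrable_domain(shown_host) != registrable_domain(real_host)
    return {"real_host": real_host, "verdict": classify_domain(real_host, trusted), "mismatch": mismatch}


if __name__ == "__main__":
    for addr, verdict in flag_senders(SAMPLE_SENDERS):
        print(f"{verdict:9} {addr}")
    print(check_link("https://mail.google.com/", "http://anyemail.gmaiil.com/reset"))
```

The edit-distance threshold is deliberately small: a threshold of 2 catches doubled or dropped letters without flagging every short domain on the internet. A link whose text shows one host and whose href leads to another ("mismatch") is worth treating as phishing even when the real host is not a known lookalike.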
- Spear Phishing
In this type of attack the attacker pretends to be a specific person the victim knows, such as a manager or a client, and emails the victim asking for information. Attackers first research the victim on social networking sites such as Facebook, Twitter or Instagram, then use those details to make the email convincing.
Another example: if the attacker learns that the victim or a family member is a student at a particular school or university, they can send an email saying that today is the last day to pay school or university fees, that late charges will apply if payment is not made on time, and that the victim should click the following link to pay online. A victim who falls for this ends up paying money to the attacker.
- Baiting
In this type of attack the attacker promises the victim a reward. The bait can arrive by email, by text message or as a popup link on a webpage, enticing the victim to click the link to claim the prize; the result is downloading malicious software or giving personal information to the attacker.
- Scareware
Here the attacker frightens the victim into believing that their system is infected or hacked, then tricks them into installing malicious software. For example, the attacker shows a popup message on a webpage saying “Your system is corrupted by the malware click here to scan the system”. If the victim clicks the link, malicious software is downloaded.
Another example is an email claiming that your password has been hacked and asking you to click a link to update or secure your email account.
- Pretexting
In this type of attack the attacker invents a plausible story (the pretext) and poses as a known person, asking for personal information over the phone or by email so that the victim trusts them and hands over sensitive data. For example, they may pose as a client or the victim's manager who has forgotten their password or lost their office system and needs login details so they can work from a personal system on something urgent.
- Vishing
In this type of attack the attacker calls the victim by phone and convinces them that they must act quickly to protect themselves from some risk.
For example, they may call claiming to be from your bank and needing to do some extra verification, or saying that your credit card password has expired and urgent action is needed. If the victim gives up personal or sensitive information in this situation, the attacker can take money from the account.
Always be cautious about such phone calls or emails. Instead of giving information over the phone or by email, call the bank back on the number printed on your card or visit a branch in person to verify the request.
- Watering hole
This is a more advanced social engineering attack in which the attacker compromises a website in order to attack its visitors. Attackers take advantage of the trust users place in a site they visit regularly, for example a chat forum or a social media site. Users of such sites are less careful, assuming the site is safe, and click on malicious links. The compromised site is called a watering hole because, like a predator at a water source, the attacker lays a trap where victims are known to gather and waits for them to arrive.
How can we stay protected from Social Engineering Attacks?
- Always be aware of which sites you visit and to whom you give information.
- If you get an email from a suspicious sender, do not open its attachments or click any link in it. Report the email as phishing or spam and delete it.
- If anyone requests personal information by phone or email, avoid giving any sensitive information; if the matter is urgent, visit the office in person or call back on a number you already know to be genuine.
- Set your spam filter to a high level; every email service has spam filter settings that can be raised. Keep checking the spam folder in case a legitimate email is accidentally moved there.
- Keep your device secure and do not install unauthorized software. Check the reviews of any software, and its terms and conditions, before installing it.
- Stay alert when visiting any website, since it may contain malicious links.