Social Engineering Techniques

Technology can only help in a limited way against human hacking; being aware and vigilant is your best defence against the methods described below.

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an email. It typically involves spoofing emails and/or directing users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Spear phishing

Spear phishing builds upon phishing but is targeted against a specific individual, organisation or business. Emails will often contain specific details, or appear to originate from individuals or organisations that the target recognises, to enhance their authenticity. Spear phishing attempts are not typically the work of random hackers but are conducted for financial gain or espionage.

Whaling

The victim is sent a fake email containing an attachment or an embedded link which they are persuaded to open. This in turn deploys malware or directs the victim to a bogus website. The more plausible the email, the more likely the victim is to open the attachment or link.

Baiting

The victim is telephoned by an individual posing as a figure of authority to persuade the victim to perform a task. Common scams involve criminals masquerading as an employee of the victim’s Internet service provider or Microsoft to warn the victim of a fictitious problem on their computer. The victim can be persuaded to: carry out alterations to their computer to weaken its defences; navigate to a website that allows remote access; navigate to a website to download malware (on the pretext of fixing a supposed problem or downloading protection from viruses); or hand over personal or credit card details.

Social networking

Social networking provides a number of opportunities for social engineering. Some social media users have been targeted with messages pretending to be from a friend who is stranded abroad and needs emergency funds, while others have been contacted by convincing spoof accounts which tell a tale of hardship. Both divert the victim to criminal web pages requesting personal information. Criminals also mine social media to discover a victim’s interests, and then use that knowledge to craft targeted messages or tweets containing embedded links to malware. Likewise, targeted emails or tweets offering a way to gain more followers often divert victims to websites that download malware.