Skip to main content
Fishing

Social Engineering – Scamming on the edge

Social engineering is the fastest growing concern in cybersecurity. The human factor, or rather the human error involved in cyber security intrusions, is entirely disproportionate to cyber security services currently available.

Whilst teams work on hundreds of technical solutions to upgrade cyber security such as: buying up applications, encryptions, antiviruses and firewalls, the real problem was staring us in the face from day one – our employees.

This is where social engineering and pretexting both enter the picture.

Social engineering

Social engineering is the ability to trick or coax people into giving over confidential information. The information that criminals are looking for obviously varies from passwords, to names of employees, to your social security number, or bank details. They are looking to gain access to and take control over your digital data by using computers.

Hackers started use social engineering tactics in lieu of malware and viruses because it is inherently easier to exploit people than it is to hack into a network. It really doesn’t matter how many safeguards the IT department put up, if the user trusts the hacker, the gateway to the network data is open. 

Pretexting 

Is simply presenting oneself as someone else to obtain private data. It’s one of the basic tenets of social engineering. This could be a simple email or could be an entire identity. Pretexting may be an impersonation of someone in an important company role, and a hacker using social engineering techniques is likely to develop a range of different pretexts. Most of these pretexts would be based on information gathered from social media and marketing materials.

Pretexters attempt to build trust through either providing information about themselves or others that is hard to dispute, to disarm their victims and gain privileges to private systems.

Emails from known friends

A lot of people have received strange emails from their friends, with links or downloads, which hopefully they didn’t open, as they were most likely to contain malware.

These emails actually come from the friends addresses, which have been hacked and stripped of their data by cyber criminals. They then send out malicious emails to the contact lists - and the same exact scenario is mirrored in social media.

Investigating social media accounts gives attackers a more believable persona and helps them create more convincing messages. Apart from snooping to find out your details, they can create fake social media profiles and collect information in order to pretext you and others.

 

Emails from trusted sources

Most phishing attacks are an attempt to impersonate a reasonable scenario for handing, such as bank details. According to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting are accountable for 93% of successful data breaches.

Spear-Phishing

Spear-phishing messages are email messages that target a specific person. These targeted victims are often exploited by blending information gleaned from social media accounts and then sent to an email address. With the wealth of information that can be gained from Facebook, Twitter and LinkedIn, attackers are given a real advantage in developing pretexts for attacks.

Whether they are saying you won the lottery or posing as a boss, it’s likely that pretext techniques were involved at one stage.

Baiting

These types of honeypot schemes are usually discovered on Peer-peer sites (torrent sites) but have recently been moving across to social media and other platforms. 

The deals or offers are usually too good to be true and highly current offers, and those who take the bait are likely to be infected with malware.

Bottom Line

Social media is a good place for cyber criminals to cast a wide net whether it be through scanning for information or through creating a completely fake identity to catch victims. It is undeniably the major starting point for most social engineering scams. Should corporations crack down on the information employees post on social media? Should the use of social media be against company policy in general? What other solutions are there? Engage with us and offer your opinion!