CodeChangers STEM Blog post

Social Engineering

  • Sydney
  • February 02, 2020
  • News

We all think we are smarter than the average con artist. But are we really? Well, the statistic that “97% of people around the world are unable to identify a sophisticated phishing email [an email that lures people into providing private information]” suggests otherwise (Katz, 2018). Welcome to one of humankind’s simplest yet most manipulative fields, Social Engineering. This field “is any act that influences a person to make a decision that may or may not be in their best interests” (TedxTalks, 2018). Social Engineering is a type of hacking--but not with computers. Who said you need an expert computer program to glean sensitive information and turn a person’s life completely upside down? Instead, Social Engineering bypasses the technical side of the computer and goes for the user directly to steal information (Bisson, 2015). To dive deeper into what Social Engineering is, one must learn about its different types, such as Phishing, Vishing and Baiting, and how we can combat these malicious attacks.

Image by Robinraj Premchand from Pixabay

Phishing

You get an email from your bank saying that you need to immediately provide your bank account information or else your account will close! That’s cause for panic, right? But wait--pause for a second. Don’t you think your bank would contact you in a more urgent manner, such as a telephone call, to let you know that your account is closing? Wouldn’t they have given you more of a heads-up? If so, you might be getting “phished.” Phishing is probably the most famous type of Social Engineering: attacks delivered via email (TedxTalks, 2018). According to the article “5 Social Engineering Attacks to Watch Out For,” written by David Bisson, most phishing scams demonstrate the following characteristics:

  • “Seek to obtain personal information, such as names, addresses and social security numbers.
  • Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
  • Incorporates threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly” (2015).
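The three characteristics above translate directly into checks that a mail filter or a phishing-awareness training tool can run over a message. The Python below is an added example written for this post, not code from the post itself or from Bisson’s article. The shortener list, the urgency and personal-information phrase lists, the sender-domain comparison and the sample emails are all constructed for illustration; a real filter would draw these lists from maintained threat-intelligence feeds and would combine them with header and reputation checks.

```python
"""Flag the phishing characteristics described in the post:
personal-information requests, shortened or misleading links, and urgency language.
All lists and sample messages are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator lists (a production filter would maintain these from threat intel).
LINK_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will close",
                   "account will be closed", "suspended", "verify now", "act now")
PII_REQUESTS = ("social security number", "password", "account number",
                "date of birth", "pin")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case hostname of a URL, tolerating a missing scheme and a leading 'www.'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _phrase_hits(phrases, text):
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def phishing_indicators(sender, subject, body_html):
    """Return a list of human-readable indicators found in the message (empty = none found)."""
    indicators = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()

    # Characteristic 3: threats, fear and urgency.
    hits = _phrase_hits(URGENCY_PHRASES, text)
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # Characteristic 1: asks for personal information.
    hits = _phrase_hits(PII_REQUESTS, text)
    if hits:
        indicators.append("requests personal information: " + ", ".join(hits))

    # Characteristic 2: link shorteners, or links whose visible text hides the real target.
    parser = _LinkExtractor()
    parser.feed(body_html)
    sender_domain = sender.split("@")[-1].lower()
    for href, label in parser.links:
        host = _host(href)
        if host in LINK_SHORTENERS:
            indicators.append("link shortener: " + host)
        if re.match(r"^(https?://|www\.)", label.lower()) and _host(label) != host:
            indicators.append("link text '%s' actually points to %s" % (label, host))
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            indicators.append("link host %s does not match sender domain %s" % (host, sender_domain))
    return indicators


# Constructed sample: the "your account will close" email from the post, in HTML form.
SAMPLE_SENDER = "alerts@examp1e-bank-secure.com"
SAMPLE_SUBJECT = "Action required: your account will close"
SAMPLE_BODY = """<p>Dear customer,</p>
<p>We detected unusual activity. You must immediately confirm your account number
and social security number or your account will close within 24 hours.</p>
<p><a href="http://bit.ly/3xyzABC">https://www.examplebank.com/login</a></p>"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", line)
```

The visible-text check is the one most users never do by hand: the link reads as the bank’s login page but the `href` goes through a shortener, so the real destination is hidden until it is clicked. Hovering over a link before clicking reveals exactly the mismatch this code reports.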

Image by PublicDomainPictures from Pixabay

Vishing

Vishing has the same motivations as phishing. However, instead of coming through an email, this type of attack comes via the telephone (TedxTalks, 2018). These attackers go after sensitive information with a more “in-person” approach. By claiming to be from a legitimate source (e.g., your bank, tech support) and instilling a sense of urgency with claims of needing personal information on the spot, they can take advantage of people very quickly (Phishing, pharming, vishing, and smishing, n.d.; TedxTalks, 2018). Think you can smell a scam right away on your phone? Not so fast, tiger. Check out these examples of professionals demonstrating how Vishing can be as easy as 1, 2, 3:

Image by Miranda Bleijenberg from Pixabay

Baiting

This is where the attacker promises a reward or prize after you provide your private information. Put another way, “what distinguishes [baiting] from other types of Social Engineering is the promise of an item or good that hackers use to entice victims” (Bisson, 2015). One example given in the article “5 Social Engineering Attacks to Watch Out For” is the promise of an irresistible reward of free downloadable items (e.g., music, movies, games)--but there’s a catch. You just have to provide your private information or credentials (Bisson, 2015). No big deal. Another example of Baiting is also discussed in the article mentioned above. According to the written piece, an experiment was done by Steve Stasiukoni to see how people handled being subject to this type of attack (2015). Stasiukoni and his team planted different USB drives throughout an organization’s parking lot to see if people would pick them up. Unbeknownst to those who thought they had just scored a free USB drive, a trojan horse had been placed on each storage device. Those who plugged their “brand new” drive into their computer had just “activated a keylogger and gave Steve access” to their credentials (Bisson, 2015). The phrase rings true: “If it’s too good to be true, it probably is!”

What To Do

So, now, before you never leave your house again and bury your computer in your backyard, you should know that there is a way to combat Social Engineering. In fact, there are many ways to counter these types of attacks. Anti-virus software, educating others and locking up your electronic devices can help (Katz, 2018; Bisson, 2015). Another way to combat any scam is to understand that Social Engineering is all about manipulating the brain and shutting off any logical thinking (TedxTalks, 2018). Referring to research conducted by Dr. Daniel Goleman, Christopher Hadnagy, a professional Social Engineer, said that when being attacked, a person needs to get back to thinking critically and logically. To do this, a person must use the element of time to combat the malicious engineering of the attacker. Hadnagy continued, “So next time you feel emotional about an email, a text message, a phone call or a person you meet, just tell yourself, it’s okay to wait. A short pause can return your brain back to critical thinking…” (TedxTalks, 2018). So take heart. There are ways that we can combat Social Engineering--take a big breath and try to think before you click on that link. If we do that, we might be able to decrease the number of people who are fooled by the malicious attacks of social engineers.