Social Engineering
Attack Techniques & Prevention
Social engineering attacks include phishing, CEO fraud, ransomware, spear phishing, and more. Learn about different attack methods and how you can manage this ongoing problem.
               Hacker Combat LLC
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
Though social engineering is rather non-technical, it's one of the major threats that organizations face today. Using social engineering tactics, hackers manage to break into the networks of large companies and organizations and get away with loads of confidential data, both sensitive personal data and corporate data.
It should be remembered that cybercriminals who carry out social engineering attacks exploit either the weaknesses of users or their natural helpfulness. These hackers come up with messages that appeal for help but are actually designed to infect the user's system or device with malware and steal data.
Social engineering thrives by exploiting fear, greed, helpfulness, curiosity etc., which can lead users to open emails, click on links, download attachments and so on. This can eventually lead to malware infection, theft of data and similar consequences.
Different Kinds Of Social Engineering Attacks:
Phishing:
Phishing, as we know, is one of the most popular kinds of cyberattack. A hacker communicates with a user, pretending to be or disguised as a legitimate, trusted person, and tricks the user into opening malicious emails, clicking on malicious links etc. The most popular mode adopted is email. Email phishing scams involve sending emails that seem to come from legitimate sources: banks, insurance firms, clients, government agencies etc. Once the user opens such an email, he is tricked into clicking on a link or downloading an attachment. He is told that it's important to do so in order to pay a fine, make a renewal, re-confirm his address etc. The user may even be asked to fill in a form with personal details. The unsuspecting user follows the instructions, and this ultimately leads to a data breach or malware installation on his system or device.
Phishing attacks are also carried out via phone calls, instant messengers, social media etc. The call or message urges the user to make a donation to a charity or to help someone affected by a natural disaster, but the real intentions are malicious.
Spear Phishing:
Spear phishing is a more targeted kind of phishing attack in which a hacker uses personal information pertaining to a user to gain trust and make things look legitimate. Thus a hacker, using information gathered from the victim's social media accounts or other online activities, sends an email that the victim takes for a legitimate one. This is why spear phishing attacks are more successful than general phishing attacks.
Baiting:
The name says it all! Hackers may leave, as a kind of bait, a CD or a USB flash drive in a place where someone will easily find it. Curiosity leads the person who finds it to try opening it and, unknown to that person, malware is installed on the system.
Pretexting:
A hacker fabricates false circumstances, pretends to be in need of some information and thus makes a user provide access to critical, protected systems or divulge sensitive data.
An example of such an attack is a hacker pretending to be someone from a company's IT department and asking the victim (an employee of the company) to grant computer access or give out login credentials.
Tailgating:
An unauthorized person following an authorized user into an otherwise secure area: that's what tailgating (or piggybacking) is.
Thus, a person impersonating a delivery guy can get an employee who is entering the building to hold the door for him. Then, after entering the premises, he can go to the data room or gain access to some system and thus gain access to the network.
Tailgating can also be mixed with baiting: a person who tailgates can leave a USB drive or CD that is later used for a social engineering attack.
Quid pro quo:
Quid pro quo attacks involve hackers asking for sensitive information in exchange for a benefit. It could be a gift, the promise of some service etc.
For example, a hacker can obtain login credentials in exchange for a gift and then use that data to gain access to a whole network.
How To Prevent Social Engineering Attacks
Since social engineering attacks are on the rise, it's important that organizations adopt measures to counter them. Some basic things that can be done to prevent social engineering attacks include:
    Educating employees about the common types of social engineering attacks, prevention strategies etc.
    Training employees in adopting prevention strategies.
    Ensuring that emails from untrusted sources are not opened.
    If emails that seem to come from known sources contain any content that raises suspicion (such as asking for personal data), it's always best to contact the sender directly and verify.
    Ensuring that no user gives in to temptation or divulges details after yielding to curiosity, greed etc.
    Ensuring that computers and laptops are locked when someone steps away.
    Using antivirus/antimalware software, data monitoring tools, email filters etc. and ensuring proper firewall protection.
    Having a clear idea of the company's security policy, as it helps prevent things like tailgating, baiting etc.
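The email-filter advice above can be partly automated. The following triage script is an added example, not code from Hacker Combat LLC or the original page; the sender allow-list, the pressure-word list and both sample messages are constructed assumptions. It flags the three traits of the phishing email described earlier: a sender outside trusted domains, urgency wording ("pay a fine", "account suspended"), and a link whose visible text shows a different domain than its real target.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (hypothetical addresses and domains).
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1e-bank-support.biz>
To: employee@example.com
Subject: URGENT: pay outstanding fine within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Pay your fine now:</p>
<a href="http://examp1e-bank-support.biz/login">https://www.example-bank.com/billing</a>
"""
SAMPLE_LEGIT = """From: "Payroll" <payroll@example.com>
To: employee@example.com
Subject: March timesheet reminder
Content-Type: text/plain

Please submit your March timesheet by Friday.
"""

# Assumption: the organisation's allow-list of sender domains and its pressure-word list.
TRUSTED_SENDER_DOMAINS = {"example-bank.com", "example.com"}
PRESSURE_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                  "fine", "renew", "re-confirm", "verify your")

def sender_domain(msg):
    """Domain of the real From address, ignoring the (easily forged) display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def link_mismatches(html):
    """(real_domain, shown_domain) pairs where the anchor text displays a URL on another host."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r'https?://([^/\s<]+)', text)
        if shown and shown.group(1).lower() != real:
            out.append((real, shown.group(1).lower()))
    return out

def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    dom = sender_domain(msg)
    if dom not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain not on allow-list: {dom}")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() in ("text/plain", "text/html"))
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure/urgency wording: " + ", ".join(hits))
    for real, shown in link_mismatches(body):
        findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Any non-empty result is a cue to apply the page's own advice: do not click, and confirm with the supposed sender through a known-good channel.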