4 Types of Social Engineering Used Every Day
Article by Calyptix Security. August 28th, 2017
Persuasion is part of life. We all try to persuade friends and loved ones to act in a certain way, usually with the best of intentions. Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. Technically, acts that influence people to behave within their own interests are also social engineering. However, the term is used almost exclusively within the context of fraud, scams, and cyber crime. Con artists are master social engineers. So are modern hackers who rely on spam and phishing — and they have a few new tricks up their sleeves.
Social Engineering Tactics
Below we describe some of the most common social engineering tactics used today in cyber crime. In the real world, cyber attacks do not fit into neat categories. Instead, each is unique, often combining multiple channels and tactics. While categorization is helpful to understand the nature of the beast, remember that many of these tactics will overlap in the wild.
Impersonation is one of the most common types of social engineering. It occurs when an attacker presents himself or his communication as originating from another party. Attackers routinely impersonate authority figures – such as police officers or CEOs – knowing many people are quick to follow orders from authority, as has been proven in psychological experiments. Many other roles are impersonated: lottery officials, wireless service reps, government officials, coworkers, family members – the list is nearly infinite.
Remote tech support scams
Phone scams are nearly as old as telephones. In a typical scam, the attacker calls the victim, poses as someone else, and uses a false pretense to con the victim into sending payment. In recent years, the tactics have been used for cyber crime. Tech support scams are a common example. The attacker calls posing as an employee from Apple, Dell, or Microsoft and claims the victim has a malware infection or other tech problem. Rather than conning the victim into sending payment, the attacker walks them through the steps to allow a connection to their computer through a remote desktop app. You can hear examples of these calls in this article from Wired. Once attackers are in, they do as they please, typically installing ransomware. Some attackers take a multi-pronged approach. Posing as the IRS, one group called victims and demanded either payment or computer access immediately.
Emergency email from the boss
Business email compromise (BEC) scams – which have accelerated in recent years – are an example of impersonation used to devastating effect. In a typical BEC scam, the attacker has intimate knowledge of the target business, including who is authorized to send wire transfers and how the transfers are initiated. The attacker targets this person, sending them an email purporting to be from their boss (either by compromising or spoofing the boss’ email). The email requests a large wire transfer to the attacker’s account. The email is crafted to mimic prior wire requests. It may also inject a sense of urgency, which is a common marketing technique, by adding “I need this handled ASAP.”
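As an added illustration (not part of the original article), the Python below triages an inbound message for the BEC traits described above: the boss's name on an outside address, replies routed elsewhere, urgency wording, and a payment request. The company domain, executive name, keyword lists, and all three sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumed values for illustration; replace with your organization's own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield"}  # display names of people who approve wires
URGENCY = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank account)\b", re.I)

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Dana Whitfield <dana.whitfield@examp1e-mail.test>\n"
    "Reply-To: dana.w@freemail.test\n"
    "Subject: Wire request\n\n"
    "Please send the wire transfer for the invoice. I need this handled ASAP.\n"
)
COMPROMISED = (  # sent from the boss's real, taken-over mailbox
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Subject: Vendor change\n\n"
    "Please wire $48,000 to the new vendor account today.\n"
)
BENIGN = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Subject: Lunch Thursday\n\n"
    "Are we still on for Thursday?\n"
)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return the sorted indicator names found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = set()
    # The boss's display name attached to an address outside the company.
    if name.strip().lower() in EXECUTIVES and domain_of(from_addr) != ORG_DOMAIN:
        hits.add("exec_name_external_sender")
    # Replies would go to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        hits.add("reply_to_domain_mismatch")
    if URGENCY.search(text):
        hits.add("urgency_language")
    if PAYMENT.search(text):
        hits.add("payment_request")
    return sorted(hits)
```

The `COMPROMISED` sample passes both header checks because it comes from the genuine mailbox; only the content indicators fire, which is why an urgent payment request still warrants confirmation through a separate channel.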