Social engineering – What is social engineering?
What is social engineering? One way of defining social engineering is to consider it as any act that influences a person to take an action that may, or may not be, in their best interest.
This lecture is going to explain what social engineering is. I’ll provide you with a basic definition, a little about malicious social engineering and I’ll introduce phishing, vishing, smishing and impersonation.
When does it occur?
Social engineering occurs when we blend science, psychology and art. Really, it’s all about communication. It’s how we communicate with our colleagues, with our parents, with our spouses, with our children, with our friends and, presumably, with our enemies.
From that description, it’s important to note that social engineering isn’t always negative. However, malicious social engineers use those same effective communication principles to part you and your company from data, information, money and sometimes more.
Top three malicious social engineering methods
Let’s introduce the top three malicious social engineering methods.
- Phishing – Email phishing is a very popular form of attack. It’s responsible for over three-quarters of socially based attacks. What normally happens is that the email arrives and it either has an attachment containing some form of malware, or within the phishing email there is a link to an illegitimate website. The link’s visible text will usually look like a legitimate address, while the address it actually points to is somewhere else entirely. I’ll discuss this more in a later session. Most phishing email is simply trying to install malware onto the victim’s computer.
- Vishing – This is voice plus phishing, and it’s a similar concept to ordinary phishing. But now the social engineer is trying to elicit information, or attempting to influence you to take an action, over the phone.
- Impersonation – This is where somebody presents themselves as somebody else in order to obtain private information, or to gain access to a person, a company or perhaps a computer system. For example, there’s a term called pretexting. Pretexting is when the caller invents a plausible story, such as a security check, and asks you to provide sensitive or confidential information so that they can confirm that you are really you. Remember, they’ve called you. They might ask you to give them your date of birth, or the town that you were born in, or the school that you went to and, all the while, they’re building up a profile on you.
Smishing adopts a similar approach, but this time it’s via SMS. The message asks you to provide some personal or banking details, or perhaps to call a premium rate telephone number so that you run up some huge bills. Smishing is often more effective than traditional email based phishing campaigns, perhaps due to the private nature of a mobile phone. People don’t find themselves as much on their guard as they do when they’re using their computer and an email arrives.
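As an added illustration of the phishing link point above (this is example code written for this page, not material from the lecture or the course), the following Python checks the links in an HTML email body for three common indicators: the visible text names one host while the href goes to another, the href host contains a trusted brand name but is not actually that domain, and the href host is a bare IP address. The email body, the host name examplebank.com and the IP address 198.51.100.23 are all constructed for the example.

```python
"""Flag phishing indicators in the links of an HTML email body.

Added example, not part of the original lecture. The sample email,
the brand host "examplebank.com" and the address 198.51.100.23 are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL; visible text often omits the scheme, so add one."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """Crude test: visible text with a dot and no whitespace reads as an address."""
    return "." in text and not any(c.isspace() for c in text)


def suspicious_links(html, trusted_hosts):
    """Return [(href, [reasons...])] for every link with at least one indicator."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        reasons = []

        # 1. Visible address does not match where the link really goes.
        if looks_like_url(text):
            text_host = host_of(text)
            if text_host and text_host != href_host:
                reasons.append(f"display text says {text_host} but link goes to {href_host}")

        # 2. Lookalike: brand name present, but host is not the brand domain
        #    or one of its subdomains (e.g. examplebank.com.login-verify.net).
        for brand in trusted_hosts:
            label = brand.split(".")[0]
            is_brand = href_host == brand or href_host.endswith("." + brand)
            if label in href_host and not is_brand:
                reasons.append(f"lookalike host {href_host} contains '{label}' but is not {brand}")

        # 3. Bare IP address instead of a domain name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append(f"link host {href_host} is a raw IP address")

        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one lookalike login link, one legitimate link, one IP link.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify:</p>
<a href="http://examplebank.com.login-verify.net/">https://www.examplebank.com/login</a>
<p>Need assistance? Visit our <a href="https://www.examplebank.com/help">Help centre</a>.</p>
<p><a href="http://198.51.100.23/invoice.zip">Download your invoice</a></p>
"""
TRUSTED_HOSTS = {"examplebank.com"}

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(href)
        for r in reasons:
            print("   -", r)
```

The legitimate help-centre link is left alone because its host is a real subdomain of the trusted domain, while the login link is caught twice: once for the text/href mismatch and once because the brand name appears in a host that does not end in the trusted domain. This kind of check is a hint for a user or a mail filter, not proof; a link that passes it can still be malicious.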
Targets are totally unaware
If you’re a high-value target, it can be worth a malicious social engineer spending considerable time and effort piecing together a complete picture of you, or of your company, to build what’s called a synthetic identity. Social engineers patiently piece together information from a variety of sources, including information from intermediate victims, until they have a coherent picture of their eventual target. Done well, the intermediate victims are totally unaware that any of their actions, whether providing a piece of information or performing an action requested by the social engineer, have contributed to the problem. It’s the combination of all of this gleaned information that enables the impersonator to attain their eventual goal.
How they obtain your information
The ways of obtaining information include stalking you on social media: they may follow you online and try to ‘friend’ you on social media sites. They may also head straight to your company website. It is surprising how much personal and semi-confidential information is revealed on company websites.
This is a preview lecture from our online course ‘Information Security Awareness’, for the full course please visit https://www.udemy.com/information-security-awareness-an-introduction-for-uk-smes/