Social engineering is nothing new; it has been happening for centuries. But online, the effects of social engineering can be disastrous, as many different types of accounts can be compromised, deleted or mined for information. Social engineering is the term for the process of socially tricking someone into giving out information which can be used for the attacker’s agenda. For instance, if someone pretends to befriend you and gain your trust only to extract information from you, this is social engineering. In this article, we will look at the top 5 social engineering attacks that you need to be on the lookout for. We will also look at how you can protect yourself, your online accounts and your data from these attacks.
Top 5 social engineering attacks
Phishing is one of the top 5 social engineering attacks. It involves the use of faked emails, websites or other online content designed to look like a legitimate (and usually popular) login site. For instance, a site that is designed to look exactly like the login page for Facebook or Twitter could be used to steal usernames and passwords. Usually, a faked email designed to look like it comes from one of these sites will inform the user that his account has been compromised and that he needs to visit a link to change his password. The user clicks the link, is taken to the fake login page and unknowingly hands over his login information.
Other phishing attacks are more harmful as they involve financial institutions such as banks or PayPal, as well as fake credit card scams, money wire scams and lottery scams. Here is an example of an actual PayPal phishing email in which the attacker impersonated a PayPal employee.
“It has come to our attention that 98 percent of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non-existent items. Thus, we require our members to add a debit/check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your debit/check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records, you will not run into any future problems with the PayPal service. However, failure to confirm your records will result in your account suspension.”
The email included the link to a website that was designed to look like PayPal and requested the user to update their credit card information. Many users unknowingly gave out their credit card information which was then obtained by the attacker.
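As an added defender-side illustration (not code from the original article), here is a small Python check for the two tells described above: a link whose host name-drops a brand without being that brand’s real domain, and a link whose visible text shows one address while its href actually goes elsewhere. The brand allowlist and the sample email body are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains for the brands named in the article.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "facebook": {"facebook.com"},
                 "twitter": {"twitter.com"}}

def registrable(host):
    """Last two labels of a hostname; enough for the .com brands above."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_links(html):
    """Return (reason, href) for every link that looks like a phishing lure."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Host name-drops a brand but is not one of that brand's real domains.
        for brand, good in BRAND_DOMAINS.items():
            if brand in host and registrable(host) not in good:
                findings.append(("lookalike-host", href))
        # Visible text shows one URL while the href actually goes elsewhere.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("text-href-mismatch", href))
    return findings

# Constructed sample modelled on the PayPal lure quoted in the article.
SAMPLE_EMAIL = """<p>Please renew your records or your account will be suspended.</p>
<a href="http://paypal.com.example.net/update">https://www.paypal.com/</a>
<a href="https://www.paypal.com/myaccount">Go to PayPal</a>
<a href="https://secure-paypal-login.example.com/">Confirm card</a>"""
```

Running `flag_links(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine paypal.com link alone.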
Many computer users are not very computer-literate, so they are happy to accept help from tech support. Social engineers exploit this lack of knowledge, and the fear it creates, to gain access to information and accounts by pretending to be tech support agents. Often these attackers will use phone calls, but they will also use email, instant messaging, chat or other messaging systems to get their message through. Here is an example of how a social engineering phone call or instant message could go down.
Attacker: “Hey, this is Charles with tech support. We had some attacks on our system and noticed that several passwords could have been stolen. We are requesting that everyone changes their passwords immediately to protect the account. It’s possible that your password could have been one that was stolen, so if it’s okay, I’ll help you through the process.”
Unsuspecting user: “Oh my! Certainly, please do! Thank you.”
Attacker: “Okay, just click on “change password.” Please choose a strong password that includes lowercase, uppercase and numbers to prevent hackers from getting access to your password again. What password would you like to use?”
Unsuspecting user: “Okay… what about VisCeral80372? Does that sound like it’s secure enough?”
Attacker: “Yes, that sounds perfect. Please type in your new password and click on the OK button. Thank you for helping us keep your computer secured.”
Give users what they want
This may be the most common of the top 5 social engineering attacks, as it usually targets users who are already involved in illegally downloading files such as movies, programs or music. The attacker deliberately adds malware to the file and then passes it off as an early-release DVD copy or a pre-release music album. Users eagerly download the file and open it. Those without anti-virus or other security on their computer will unknowingly install the software, which will then track their activity on the computer and steal passwords, user names, credit card information, bank information and much more.
By using this form of social engineering at the right time, such as a few weeks before a movie appears at a theater or before an album is released, the attacker plays on the eagerness of users that want to get early access to the file and it can affect thousands of computers before it is shut down.
Pay for information
Social engineers don’t often just walk up to you and offer to pay for information, but they will go to other lengths to steal your information by giving you something in return that’s worth something to you. Offers may include free ringtones, free games, free T-shirts, gift certificates or even money sent directly to your PayPal account. Often the offer sounds too good to be true and is completely fake, but you would be amazed at how many users eagerly input their information expecting to receive something free or money in return.
This one made the list of the top 5 social engineering attacks because “fake friends” are becoming far too common. This happens when a person befriends you or interacts with you for the sole purpose of obtaining information from you. Maybe the person is smoking outside the building when you walk in through a restricted-area door, and they follow you in, perhaps even thanking you and asking how your day is going. Perhaps it’s someone who wants to borrow your phone to make a call or your laptop to check their email. There are any number of ways that attackers will attempt to befriend people, or even appear to be a person in distress, in order to gain information from unsuspecting victims.
So now the question becomes: what if I fell for one of these scams?
My account was compromised and my data was deleted!
I’ll use Gmail as an example of a compromised account, although this can happen to any web account. So you fell for one of these scams, and not only did the attacker get your information and access your Gmail account, he deleted all your Gmail emails! Years of emails and attachments: GONE! Okay, no problem, just go to your backup account and restore… wait, what? You don’t have a backup account? I am so sorry…
The solution is cloudHQ. CloudHQ is a cloud backup and synchronization service that provides backup for cloud accounts and Gmail. So if you think Google is protecting all of your Gmail emails, you may want to think again. Once your account is compromised, Google’s system thinks the intruder is YOU and respectfully obeys his wishes and commands. So when he tells the system to delete all emails, they go to the Trash. Then he goes to the Trash and deletes the emails permanently. I don’t need to explain what “permanently” means.
But if you use cloudHQ to back up your Gmail emails and attachments, you will always have a safe, secure secondary copy of all your emails and attachments. The backups are stored in a separate cloud account, such as a Dropbox or Box account, with completely separate authentication credentials. So even if the attacker gains access to your Gmail account, he will be unable to access your backup account, and you can quickly restore all emails and attachments to your Gmail account.
CloudHQ provides this service for other cloud services as well, not just Gmail accounts. You can back up your Dropbox, Box, SkyDrive, Evernote, Google Drive and other accounts using the same service. Sign up now for your 15-day free trial and have instant protection “just in case” you fall for one of these scams. Once it happens, it will be too late. Get cloudHQ protection now.