Tricking unsuspecting individuals out of money or information is nothing new. Thieves have been preying on such individuals almost since the beginning of civilization. The same holds true today. In the modern era of technology, trickery may still occur on the streets, but it has the potential to prove substantially more profitable online. From tricking people into offering routing numbers in order to unfreeze money from a Nigerian prince to having them provide Social Security and driver's license numbers in exchange for winning a "free car," these kinds of tricks continue today. In the early days of the Internet, most victims simply didn't realize there were people out there who would use the Internet for such misdeeds. Now, the majority of Internet users understand the potential for illegal online activities. Despite this, online scams relying on trickery continue, many in the form of social engineering attacks. Here are some of the more common social engineering attacks to look out for and why each is so successful.
What is a Social Engineering Attack?
The basic principle of a social engineering attack is manipulating an individual into providing desired information. This information is typically confidential, such as a credit card number, routing information, login/password, or other data the requester should not have access to. It is an illegal act with the threat of criminal prosecution (should the perpetrator ever be identified and arrested for their actions).
Most Internet criminals turn to social engineering attacks because of their simplicity. Attempting to worm into an individual's personal computer through a back door or through cracks in a program can prove both time-consuming and difficult (especially for less skilled hackers). However, as a social engineering attack requires very little in the way of expertise or even hacking knowledge, such attacks are more common (Tech Target, 2014).
The Most Common Social Engineering Attacks
These attacks have experienced some evolution in how they attempt to obtain information from victims, yet many of these attack forms have existed since the early days of the Internet. Due to this, the most common and successful attacks today (as of July, 2017) are likely to still be around a decade from now.
Phishing
Phishing scams remain the most common form of social engineering attack on the Internet today. They are easy to carry out, and there are many avenues for delivering a phishing attack. These kinds of attacks have existed since the early days of America Online's AIM service, where individuals would create account names that looked similar to what AOL would use. These phishing scam messages would ask a recipient to provide their login information. This eventually led to requests for credit card information and additional personal data.
Phishing scams now work in a multitude of ways. They go beyond just sending fraudulent instant messages (although this is still carried out). Using shortened URLs is a common practice. As shortened URLs do not carry the actual website name in the link, it becomes far more difficult to identify the URL as fraudulent. Additionally, phishing attacks still target email accounts and realistically any other form of online communication (Cisco, 2017).
Tailgating
This term may not be familiar to some, yet it is one of the most common attack forms. Tailgating does require a bit more expertise than others such as phishing, yet it provides easier access to confidential information, especially content found behind a firewall. The process of tailgating is also referred to as piggybacking. During the attack, an outside individual walks in behind an individual who is logging into a secured network (like walking in through an automatic door someone earlier set off). This is where having heightened security measures in place is vital to identifying the second user entering the secured area. Tailgating can affect everyone from private individuals logging into their bank accounts to employees signing in with their corporate login (Infosec Institute, 2017).
Watering Hole Attack
This is another form of attack that requires additional insight and skill to pull off. However, a skilled hacker is able to perform this kind of attack relatively easily (depending on the security measures put in place by the website itself). During a watering hole attack, the cyber criminal places malicious code onto a public website. Essentially, someone visiting the website may assume it is part of the site they meant to visit, click on the injected link, and then be directed to content outside of the original site. The secondary site may be designed to look like the original page, which makes it easier to obtain information as the visitor simply assumes it is the original, authentic page.
With the additional security measures used by large websites, injecting malicious code has become more difficult, as long as the page is secured. If the website does not use secured pages, the external hacker likely won't have a problem injecting the fake code (Infosec Institute, 2017).
Baiting
The old saying might be "curiosity killed the cat," but curiosity is often what causes millions of dollars in lost assets and confidential information. This is because humans are curious. People often see something they are curious about and follow it down a deep and dark rabbit hole. This simple action can cause untold damage, both to a personal computer and to an internal office network. There are many different variations of this baiting attack (which is also often referred to as a quid pro quo attack). It might be a malicious file disguised as an authentic file, or it might simply use information based on previous website visits from the IP address and create a bait tactic based on these previously performed searches (Trip Wire, 2015).
How to Avoid Social Engineering Attacks
There are a handful of tips everyone needs to follow when spending time online. These tips will help reduce the chance of an external social engineering attack. For starters, people should never provide their own confidential information, even if the message or email looks authentic. If there is a concern regarding possible authenticity, the recipient of the message should contact the company's own customer service department to find out. Second, before clicking on any links embedded in email messages, it is very important to look over the link to identify any possible misspellings or domain names that do not look correct. If opening a message triggers any kind of automatic download, it may be tailgating bringing in malware. In this event, it is important to not do anything else on the computer and to contact the IT department for assistance (Cisco, 2017).
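The link inspection described above, together with the earlier point that shortened URLs hide the real website name, can be automated in a few lines. The following Python sketch is an added example, not part of the original article; the trusted domains, the shortener list and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists: the domains the reader really uses, and a few
# well-known URL shorteners. Neither list is exhaustive.
TRUSTED = ("mybank.example", "mymail.example")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive last-two-labels domain; real tooling would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url):
    """Return the reasons a link deserves a closer look (empty list: none found)."""
    host = (urlparse(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain in TRUSTED:
        return []
    reasons = []
    if domain in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    for good in TRUSTED:
        brand = good.split(".")[0]
        if edit_distance(domain, good) <= 2:
            reasons.append(f"looks like a misspelling of {good}")
        elif brand in host:
            reasons.append(f"uses the name {brand} under another domain")
    return reasons

def review_message(text):
    """Map each http(s) link in a message body to its list of warnings."""
    links = [u.rstrip(".,;:!?") for u in re.findall(r"https?://[^\s\"'<>)]+", text)]
    return {u: check_link(u) for u in links}

# Constructed sample message, not taken from a real campaign.
SAMPLE = """Your account is frozen. Verify now at http://mybannk.example/login
or through https://bit.ly/EXAMPLE. Help pages: https://www.mybank.example/help
Backup site: http://mybank.example.verify-login.test/"""

if __name__ == "__main__":
    for link, reasons in review_message(SAMPLE).items():
        print(link, "->", reasons or "no warning")
```

An empty list only means none of these three checks fired; a link that passes can still be fraudulent, so the advice to confirm with the company's customer service department still applies.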
Attacks over the Internet come from all directions, so maintaining a watchful eye on all network access points is vital in safeguarding a company's internal infrastructure. However, the weakest link in any company's secured network is often the people who use it. By educating them on the most common social engineering attacks and why each works, employees are less likely to fall victim to these kinds of problems. With additional help from spam filters and other defensive measures, companies of all sizes should be able to avoid almost all social engineering attacks.