06 Mar Phishing and Social Engineering
What is social engineering?
Social engineering is the practice of obtaining confidential information by deception or direct manipulation of the victim.
It is at once one of the simplest and one of the most complex breach techniques: simple because it does not necessarily require programming skills or technical tools, and complex because it requires the ability to exploit the psychological traits of the target.
The Social Engineering Cycle
- Research. It involves identifying the victim, obtaining key information to gain their trust, and choosing the best type of attack.
- Lure. It seeks to deceive the victim using some story or information that can generate their trust.
- Extraction. The attack is carried out through some technique, which can be as simple as a question.
- Closure. The interaction is ended while erasing any traces or indications that it was a premeditated attack.
Why is it so risky?
Social engineering exploits human psychological weaknesses, so it depends on the human factor. Any organization, company or government can have the best security systems, but if one person falls for a social engineering technique, the system turns out to be only as strong as its weakest element.
Social Engineering Types
- Baiting (hook): exploits the person's curiosity, e.g. videos with morbid titles designed to get people to click on them, or abandoned USB flash drives that actually contain malware.
- Scareware: exploits fear. The person is led to believe that they have a virus or that their computer is damaged, so that they download a malicious program.
- Pretext (pretexting): uses questions within a well-crafted context that earns the victim's confidence.
- Phishing: emails, messages or fake pages that seek to deceive the victim in order to extract their information.
- Spear phishing: phishing tailor-made for specific people or companies.
Two cases to analyze (from the Mr. Robot series)
First case: The hacker calls a user and poses as a bank fraud officer, claiming that the user’s account was compromised.
Second case: The hacker identifies a victim who he believes can be manipulated and tries to get her to leave her post so that he can access her terminal.
First case. This is a “pretext” attack. The attacker constructs a credible context to ask personal questions to extract valuable information.
Second case. The attacker seeks to exploit fear in order to manipulate the victim. The victim resists, although he ends up providing access to a second victim.
A deeper look at phishing attacks
Phishing attacks are the most common type of cybersecurity attack.
INTERPOL recorded a 569% increase in phishing cases during 2020.
These attacks deceive the victim by creating a false version of something they trust and, through that deception, extract valuable information.
There are different types of phishing:
- Fake emails
- SMS or WhatsApp messages
- Impersonated websites
Phishing via email is the most common of all. It consists of sending an email to the victim in which the attacker impersonates a bank, social networking platform, company or other trusted entity. The message usually includes links and asks the victim to act on some supposed risk or to verify some missing information.
The victim follows the link or provides the information because of the trust they place in that entity.
To avoid falling for this type of phishing, it is enough to check the address that actually sent the message and verify that it is the institution's own, valid address. It is also recommended to read the message carefully and look for spelling errors, inconsistencies or other mistakes that make the message doubtful. Finally, avoid following links from emails: it is preferable to go directly to the site of the company, bank or service and perform the required action from your own account there.
Because mail services are increasingly adept at identifying potential hoaxes, attackers also turn to SMS or WhatsApp messages.
The technique is simple: the message claims that the victim has a debt, has received a package, has won a prize, or that some action requires their attention. It provides a link that appears legitimate, or a disguised link (needless to say, the victim does not realize that the link is false and has nothing to do with the company it claims to be from).
When clicked, the link will probably lead to a fake page that asks for personal data (passwords, addresses or other details), or download some type of malware (a harmful program) onto the device.
It is important to point out that if a company wants to communicate with you, it will not do so through SMS or WhatsApp messages.
Website Impersonation Systems
Phishing isn't just about scam messages; it also depends on the attacker's ability to take the victim to a fake page.
Fake pages try to reproduce every detail of the real page. That is, they are likely to be a 100% clone (the client-side code of any web page is easy to copy and reproduce).
On the fake page the victim is asked to enter their password or other personal data useful to the attacker. Once entered, that information is stored or sent to the attacker.
The one thing a fake page cannot copy is the URL shown in the browser's address bar, because domain names are unique. Therefore, to verify a page's legitimacy, it is enough to review the URL carefully, confirm there are no errors in it, and confirm that the page really is the one it claims to be.
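The two checks the article recommends, verifying the address that actually sent a message and verifying the domain a link really points to, as an added example that is not code from the original article. The trusted domain, the sample sender and the sample message body are constructed for illustration; the registrable-domain helper is a simplification that assumes a two-label owner domain.

```python
"""Checks for the two things the article says to verify: the real sender
address of a message, and the real host behind a link. Added example; the
trusted domain and sample message below are constructed, not real."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'. Simplification: takes
    the last two labels as the owner's domain (ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_is_legitimate(from_header: str, trusted_domain: str) -> bool:
    """The display name can say anything; only the real address counts,
    and its domain must BE the institution's own, not merely contain it."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) == trusted_domain


def link_is_legitimate(url: str, trusted_domain: str) -> bool:
    """Compare the host the browser would really connect to with the trusted
    domain. Rejects plain http, look-alike names, the trusted name hidden in
    a subdomain, the 'trusted@evil' userinfo trick and punycode (xn--) hosts."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or parts.username is not None or "xn--" in host:
        return False
    return registrable_domain(host) == trusted_domain


def suspicious_links(body: str, trusted_domain: str) -> list:
    """Every link in a message body that fails link_is_legitimate."""
    urls = re.findall(r'https?://[^\s<>"]+', body)
    return [u for u in urls if not link_is_legitimate(u, trusted_domain)]


# Constructed sample: a "locked account" message with one decoy link.
SAMPLE_FROM = "Example Bank Security <alerts@examplebank-secure.net>"
SAMPLE_BODY = ("Your account was locked. Verify now at "
               "https://examplebank.com.verify-login.net/secure or see "
               "https://www.examplebank.com/help for details.")

if __name__ == "__main__":
    print("sender ok:", sender_is_legitimate(SAMPLE_FROM, "examplebank.com"))
    print("bad links:", suspicious_links(SAMPLE_BODY, "examplebank.com"))
```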
A good practice is to use the direct link that Google makes available so that we can easily report pages carrying out these frauds or phishing.
- Avoid emails or messages that don't come from trusted sources. Especially if they include links that raise suspicion, it is preferable not to click on them.
- Two-Factor Authentication (2FA) should be activated on all accounts and services (that means you need not only your password to log in but also an extra code).
- If someone calls or approaches you claiming to be from a bank or the IT department, verify their identity before answering questions or providing information.
- Be suspicious of any message that tries to instill fear in you, looks like a tempting offer, or tells you that you won a prize in a contest you never entered.
- Carefully check the messages themselves and the URLs, email addresses and phone numbers they come from.
To keep in mind
- All, absolutely all of our data is sensitive.
- Creating phishing campaigns is relatively easy for those who are dedicated to this.
- Falling for phishing is quite easy and can happen to anyone.
- Making a mistake in the digital world is not a reason to punish or constantly blame ourselves; we are always learning, and every day there are new ways to fall into traps or scams.
- Reading messages carefully and paying attention to the questions they ask us is one of the best ways to avoid falling for social engineering tricks.
- It is important to be clear that a page having an HTTPS security certificate does not always imply security. The ideal is to go to the organization's official site to verify that we are providing our data in the right place, or to call (even if that sounds like a completely outdated practice) and verify the web address.
- NOTHING IS COMPLETELY SAFE.
Let’s talk about Social Phishing
Phishing and social engineering are not terms we should think of as unrelated to our daily lives.
Social engineering is a fancy and politically correct name that refers mostly to people who use digital media to access our sensitive data, from our name to the payment methods we use online, in order to take advantage of it.
Reverse social engineering
There is also reverse social engineering, which is when a person studies a program or a system to see how it works and to find technical details that can be taken advantage of.
Looking into phishing is always a good exercise: it lets us analyze how many times we have exposed our data to third parties or to companies dedicated to harvesting our data for scams and exploiting our sensitive information.
It is highly recommended to have strong passwords for all the services we use, including on our cell phones. Nowadays it is advisable to protect even the cell phone itself with a password made of alphanumeric characters.
A frequent practice of those who exploit the information we provide is to clone bank pages. It is common because those are the pages where we enter sensitive information and the passwords we use. We must always verify, against the entity's main page or with its customer service, that the page where we are about to enter our data is trustworthy and is part of the services the entity offers; for example, verify that it has a security certificate (https://).
We don't always find an easy way to report phishing. Google makes available a direct link so that we can easily report pages carrying out these frauds or phishing:
Report a Phishing Page (google.com)
When we think of people who are dedicated to phishing, we picture the typical image of a hooded hacker in black clothes working in the dark. That could not be further from the truth...
Many of the people who engage in phishing work in public places, where they can easily collect data through the local Wi-Fi network.
Therefore, it is not advisable to connect to the Wi-Fi network of places you visit, much less if you are going to log into your bank to make a transaction.
Even if you have the best of passwords, the person sitting there phishing may have managed to install some program on the venue's router and can see which sites you visit and which passwords you use.
It is also very common for someone to sit down with a device (it can even be a cell phone with an internet connection) and "offer another connection on the premises". For example, the person sits next to you in a cafeteria, since they have the same right as you to visit the café and consume its products, renames their device's Wi-Fi hotspot to the same name as the cafeteria's Wi-Fi in order to confuse you, and once you connect through it, extracts all your data.
It is vital to read the terms and conditions of use. It is the most boring part, but it is basic: it tells us whether whoever "gives" us the application will sell our information or the content we post on those networks or applications, perhaps who that information will be sold to, and what happens if the company providing the service suffers a theft of its user database.
Also, it should be noted that a page having an HTTPS security certificate does not always imply security. The ideal is to go to the official site of the organization or company to verify that we are entering our data in the correct place, or to call and verify.