{"id":82602,"date":"2020-10-03T20:14:08","date_gmt":"2020-10-04T00:14:08","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-12-20T13:26:27","modified_gmt":"2021-12-20T18:26:27","slug":"seven-social-engineering-classics","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/seven-social-engineering-classics\/","title":{"rendered":"Seven Social Engineering Classics"},"content":{"rendered":"

\"Seven<\/a>Social engineering<\/strong> describes various non-technical attack techniques cybercriminals use to manipulate users. <\/strong>The attackers hope the user will bypass security or other business process protocols, perform harmful actions, or disclose sensitive information. Beware of these social engineering classics.<\/p>\n

Business Email Compromise<\/h3>\n

\"Business\u00a0Email\u00a0Compromise\"<\/a>Don’t get fooled by official-looking emails even though the email appears to be work-related. Subject lines such as “Invoice Attached” or “Here’s the file you needed” might be a social engineering classic. To be sure, you should hover your cursor over email addresses and links before clicking to see if the sender and type of file are legitimate. BEC is the most costly form<\/a> of cybercrime. It stems from faked emails called “Business Email Compromise<\/strong>” or BEC scams. A typical BEC scam involves phony emails<\/strong> in which the attacker\u00a0spoofs a message from an executive<\/strong> at a company\u00a0and tricks someone into wiring funds<\/strong> to the fraudsters.<\/p>\n

\"Vishing\"<\/a><\/strong>Vishing<\/h3>\n

Corporate phone systems are often set up to forward voice mail audio files <\/strong>to employees’ inboxes. While this is convenient, forwarding the files can be risky. It makes it harder to determine if the email is phony or legit. Since 2014, scammers have been installing malicious software through emails designed to look like internal voicemail messages, making vishing a social engineering classic.<\/p>\n

With vishing, cybercriminals use an urgent or alarming voicemail message to try to get potential victims to call back with their personal information. Fake caller ID\u00a0information<\/strong> is often used to make the calls appear to be from a legitimate organization or business.<\/p>\n

Free Stuff, a social engineering classic<\/h3>\n

\"Free<\/a>Free Stuff is one of the oldest social engineering classics. Most people can’t resist free Stuff, from pizza to software downloads, and they will click just about any link to get it. Of course, nothing is truly free. Sophisticated attackers might send a link to genuine free software, but they’re sending you through their website, which means you may get\u00a0infected or compromised<\/strong>.<\/p>\n

Baiting<\/h3>\n

Baiting is a variant of “Free Stuff.” The attacker hopes to trick their victims into executing code by piquing their curiosity<\/strong> or convincing them to run hardware or software with hidden malware<\/strong>. For example, innocent-looking USB sticks<\/strong> handed out at a conference or casually “dropped” in the parking could contain malware. They then detonate when the curious user plugs it into their PC. This is how Stuxnet<\/a> attacked the Iranian nuclear program.<\/p>\n

Quid pro quo social engineering classic<\/h3>\n

\"Seven<\/a>Another version of “Free Stuff.” In Latin, Quid pro quo means “something for something.” In exchange, the attacker offers something of genuine worth to the victim and will work their way into the target’s network. An example: The attacker poses as tech support<\/a> and solves a problem for you, then convinces you to type in a line of code that serves as a “backdoor.” On the other hand, it may be as simple as trading a candy bar<\/a> in exchange for a password!<\/p>\n

Waterholing<\/h3>\n

This attack plants malware on a website you and your colleagues frequently visit. The next time you surf the site, the malware\u2014such as a remote-access <\/a>Trojan or\u00a0RAT\u2014is downloaded to your computer. And just like that, the attacker can begin exfiltrating data from your employer’s network.<\/p>\n

Pretexting<\/h3>\n

Pretexting is another form of social engineering in which attackers focus on creating a fabricated scenario that they can use to try to steal their information. It is a true con game. <\/strong>It\u00a0relies on the crook fostering a sense of trust<\/strong> in the victim.<\/p>\n

\"Pretexting\"<\/p>\n

Pretexting can also impersonate co-workers, police, banks, or tax authorities. It pretends to be any individual who could have perceived authority or right-to-know in the targeted victim’s mind. In some cases, all that is needed is an authoritative voice, an earnest tone, and an ability to think on one’s feet to create a pretext scenario.<\/p>\n

Stay safe out there!<\/a><\/strong><\/em><\/p>\n

Related article<\/strong><\/p>\n