Man
Many people imagine a hacker as a person with a bunch of tricky devices, programs, monitors and energy drinks.
In fact, the typical Internet fraudster has not hacked anyone for a long time. He collects data about a person from open sources, and then uses it to persuade him to transfer money. This is called social engineering. When scammers pretend to be police officers, the Central Bank, and the FBI, this is just an example of this method of deception.
I'll tell you about social engineering and how to protect yourself from it.
You will find out
- What is social engineering
- What is a zero stage attack?
- Social engineering methods
- Why social engineering works
- How to recognize social engineering
- How to protect yourself from scammers
What is social engineering
In the context of information security, this term refers to a set of psychological manipulation methods. The goal of fraudsters who use social engineering is to force a person to give out confidential information, provide access to protected resources, or transfer money to the attackers' account.

In other words, social engineering is when scammers try to force a person to do something that is against his interests.
It is not necessary to communicate directly with the victim - by voice or correspondence. Sometimes it is enough to create conditions for a person to deceive himself. For example, send him a notification about compensation for viewing advertising on the Internet, which will be transferred to the account immediately after "paying the tax".
Requests to lend money on behalf of hacked acquaintances or fake calls to transfer money for treatment are classic examples of social engineering.
Fake reviews on “compensation” sites are also an example of social engineering. They create the illusion that someone is actually being paid money, persuading the victim to do what the scammers want.
It all starts with the zero stage of the attack
Forcing a person to do something they don't want to do is not the easiest task. To do this, fraudsters need to collect at least minimal information about them: their name, how old they are, what bank they have accounts in - for example, if we are talking about schemes related to a "safe account".

Sometimes we help scammers learn more about ourselves. Remember, have you ever seen surveys on social networks asking about the brand of your first car or asking to like if you were born in 1990? The answers help scammers guess the password to your account or guess the code word at the bank.
Experts call such preparation "the zero stage of an attack." Thanks to the information received, it is easier for scammers to gain trust. They can write on behalf of the director, name the names and positions of colleagues, and then ask to answer a call "from the FSB" or "from the Central Bank."
As a result, even those who know about their schemes and are well versed in technology give money to the scammers. For example, due to good preparation on the part of the scammers and subsequent social engineering, millions of rubles were transferred by a doctor of physical and mathematical sciences, an FBI lieutenant colonel, bank employees and programmers.
And one scientist, who was predicted to win the Nobel Prize, ended up in prison for five years because he trusted a fake beauty from the Internet and became an unwitting accomplice in drug smuggling. We analyzed this story in the article “Why People Fall for Stupid Scams.”
Social engineering methods
Social engineering is as much a fraudster's tool as a camera is a photographer's or a steering wheel is a driver's. It is often much easier to hack a person's brain than a computer.

Most hackers switched from writing viruses to writing scripts for calls or spam letters. As a result, the number of social engineering methods began to grow exponentially: each group of fraudsters comes up with something of their own.
According to Positive Technologies, social engineering accounts for 83% of attacks. Here are the most popular and unusual types.
Phishing. This is when a fraudster tries to deceive someone into accessing important information: logins and passwords, bank card and passport details, verification codes, intimate photos, important correspondence - anything that helps steal money.
Vishing, or voice phishing. The quintessence of social engineering — those same calls from the bank, police, FSB, KGB and other abbreviations. Interesting statistics: 60% of scams in Russia are carried out over the phone.
Smishing. This is phishing via SMS. For example, I once received an SMS with a login and password for a wallet that contained millions of cryptodollars. The scammers hoped that in a fit of greed I would go to the site, try to withdraw money to my account and pay a commission for the transfer. I analyzed this scheme in a separate article.
The scammers didn't contact me in any way - they just sent me a text message, and then I had to go to the site and deceive myself. This is also a form of social engineering.
Baiting, or "road apple". For example, a hacker leaves a flash drive near the office with the inscription "Bitcoin wallet password" or a disk labeled "Management payroll". The expectation is that one of the employees will insert the drive into their computer, infect it with a virus and thereby give the hacker access to the company's internal network.
Spoofing. In the context of network security, this is any attack where the attacker somehow disguises themselves or their actions as something the user trusts. For example, they might study the victim's social networks, fake the profile of a friend or relative, and then write on their behalf and ask for a loan.
Reverse social engineering. This term has two meanings. The first is from the world of security specialists, when they play along with a scammer in order to identify him and punish him.
The second is when the fraudster does not interfere, but helps his victim in order to gain their trust. In some job search scams, the fraudsters first transfer a small amount to the applicant for a test task. And then they offer to start earning full-time - and ask to deposit several times more into the "working account".
Quid pro quo, a favor for a favor. The method is similar to reverse social engineering. The fraudster creates a situation in which he imposes his help on a potential victim. For example, he calls and says that a person's bank account is being attacked, but he, a valiant employee of the Central Bank, will help protect the money.
After some manipulations, the fraudster says that he has repelled the attack, but now he needs to identify the criminal. To do this, he asks the victim to help in the investigation: for example, to transfer money to a certain account so that the Central Bank can track the flow. The money, of course, will be returned immediately, and a bonus for cooperation will be added.
The person who has just been "saved" wants to thank the "specialist" - and transfers money. Of course, no one will return it, and the fraudster will immediately hang up.
Shoulder surfing. A fashionable name for ordinary peeping. Have you noticed that nothing is visible on the ATM screen if you look at it at a slight angle? This is precisely to protect against peeping from behind the shoulder: some experts consider this a form of social engineering.
Despite its banality, this method can cause serious damage to a company. Imagine that there is a door with a code lock at the entrance to the office: an intruder can watch over the shoulder as the employee enters the code, and then freely enter the office.
In the office itself, a swindler can eavesdrop on a confidential conversation or spy on a password that an accountant has written on a piece of paper on the monitor in the old-fashioned way.
Tailgating, or piggybacking, is another real-world attack. This is the name given to a situation where an intruder gains access to a restricted area with outside help. For example, he catches a random employee at the office entrance, says he forgot his pass, and asks to be let in.
You may have encountered a more common example if you often ride the subway during rush hour. Some fare dodgers join honest passengers in order to get through the turnstile - this is tailgating.
Diversion Theft, theft with sabotage. Imagine that you ordered delivery from an online store. The courier is still nowhere to be found, and suddenly you see a notification that the order has been delivered.
All because a fraudster came to your house, started looking for the courier - and intercepted him. The criminal pretended to be you and said that he had just gone out to take out the trash, and left his passport at home. But why should the courier wait when he can hand over the order and go about his business.
With the right level of charisma, such swindlers can persuade not only a pizza delivery guy, but even a courier with a brand new expensive smartphone.
Pretexting, or pretext attack. A method where the scammer first puts on an innocent show to warm up the potential victim: for example, conducting a survey about favorite music groups, and then asking the victim to leave bank card details to receive a reward. Or posing as an employer's technical support service, asking the usual questions, and then asking for the login and password for the account "to update something". Scams with filling out questionnaires and surveys also use this technique.
Scareware, scare tactic. Banners about your device being infected with a thousand viruses, emails demanding payment for some incriminating evidence – basically, anything that should cause fear and alarm. To some extent, calls “from the police” that someone is taking out a loan in your name right now can also be attributed to this method.
The Ministry of Internal Affairs asks you to transfer a fine for watching adult videos to a phone number. Of course, this is not a new government service, but a scare tactic of scammers.
Why social engineering works
Professional scammers are good psychologists. They turn off our critical thinking by using the brain's instincts. As a result, people fall for it not because they are stupid, but because their brain has switched to "primal mode".

The human behavior model looks complicated: there are hundreds of parameters that influence our decisions. But if we try to simplify, the brain has only two routes along which it sends thought processes: "central" and "peripheral".
The "central" route works in a state of rest. The brain has the resources and time to carefully process the information received and issue a logical conclusion. That is why, when we sit in front of the screen with a cup of coffee and read how a pensioner threw 900 thousand rubles out of the window because of threats on the phone, we just want to smirk: "She's completely out of her mind! She could have just hung up! Who even falls for that?"
And here's why people fall for it: when they call and scare you that all the money in your account is about to disappear, your brain switches your decisions to a "peripheral" route. The signals in your head start going not through a chain of filters, but through an affective reaction.
Once upon a time, in cave times, an affective reaction allowed our ancestors not to think about whether to run away from a strange toothy cat, but to instantly make a decision, preserving life. These are our basic instincts: fight, flee, freeze.
Unfortunately, in our times freer from saber-toothed cats, affective reaction helps scammers hack into other people's thinking. They evoke emotion in a person and immediately get the reaction they need. That is why some victims describe their state as "I acted as if I was acting automatically."
In a calm state, the brain processes the decision through many filters, as on the route on the right. But in moments of stress, all filters are switched off and decisions are made instantly, as on the route on the left.
How to recognize social engineering
The key to successful social engineering is to use human emotions. Therefore, the main rule is: if you are scared, rushed, threatened - it may be an attack using social engineering.

It is not necessary to scare a person: you can make him irritated, curious, or even want to help. Security experts call the emotions that scammers press on vectors. Among the vectors, inattention is also singled out: although this is not an emotion but a person's state, scammers often count on it.
Vectors have amplifiers: for example, authority and urgency. They act as catalysts and increase the success of an attack. At some point, fraudsters stopped introducing themselves as bank security officers and began calling on behalf of an "FSB colonel for economic crimes" or a "leading specialist of the Central Bank": after all, this sounds more authoritative, and therefore has a greater chance of scaring a person and making him act thoughtlessly.
The likelihood of a successful scam also increases when the scammers are able to figure out a person's actual needs. That's why so many scams involve promises of money - and why those who need it most suffer.
Social engineering is not just about making threats over the phone. Fraudsters can exploit the full range of human emotions, backing them up with amplifiers: urgency and authority.
How to protect yourself from social engineering
Read about scammers and scams. This will help you spot a scam when you encounter one. Over time, you will learn to recognize a scam even if you have never heard of it: your brain will automatically recognize the red flags.

Fraudsters' methods are complex and varied, and they are constantly coming up with something new. But the main thing is an attack on emotions. If you feel fear, anxiety, or irritation during a call from a stranger, this is a reason to interrupt the conversation, calm down, and call back yourself.
If a "bank employee" said that your money is in danger, call the bank back using the number on the official website or on your bank card. If an "FSB colonel" said that you have become a suspect in an investigation, call the FSB hotline. If a "doctor" said that your relative has been hospitalized and you urgently need to transfer money for treatment, call your relative back.
It can be difficult to cope with emotions. The "take a break" technique helps you recognize pressure in time: if you are caught off guard, do not react immediately; let your brain switch to a new task. Read more about this technique in the first lesson of the free course "How to protect yourself from scammers". This course will also help you develop your observation skills and teach you to recognize the most popular scams.
Source