The most popular social engineering techniques in 2021
Over the past few years, cyber fraudsters specializing in social engineering have begun to use more advanced methods to gain access to the information they need, taking into account the modern psychology of both corporate employees and humanity in general.
Over the past few years, cyber fraudsters specializing in social engineering have begun to use more advanced methods to gain access to the information they need, taking into account the modern psychology of both corporate employees and humanity in general. To learn how to counter all sorts of tricks, it is necessary to understand the general tactics used by attackers. In this article, we'll take a look at the most common approaches in social engineering.
Introduction The term "social engineering" first appeared in everyday life in the 90s with the submission of the very famous cybersecurity specialist and former hacker Kevin Mitnick. However, attackers used similar methods long before the official concept took shape. Experts believe that modern cyber fraudsters pursue two main goals: stealing passwords and installing malware. Attackers use social engineering through telephone, email and web pages. Below are the main methods of obtaining confidential information.
Tactic # 1. The six handshake theory
A key goal of an attacker using social engineering over the phone is to convince the victim that either a work colleague or a government official (such as a law enforcement officer or auditor) is calling. When a fraudster wants to collect information on a specific person, he may first try to get the necessary information from the victim's work colleagues. According to one old theory, there are only six handshakes between the attacker and the victim. Experts recommend that you be extra vigilant when it's not clear what a co-worker wants from you.
Usually, an attacker contacts a secretary (or an employee in a similar position) in order to collect information on people with a higher position in the corporate hierarchy. Experts believe that a friendly tone helps scammers in many ways. Slowly but persistently, criminals are picking the right keys for you, and it is often just a matter of time before it gets the right information that you would never share.
Tactic # 2. Use of corporate vocabulary
Each industry has its own specific terms. To be more persuasive and sophisticated when using social engineering, attackers will study the peculiarities of the corporate language and culture. If the fraudster speaks with the victim in the same language, then he will begin to inspire confidence much faster, which means that he will get the necessary information faster.
Tactic # 3. Using familiar tunes
To successfully execute an attack, an attacker must have time, persistence, and patience. Typically, socially engineered cyberattacks are slow and data on future victims is collected regularly. The main goal is to gain trust and subsequent deception. For example, an attacker might convince that he is talking to someone on behalf of a work colleague. One of the key techniques in this situation is the melody that is used in the company while waiting for a call. The attacker first listens and records the melody, and then, during a conversation with the victim, he can unexpectedly interrupt the conversation and say something like "Wait, I have an incoming call on the second line." The victim hears familiar music and becomes even more convinced that there is a company employee on the other end of the line. In fact,
Tactic # 4. Fake CallerID
Criminals often resort to fake phone numbers by spoofing Caller ID. For example, a fraudster can call from his home, and the corporate number of the company will be displayed on the victim's phone display. Naturally, in most cases, an unsuspecting employee will pass on confidential information, including passwords. This trick also helps to cover your tracks, since the callback to the displayed number will be made within the corporate network.
Tactic # 5. Using the news background
Regardless of the current news, attackers will always find a way to exploit the current situation, such as the presidential campaign or the economic crisis, for spam, phishing, and other deception schemes. Such messages often contain links to infected sites with malware disguised as useful programs.
Phishing attacks on banks are very similar to each other. It all starts with an e-mail similar to the following: “Another Bank [name] acquires your Bank [name]. Please follow the link and check that your data is up to date. "Do I need to say that we are dealing with an attempt to obtain information that an attacker can either sell to the side or use to steal money from your account.
Tactic # 6. Hacking a social media account
It's no secret that Facebook and LinkedIn are hugely popular social networks. Many studies show that users tend to trust these platforms. Incidents of targeted phishing against LinkedIn users support this hypothesis. Often, the attackers' strategy is based on the fact that fake technical work notices are sent out on the social network, and users are invited to update the information. Therefore, in various memos, it is recommended that company employees enter addresses manually, rather than clicking on phishing links in emails. In addition, it should be noted that sites rarely send requests to users to update their personal information.
Tactic # 7. Typesquatting
This technique is based on the fact that people make mistakes when typing addresses in the browser. Accordingly, during an erroneous input, the victim may be redirected to the site created by the attacker. In the beginning, cyber fraudsters thoroughly prepare the ground for the implementation of this scheme. They figure out variants of typos and create a website that looks like two peas in a pod similar to a legitimate one. Thus, a typographical error in one symbol could lead you to a copy, the purpose of which is to collect personal data or spread malware.
Tactic # 8. FUD
Fear, uncertainty and doubt (fear, uncertainty, doubt; FUD) are often the main psychological manipulations used in marketing. The essence of many techniques boils down to the fact that the user becomes insecure or doubts about something (for example, a product or a company) and, as a result, begins to feel fear and take rash actions. Recent research suggests that product security and vulnerability can affect the stock market. For example, researchers tracked the impact of the Patch Tuesday event on Microsoft stock. The results show that there were significant fluctuations in the stock chart after the release of the vulnerability reports. You can also recall the story when attackers in 2008 spread fake news about the state of Steve Jobs, after which Apple's shares fell sharply. This is the most striking example of the use of the FUD technique for malicious purposes. In addition, you should beware of spam messages that aimed at artificially raising prices, for example, in the stock market or in the cryptocurrency market. In such cases, attackers can send emails telling them about the overwhelming potential of specific stocks / coins that were purchased in advance. Further, many will want to buy these shares as soon as possible, and prices will skyrocket. After the scammers sell their shares, the price will fall again.
Conclusion
Cyber fraudsters usually resort to very sophisticated social engineering techniques. After familiarizing yourself with the methods above, we can conclude that attackers achieve their goal using various psychological tricks. Thus, it is important to pay attention to every little detail that can reveal scammers. Check and double-check information about people who are trying to contact you, especially when it comes to the disclosure of confidential information.
