Chapter 8: Social Engineering

There's no single security device that can guard against an attacker's use of social engineering techniques. Only through continuous training and educating employees on how to identify and respond to social engineering attempts can an attacker's chances of succeeding be reduced.

We will explore the many aspects of social engineering and the ways attackers use it to accomplish their goals, as well as how to identify and respond to such attempts and how to educate and protect ourselves and our organization against them.

In this chapter, we will discuss the following:

  • Understanding social engineering
  • Attack-vulnerable behaviors
  • What makes social engineering work?
  • Social engineering's attack phases
  • Social engineering methods
  • Threats from within
  • Threats to corporate networks from social media
  • Identity theft
  • Countermeasures

Before proceeding with this subject, let's review some of the basic concepts of social engineering.

Understanding social engineering

So, what is the definition of social engineering?

Social engineering is the art of persuading people to give up sensitive information that is then used for malicious purposes. By manipulating people rather than technology, attackers can obtain an organization's sensitive information even when security policies are in place. Employees are often unaware of the lapse and may unknowingly divulge crucial information about the organization.

Examples include answering a stranger's questions or responding to a spam or phishing email without realizing what has been given away.

Social engineering's most common victims

A social engineer's most powerful tool is the vulnerability of people. People generally trust others and find enjoyment in helping and assisting people. An attacker is skillful and will take advantage of a person who is helpful.

Let's discuss some of the most common targets of social engineering in an organization:

  • Receptionists and help-desk personnel: Social engineers generally target service-desk or help-desk personnel by tricking them into divulging confidential information about the organization. To extract information, such as a phone number or password, the attacker first wins the trust of the individual with the information. On winning their trust, the attacker manipulates them to get valuable information. Receptionists and help-desk staff may readily share information if they feel they are doing so to help a customer.
  • Senior executives: To gather essential information about an organization, attackers may approach senior executives from departments such as finance and HR, as well as C-level officers (CxOs).
  • Users and clients: Attackers could pose as a tech support representative to approach users and clients of the target organization to obtain sensitive information.
  • Technical support executives: Another target of social engineers is technical support executives. A social engineer may take the approach of contacting technical support executives to obtain sensitive information by pretending to be senior management, customers, vendors, or other figures.
  • System administrators: A system administrator in an organization is responsible for maintaining the systems. Thus, they may have critical information, such as the type and version of the OS and admin passwords. This information enables an attacker to make a more planned and organized attack.
  • Vendors of the target organization: Attackers may target the organization's vendors to obtain essential information that will aid in the execution of attacks.

To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that victims might not even notice the fraud. Attackers are always looking for new ways to access information. They also ensure they know the organization's frontline contacts, such as security guards, receptionists, and helpdesk workers, to exploit people's vulnerabilities. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities.

What people actually rely on is appearance and behavior: a man in a uniform carrying a stack of parcels is assumed to be a delivery driver, and nobody asks to see his ID. By exploiting these habits, attackers obtain confidential information, authorization, and access from people through social engineering tactics.

The effects of a social engineering attack on a company

Social engineering is a serious issue and can result in significant losses for a business.

The following are some of the effects of a social engineering attack on an organization:

  • Economic losses: Competitors may employ social engineering tactics to obtain sensitive information and data from the target organization, such as development plans or marketing strategies, resulting in financial loss for the target and a strategic advantage for the competitor.
  • Detriment to goodwill: A company's perception of goodwill is critical for acquiring customers. By disclosing important organizational data, social engineering attempts may jeopardize such goodwill.
  • Loss of privacy: Loss of privacy is a serious problem, particularly for large organizations. If an organization cannot maintain the privacy of its stakeholders or customers, people may lose trust in the company. As a result, people may stop doing business with them and they may suffer damage and losses.
  • Terrorism: Terrorism and antisocial elements represent a threat to an organization's assets, including people and property. Terrorists may employ social engineering to create blueprints of their targets to infiltrate them.
  • Arbitration and lawsuits: Lawsuits and arbitration generate negative publicity for a company and have a negative impact on its performance.
  • Closure – either temporary or permanent: Social engineering attacks can lead to lawsuits and arbitration and can result in the temporary or permanent closure of a company and its operations.

Now that we have covered the basics of social engineering and how it impacts an organization, let's look at the types of approaches used to achieve this.

Attack-vulnerable behaviors

When we think about attack-vulnerable behaviors and what this means, we're talking about the natural, intrinsic feelings and responses of people. These can be exploited by an attacker using the following:

  • Authority: The right to exercise power in an organization is referred to as authority. Attackers take advantage of this by posing as someone of authority in a target organization, such as a technician or an executive, to steal sensitive information.
  • Intimidation: The use of bullying tactics to intimidate a victim into taking multiple actions is referred to as intimidation. It's frequently carried out by impersonating someone else and duping victims into divulging crucial information.
  • Social proof or consensus: People are inclined to like or do what other people appear to like or do; this is known as consensus or social proof.

Attackers take advantage of this by building websites with fictitious customer testimonials praising a product such as fake anti-malware software (rogueware). Users searching the internet for anti-malware software land on these sites, believe the testimonials, and download the product, which installs malware alongside, or instead of, the promised tool.

  • Scarcity: Scarcity is frequently associated with social engineering. In a decision-making process, scarcity frequently entails instilling a sense of urgency. Because of the urgency, attackers might manipulate the decision-making process by controlling the information supplied to victims.

For example, if Apple announces a new product that quickly sells out, attackers can take advantage of the situation by sending phishing emails to the target customers, enticing them to buy the goods by clicking on a link supplied in the email. The users will be forwarded to a malicious website controlled by the attacker if they click on this link. As a result, the user may wind up disclosing account information or downloading harmful software, such as trojans.

  • Urgency: Urgency is about acting right away. Attackers can take advantage of this by duping victims into doing something they don't want to do.

Ransomware, for example, frequently employs the urgency principle, which forces the victim to take immediate action within a set timeframe. The victims notice a countdown meter running on their infected systems and realize that failing to make the required decision within the allotted time may result in the loss of critical data.

Similarly, attackers send phishing emails claiming that a product is on sale and that the recipient should click the Buy Now link to purchase it. A user who gives in to the urge to act right away clicks the link and is routed to a malicious website, where they are pressed to enter personal information or download a malicious file.

  • Familiarity or favoritism: People are more inclined to buy things if they are advertised by a celebrity they respect. Familiarity or favoritism means people are more likely to be convinced to do something when they are asked by someone they like.

People are more willing to allow someone to glance over their shoulder if they like or are familiar with them. If the person is disliked, the shoulder surfing attack is easily recognized and avoided. Similarly, if they like or are friendly with someone, they will typically allow them to tailgate them. In some circumstances, social engineers trick someone with charm and pleasant conversation to get a person to like them.

  • Trust: Attackers frequently try to establish a trusting relationship with their targets. An attacker could, for example, call a victim and introduce themselves as a security expert. They may claim to work with XYZ firm and to have spotted certain irregularities, such as the victim's machine sending out strange errors. The attacker builds confidence by invoking the company's name and their own supposed experience in security. Once trust is established, the attacker gives the victim steps to follow, then emails a malicious file and urges the victim to download and open it. The malware installs on the victim's PC, giving the attacker a foothold from which to steal crucial information.
  • Greed: Some people want to amass large sums of money, including through illicit means. By promising something for nothing (appealing to their greed), social engineers entice their targets to give up information.

An attacker may, for example, pose as a competitor and offer a substantial reward, to persuade the target staff to provide important information.
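The levers described above (authority, intimidation, scarcity, urgency, and a request for credentials) leave traces in the phishing emails that carry them, and those traces can be scored. The following Python script is an added example for this chapter, not code from the original text: it parses a raw email with the standard library, flags a Reply-To domain that differs from the From domain, flags anchor text that names one host while the href points to another, and tallies cue phrases by lever. The two messages, the names and domains in them, the phrase lists and the weights are all constructed for illustration and are assumptions, not an observed campaign or a vendor rule set.

```python
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cue phrases grouped by the behavioural lever they pull. Assumed lists
# chosen for this example, not a vendor rule set.
CUES = {
    "urgency": ("immediately", "within 24 hours", "act now", "right away", "expires"),
    "authority": ("it department", "security team", "cfo", "ceo", "director"),
    "intimidation": ("suspended", "locked", "terminated", "legal action"),
    "credentials": ("password", "verify your account", "log in", "credentials"),
}
# Assumed weights: header and link tricks count more than wording alone.
WEIGHTS = {"urgency": 2, "authority": 1, "intimidation": 2, "credentials": 3,
           "reply_to_mismatch": 3, "link_mismatch": 4}


class _LinkCollector(HTMLParser):
    """Collect visible text and (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None


def _host(url):
    """Hostname of a URL; a bare 'example.com' string is treated as a host."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyze(raw_message):
    """Return the score and the list of cues found in one RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"]
    # Replies silently rerouted to a domain the apparent sender does not control.
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append("reply_to_mismatch")

    part = msg.get_body(preferencelist=("html", "plain"))
    content = part.get_content() if part is not None else ""
    links = []
    if part is not None and part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        content, links = "".join(collector.text), collector.links

    # Anchor text that shows one host while the href goes somewhere else.
    for visible, href in links:
        if "." in visible and " " not in visible and _host(visible) != _host(href):
            findings.append("link_mismatch")
            break

    # Scan display name, subject and body for the lever phrases.
    text = f"{sender.display_name} {msg['Subject']} {content}".lower()
    findings += [lever for lever, phrases in CUES.items()
                 if any(p in text for p in phrases)]
    return {"score": sum(WEIGHTS[f] for f in findings), "findings": findings}


# Constructed sample messages; every name and domain here is made up.
PHISH = """\
From: "IT Security Team" <helpdesk@mail-relay.example.net>
Reply-To: support@acme-verify.example.org
To: jane@acme.example
Subject: Action required: account suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be <b>suspended</b> within 24 hours unless you verify your account.</p>
<p>Log in at <a href="http://acme-verify.example.org/login">https://portal.acme.example</a>.</p>
</body></html>
"""

BENIGN = """\
From: "Jane Doe" <jane@acme.example>
To: bob@acme.example
Subject: Lunch menu for Thursday
Content-Type: text/plain; charset="utf-8"

Hi Bob, the cafeteria menu for Thursday is attached. See you there.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(sample))
```

The heuristics are deliberately simple; a scorer like this belongs in a mail gateway or triage playbook next to SPF/DKIM/DMARC results, and a high score should prompt an out-of-band phone call to the supposed sender, never a reply to the email itself.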

Next, let's discuss some of the factors that leave a business or organization open to being attacked.

Factors that predispose businesses to attacks

Companies are vulnerable to social engineering attacks due to a variety of circumstances, including the following:

  • Inadequate security education: Employees may be unaware of the social engineering techniques employed by attackers to persuade them to provide sensitive information about the company. As a result, any organization's minimal responsibility is to educate its personnel about social engineering tactics and the hazards they pose to prevent social engineering attacks.
  • Inadequate security policies: A security policy is the foundation of a security infrastructure. It is a high-level document describing the security controls the organization commits to, and every identified security risk or weakness should be addressed in it explicitly. Password change policies, information sharing policies, access privileges, unique user identification, and centralized security management are all desirable measures to codify.
  • Unrestricted information access: One of a company's most valuable assets is its database. Providing everyone access to such sensitive data or allowing limitless access to such sensitive data could lead to problems. As a result, businesses must guarantee that individuals who have access to sensitive data are properly trained and monitored.
  • Multiple locations: Some companies' units are spread across the country, making it difficult to oversee the system. Furthermore, a configuration like this makes it easier for an attacker to gain access to the organization's sensitive data.

Next, we're going to discuss what makes social engineering work and be successful.

What makes social engineering work?

Social engineering, unlike other attack techniques, does not target network security controls; it deals with psychological manipulation and exploitation of a human being to obtain the desired information.

The following are some reasons social engineering is effective:

  • Despite many security protocols, stopping social engineering is difficult since humans are fallible.
  • There is no method guaranteeing total security against social engineering attacks.
  • Detecting social engineering attempts is difficult, since a persuasive request looks much like a legitimate one.
  • This strategy is low-cost (or even free) and simple to apply.
  • There is no unique hardware or software that can protect against social engineering attacks.

Next, we'll talk about the attack phases in which social engineering may occur.

Social engineering's attack phases

To carry out a successful social engineering attack, attackers perform the following steps:

  1. Target company research

An attacker acquires enough information to infiltrate the target organization's network before attacking it, and social engineering is itself one of the ways that information is extracted. The attacker begins by gathering basic information about the target company, such as the nature of the business, its location, and the number of employees, through activities such as dumpster diving, browsing the company's website, and discovering employee information.

  2. Choose a target

The attacker selects a target for extracting sensitive information about the company after completing their research. Attackers frequently attempt to contact dissatisfied employees because they are often willing to share information about the company and are easier to manipulate.

  3. Establish a relationship

Once the target has been identified, the attacker establishes a working relationship with that individual to complete their objective.

  4. Take advantage of the relationship

The attacker exploits the relationship to obtain sensitive information about the company's accounts, finances, technologies in use, and future strategic plans.

An attacker may use several methods to carry out an attack. Let's talk about some of them next.

Social engineering methods

Attackers use a variety of social engineering methods to collect sensitive information from individuals or organizations that could be used to perpetrate fraud or other criminal acts.

This section will cover people-based, computer-based, and mobile-based social engineering approaches, all with examples to help you understand them better.

People-based social engineering

Human contact is the basis of people-based social engineering. Pretending to be a real person, the attacker interacts with an employee of the target organization to obtain sensitive information, such as corporate strategy or network details, that will aid them in launching their attack. An attacker who convincingly impersonates an IT support technician, for example, may simply be let into the server room.

An attacker can use the following methods to execute human-based social engineering.

Impersonation

Impersonation is a frequent people-based social engineering method in which the attacker poses as a legitimate or authorized individual. Attackers may carry out personal impersonation attacks or use a phone or another communication medium to deceive victims into divulging information.

The attacker could pose as a courier or delivery person, a janitor, a salesman, a customer, a technician, or a guest. Once inside, the attacker gathers sensitive information by looking for passwords written near terminals, reading critical documents left on employees' desks, rummaging through dumpsters, and so on. The attacker may also shoulder surf (watch someone type) or eavesdrop on private conversations.

Impersonation techniques used in social engineering include the following:

  • Pretending to be a genuine end user
  • Acting as if you're important
  • Assuming the role of a technical support agent
  • Assuming the identity of an internal employee, a client, or a vendor
  • Pretending to be a repairman
  • Using vishing to impersonate a tech support agent
  • Abusing the help desk's over-assistance
  • Pretending to be someone with third-party permission
  • Assuming the role of a respected authority

Trust, fear, and a sense of moral obligation are the human traits that these impersonation methods exploit to extract sensitive information about the target company.

Pretending to be a genuine end user

An attacker may impersonate an employee, using a bogus identity, to gain access to sensitive information.

Another example is an attacker who, posing as an employee's friend, asks a colleague to retrieve information that a bedridden employee reportedly needs. A well-known social principle is that a favor begets a favor, even when the original favor was never asked for. This is referred to as reciprocation, and it is a common occurrence in business settings. Impersonation is one way social engineers make use of it.

Consider this case: "Hi! I'm Paul, and I work in the finance department. I've forgotten my password. Is it possible to get it?"

Acting as if you're important

Another behavioral trait favoring a social engineer is a person's tendency to not question authority. People regularly go out of their way to help people they believe are in positions of power. Impersonating a high-ranking figure, such as a vice president or director, might easily deceive an unprepared employee.

Attackers who take impersonation to the next level by posing as a high-ranking employee add a layer of fear. Here the authority factor comes into play: lower-level personnel go out of their way to assist someone they believe outranks them. A help-desk staffer, for example, is unlikely to refuse a request from a vice president who is pushed for time and needs critical information for a meeting.

If an employee refuses to reveal information, social engineers may use their claimed position of power to intimidate them, including threatening to report the refusal to their superiors.

Consider the following scenario: "Hello there! I'm Kevin, the secretary to the CFO. I'm working on a deadline and have forgotten my system password. Are you able to assist me?"

Assuming the role of a technical support agent

Another strategy involves an attacker impersonating a technical support agent, which is particularly effective when the target lacks technical knowledge. The attacker could pose as a hardware vendor, a technician, or a computer vendor. During one demonstration to a hacking group, a speaker called a Starbucks store and asked whether their broadband connection was working properly. The confused staffer said that the problem was with the modem. Without providing any credentials, the speaker then had him read out the credit card number from the previous transaction. In a business setting, the attacker may ask employees to provide their login information, including passwords, to fix a problem that does not exist.

Consider the following scenario: "Sir, this is Mathew from X Company's technical assistance department. We suffered a system crash here last night, and we're looking for missing data. Could you tell me your username and password?"

Assuming the identity of an internal employee, a client, or a vendor

An attacker usually wears office attire, or the same type of clothing others are wearing, and walks into a company's building posing as a contractor, client, service technician, or another authorized individual. They then move around unobserved, looking for passwords taped to terminals, extracting vital data from wastepaper bins and papers on desks, and gathering other data. The attacker may also use shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposefully overhearing confidential conversations between employees) to gather information that could be used to launch an attack on the company.

Pretending to be a repairman

Computer technicians, electricians, and telephone repairmen are generally trusted without question. Attackers can penetrate an organization by impersonating a technician or repair person. They go about their supposed business while searching for concealed passwords, crucial information on desks, information in garbage bins, and other relevant material; they may even plant snooping equipment in hidden spots. I've personally used this technique to walk out of an organization with full computer systems in hand.

Using vishing to impersonate a tech support agent

Vishing (voice or VoIP phishing) is a type of impersonation scam in which the attacker uses Voice over IP (VoIP) telephony to mislead people into disclosing sensitive financial and personal information. The attacker impersonates a trusted party, often with caller ID spoofing so the call appears to come from a legitimate number, and profits from the information obtained. Vishing frequently uses prerecorded messages and instructions that appear to come from a real financial institution, deceiving the victim into submitting bank account or credit card information over the phone for identity verification.

The attacker may send the victim a phony SMS or email message instructing them to call the financial institution for credit card or bank account verification; in some situations, the victim gets a phone call from the attacker. When the victim dials the phone number mentioned in the message of the attacker, they hear a recorded instruction requiring personal and financial data, such as name, date of birth, Social Security Number (SSN), bank account number, credit card information, or credentials such as usernames and passwords. The recorded message confirms that the victim's account has been verified when the victim submits the information.

Abusing the help desk's over-assistance

There's a reason why help desks are routinely targeted for social engineering attempts. Staff workers are trained to be helpful, and they frequently divulge critical information, such as passwords and network details, without first validating the caller's identity.

To be effective, the attacker must know the identities of employees as well as information about the person they are attempting to impersonate. Pretending to be a senior official, the attacker may call a company's help desk to extract important information.

For instance, a caller might contact a company's help desk claiming they can't remember their password and that their supervisor will fire them if they miss the deadline on a major advertising project.

The help desk employee pities the caller and promptly resets the password, unintentionally handing the attacker access to the company network.

Pretending to be someone with third-party permission

Another common tactic employed by attackers is to pose as a person authorized by a senior-level leader in the organization to gather information on their behalf.

For example, if an attacker knows the identity of an employee at the target organization who is permitted to access the required information, they keep a close eye on them to gain access to the data they need in the absence of the employee in question. In this situation, the attacker can approach the help desk or other people and say the employee (authority figure) has asked for the information.

Even if there is doubt about the request's legitimacy, people tend to disregard it in favor of being helpful in the workplace. When someone mentions an important person and provides the necessary information, people tend to believe they are being truthful.

This method works well when the authority figure is on vacation or traveling and immediate verification is unavailable.

An example is as follows: "Hello, my name is John, and I chatted with Mr. XYZ last week before he left. He's on vacation and indicated you'd be able to provide me with the information while he's away. Could you please assist me?"

As with the tech support impersonation described previously, an attacker can use vishing to pose as a technical support staff member of the target organization's software vendor or contractor. The attacker may claim to be a network technician and request the user ID and password for a computer in order to diagnose an issue. The user hands over the information, believing they are talking to a troubleshooter.

An example is as follows: (Attacker) "Hello, my name is Mike, and I'm with tech support. The system and networks have been running slower than usual at your office, according to certain employees. Is this correct?"

"Yes, it's been a little slow recently," says the employee.

(Attacker) "So, we've transferred you to a new server, and your service should now be significantly better. I can check your service if you provide me with your password. From now on, everything should be improved."

Assuming the role of a respected authority

Posing as a trusted authority figure is one of the most effective social engineering methods.

To collect sensitive information from the target, an attacker may pose as a fire marshal, superintendent, auditor, director, or another key individual over the phone or in person.

Some examples are as follows:

  • "I'm James, and I want to introduce myself. I'm with Jones Auditing, an external auditor. The company has asked us to conduct a surprise examination of your disaster recovery methods. Your team has 10 minutes to demonstrate how you would recover from a website crash."
  • "Hello, my name is Ann, and I'm a sales representative from the Virginia office. I realize this is a last-minute request, but I have a group of prospective clients coming in and I've been attempting to persuade them to outsource their security training needs to us for months. They're only a few miles away, and I believe giving them a quick tour of our facilities will be enough to convince them to sign with us. Yes, they're very interested in the security measures we've implemented. One of the reasons they're contemplating our firm is because their website was hacked a while back."

  • "Hi, I'm with Mountain AC/Heating Services. We got a call that the 4th floor is getting too hot, therefore I'll have to look into your HVAC system."

Using phrases with a professional ring to them, such as HVAC (Heating, Ventilation, and Air Conditioning), may provide an intruder with just enough credibility to give them entry to the target secure resource.

Eavesdropping

Eavesdropping is when someone listens in on a discussion or reads other people's messages without their permission. It includes intercepting any type of communication, whether audio, video, or written, across channels such as phone lines, email, and instant messaging. Passwords, business plans, phone numbers, and addresses are among the sensitive data that can be obtained by an attacker.

Dumpster diving 

Dumpster diving is rummaging through trash bins for sensitive personal or organizational information. Attackers look for user IDs, passwords, network diagrams, policy numbers, and other confidential information that can be extracted.

Attackers can find account numbers, calendars, bank statements, payroll information, source code, sales projections, access codes, phone lists, credit card numbers, and organizational charts, and can exploit this information to carry out a variety of malicious attacks. Ploys such as impersonating a repair person, technician, cleaner, or other professional are sometimes used by attackers to cover their dumpster diving.

The following is information that can potentially be collected by going through garbage:

  • Phone lists: A list of employees' names and phone numbers.
  • Organizational charts: Describe the company's organization, physical infrastructure, server rooms, restricted areas and locations, and other information about the company.
  • Policy manuals: Reveal information about employees, system usage, and operations.
  • Printouts, notes, faxes, and memos sent by email: Reveal employees' personal information, passwords, contacts, internal working procedures, beneficial instructions, and other information.
  • Notes on events, calendars, and computer usage logs: Information about users' log on and off times is revealed, allowing the attacker to choose the optimal time to launch their attack.

Reverse social engineering

Reverse social engineering is a challenging task because its execution necessitates a great deal of planning and skill. The perpetrator plays the role of a knowledgeable professional so that employees come to them for help and, in doing so, hand over information.

The social engineer will first create a problem by causing an incident, and then will portray themselves as the solution through general chat, enticing employees to make inquiries.

Here are some methods of reverse social engineering:

  • Sabotage: After gaining access, the attacker will corrupt or make the workstation appear corrupted. Users seek assistance when they encounter a problem.
  • Marketing: The attacker must promote and create awareness for a user to call them. The attacker can do this by leaving a business card or resource in the target's office with their contact information to solve the problem.
  • Support: Even if the attacker has already obtained the desired information, they may continue assisting users to keep the victims unaware of the hacker's identity.

Piggybacking

Piggybacking usually entails entering a building or a secure area with the permission of an authorized individual. An attacker might, for example, request that an authorized individual unlock a security door, claiming that they have misplaced their ID badge. The authorized person will allow the attacker to pass through the door as a matter of courtesy.

Tailgating

Tailgating is entering a building or a secured location without the knowledge of the authorized person being followed. It is the act of discreetly following that person through a protected entryway before the door closes.

An attacker wearing a fake badge can try to gain access to a restricted area by closely following an authorized person through a keyed or locked access door, posing as an authorized individual.

This is another one of my personal favorites. One time I piggybacked into a building that may or may not have been a federal location, but that's a story for another time.

Theft by diversion

An attacker could use diversion theft to target delivery workers or transportation companies. The main goal of this strategy is to deceive a person in charge of making a delivery into sending the package to the incorrect location, causing the transaction to be disrupted. For instance, if the victim is a package delivery driver, they may be convinced to drive to a location different than the delivery site. The theft is made possible by subjecting the van driver to a series of social engineering techniques.

On the internet, social engineers can use diversion theft to persuade victims to transmit sensitive or confidential files to an unrelated individual who is not supposed to get them.

Honey trap

The honey trap is a tactic in which an attacker poses as an attractive person online and establishes a phony online relationship to collect confidential information. In this case, the victim is an insider who has access to sensitive information about the target company.

Baiting

Baiting is a strategy in which attackers entice end users to provide sensitive information, such as login credentials and other personal information, in exchange for something that appears valuable. The end user's curiosity and greed are exploited. Attackers use this strategy by leaving a physical device holding malicious files, such as a USB flash drive, in places where people can easily find it, such as parking lots, elevators, and bathrooms. End users are duped into trusting and opening this physical device since it is tagged with a reputable company's logo. When the victim connects the device and opens it, a malicious file is downloaded. It infects the system and allows the attacker to seize control.

An attacker might, for example, leave some bait in an elevator in the form of a USB drive labeled Employee Salary Information 2019 and bearing the company's logo. The victim picks up the device out of curiosity and opens it on their computer, where the bait is downloaded. Once the bait is downloaded, malicious software is installed on the victim's computer, granting the attacker access.

Quid pro quo

The Latin term quid pro quo means something for something. Attackers use this approach to phone random numbers within a corporation, claiming to be from technical support. This is a baiting tactic in which attackers offer their services in return for personal information or login credentials from end users.

An attacker might, for example, collect random phone numbers from a target organization's personnel. They then begin dialing each number while impersonating the IT department.

The attacker ultimately locates someone who is experiencing a genuine technical problem and offers their assistance in resolving it. The attacker can then instruct the victim to follow specific steps and enter certain commands to install and run malicious files containing malware designed to access sensitive data.

Elicitation

The practice of eliciting specific information is known as elicitation.

By engaging a victim in an ordinary conversation, an attacker can get specific information from them. To take advantage of professional or social opportunities to communicate with people who have access to sensitive information, attackers must have good social skills. The goal of elicitation in social engineering is to extract useful information that helps the attacker acquire access to the target assets.

If an attacker's goal is to get the victim's login and password, but all the conversation yields is small talk about what the victim enjoys, the attacker will have to work harder at the elicitation process to get the necessary information.

Let's talk about computer-based social engineering next and what it's about.

Computer-based social engineering

Attackers utilize harmful software, such as viruses, trojans, and spyware, as well as software applications, such as email and instant messaging, to undertake computer-based social engineering.

The following are some examples of computer-based social engineering attacks.

Pop-up windows

Popups persuade or force users to click a link that leads to a phony web page that requests personal information or downloads dangerous software, such as keyloggers, trojans, or spyware.

One way to get a user to click a button in a pop-up window is to warn them about a problem (for example, by showing a realistic OS or application error message) or to offer them more services. A window appears on the screen, urging the user to log in again or warning of a host connection interruption and the need to re-authenticate the network connection. When a user follows these instructions, a malicious program is installed, which takes sensitive information from the target and sends it to the attacker's email address or a remote site. Trojans and viruses are used in this form of attack.

Hoax letters

A hoax is a message that warns recipients of a computer virus threat that does not exist. To expand its reach, it uses social engineering. Hoaxes usually do not result in physical harm or data loss, but they do result in a loss of productivity and the usage of an organization's precious network resources.

Chain letters

A chain letter is an email offering free goods, such as money or software, in exchange for the user forwarding the email to a certain number of people. Emotionally compelling stories, get-rich-quick pyramid scams, spiritual beliefs, and superstitious threats of bad luck are all common techniques utilized in chain letters. Chain letters depend on social engineering to be passed along.

Instant messaging

An attacker uses instant chat features to communicate with selected online users to obtain personal information, such as their date of birth or maiden name. They then use the information they've gathered to break into users' accounts.

Spam email

Spam consists of irrelevant, undesired, and unsolicited emails that are sent with the intent of collecting information that can be used for financial gain, such as SSNs and network information. Spam communications are sent to the target to obtain sensitive information, such as bank account numbers. Email attachments containing hidden and dangerous programs, such as viruses and trojans, may also be sent by attackers. By giving the attachment a very long filename, social engineers try to push the real file extension out of view.
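The extension-hiding trick above is easy to check for on the receiving side. The following script is an added example (it is not code from this book or from any mail product) that inspects attachment filenames for the common disguises: a very long run of whitespace before the real extension, a "document" extension followed by an executable one, a right-to-left override character that reverses the displayed name, and names longer than what a typical client shows. The sample names and the 40-character visible width are constructed assumptions for the demonstration.

```python
import re
from typing import List

# Extensions that execute when opened; an attachment that looks like a document
# but ends in one of these is the classic extension-hiding trick.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "ps1", "msi", "jar"}
# Extensions a recipient expects an ordinary attachment to carry.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "zip"}
# Unicode RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed,
# so "report<RLO>fdp.scr" renders as "reportrcs.pdf".
RLO = "\u202e"

# Assumed display width of a typical mail client before it truncates the name.
DEFAULT_VISIBLE_WIDTH = 40


def analyze_attachment_name(name: str, visible_width: int = DEFAULT_VISIBLE_WIDTH) -> List[str]:
    """Return finding codes for an attachment filename; an empty list means nothing suspicious."""
    findings: List[str] = []
    if RLO in name:
        findings.append("rtl_override")
    # Split on dots and strip whitespace around each piece, so that
    # "Invoice.pdf<60 spaces>.exe" still yields the pieces "pdf" and "exe".
    parts = [p.strip() for p in name.lower().split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable_extension")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            findings.append("double_extension")
    if re.search(r"\s{10,}", name):
        findings.append("whitespace_padding")
    if len(name) > visible_width:
        findings.append("overlong_name")
    return findings


DESCRIPTIONS = {
    "rtl_override": "contains a right-to-left override that reverses the displayed extension",
    "executable_extension": "real extension is an executable type",
    "double_extension": "document extension followed by an executable extension",
    "whitespace_padding": "long run of whitespace pushes the real extension out of view",
    "overlong_name": "longer than the assumed visible width; clients may truncate it",
}


def describe(name: str) -> str:
    """Human-readable summary of the findings for one filename."""
    codes = analyze_attachment_name(name)
    if not codes:
        return f"{name!r}: no findings"
    return f"{name!r}: " + "; ".join(DESCRIPTIONS[c] for c in codes)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    samples = [
        "Invoice_2019.pdf",
        "Invoice_2019.pdf" + " " * 60 + ".exe",
        "report" + RLO + "fdp.scr",
    ]
    for s in samples:
        print(describe(s))
```

A mail gateway would run `analyze_attachment_name` on every attachment and quarantine anything that returns `executable_extension` or `rtl_override`; the other two codes are weaker signals that are best shown to the recipient as a warning rather than blocked outright.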

Scareware

Scareware is a sort of malware that entices people to visit malware-infested websites or download or purchase potentially harmful software. Scareware is frequently encountered in popups informing users that their computer has been compromised with malware. These popups appear to be from a reputable source, such as an antivirus business. Furthermore, these pop-up advertisements always convey a sense of urgency, instructing a victim to download the program as soon as possible to be free of the alleged infection.

Phishing

Phishing is a method of obtaining a user's personal or account information by sending an email or providing a link that falsely claims to be from a reputable site. The attacker registers a phony domain name, creates a spoof website, and then sends the URL to users via email. When a user clicks on the email link, they are taken to a bogus home page where they are enticed to share personal information, such as their address and credit card number.

Users' lack of awareness, being visually fooled, and failing to pay attention to the browser's security indicators are all factors that contribute to the success of phishing schemes.
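The phony domain name is the one part of a phishing email a program can check without any user judgement. The following script is an added example (not code from this book) that classifies the host in a URL against a list of the organization's trusted domains: it folds look-alike characters (the digit 1 for l, rn for m, and so on), measures edit distance, and catches the pattern where a trusted name is merely a subdomain label of somebody else's domain. The trusted domain examplebank.com and the sample URLs are constructed for the demonstration, and the "last two labels" rule for the registered domain is a simplifying assumption.

```python
from typing import Set
from urllib.parse import urlparse

# Single characters and digraphs that pass for another letter in common fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Fold look-alike characters to the letters they imitate."""
    for src, dst in DIGRAPHS.items():
        label = label.replace(src, dst)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Assumption: the registered domain is the last two labels.
    A production check would consult the public suffix list (co.uk and similar)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, trusted: Set[str], max_distance: int = 2) -> dict:
    """Classify the host in a URL against a set of trusted registered domains.

    Verdicts: trusted, embedded_trusted_name, lookalike, unknown.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    reg = registered_domain(host)
    result = {"host": host, "registered": reg, "verdict": "unknown", "matched": None}
    if reg in trusted:
        # Subdomains of a trusted registered domain are trusted too.
        result.update(verdict="trusted", matched=reg)
        return result
    for t in sorted(trusted):
        # The trusted name appears in the host, but a different domain is what resolves.
        if t in host:
            result.update(verdict="embedded_trusted_name", matched=t)
            return result
    for t in sorted(trusted):
        if normalize(reg) == normalize(t) or levenshtein(reg, t) <= max_distance:
            result.update(verdict="lookalike", matched=t)
            return result
    return result


if __name__ == "__main__":
    trusted = {"examplebank.com"}  # constructed for the example
    for u in ["https://www.examplebank.com/login",
              "http://examp1ebank.com/login",
              "https://examplebank.com.verify-account.net/",
              "https://unrelated.org/"]:
        r = check_url(u, trusted)
        print(f"{u}: {r['verdict']} (matched {r['matched']})")
```

Anything that comes back as `lookalike` or `embedded_trusted_name` deserves a warning banner on the message; `unknown` is not proof of safety, only that the host does not imitate one of the listed brands.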

The following are the types of phishing methods used.

Spear phishing

Instead of sending out thousands of emails, some attackers utilize spear phishing to acquire sensitive data, such as financial information and trade secrets, by sending customized social engineering content to a single employee or a small group of employees in a business.

Spear phishing emails appear to come from a reputable source with a legitimate-looking website. The email also appears to be from someone in the recipient's workplace, usually someone in a senior position. The message is sent by an attacker aiming to gather sensitive information about the recipient and their company: login credentials, credit card numbers, bank account numbers, passwords, confidential documents, financial information, and trade secrets are all examples. Because it appears to be from a trusted company source, spear phishing delivers a higher response rate than a standard phishing attempt.

Whaling

A whaling attack is a type of phishing attack that targets high-profile executives, such as CEOs, CFOs, politicians, and celebrities, who have complete access to highly confidential and valuable information. It's a social engineering trick in which the attacker convinces the victim to reveal critical corporate and personal information (such as bank account details, employee details, customer information, and credit card numbers). Whaling differs from ordinary phishing in that it is meticulously prepared and focused on someone in executive leadership.

Pharming

Pharming is a social engineering technique in which an attacker installs malicious software on a victim's computer or server, which automatically redirects the victim's traffic to an attacker-controlled website when the victim types in any URL or domain name. The attacker steals personal information, such as passwords, banking information, and other data related to web-based services.

There are two ways to carry out a pharming attack:

  • DNS cache poisoning:
    1. The attacker performs DNS cache poisoning on the targeted DNS server.
    2. The attacker alters the record for the target website, www.targetwebsite.com, so that it points to the IP address of the fake website, www.hackerwebsite.com.
    3. When the victim types the target website's URL into the address bar of their browser, a request is sent to the DNS server to acquire the target website's IP address.
    4. The DNS server provides a forged IP address that has already been altered by the attacker.
    5. The victim is then forwarded to the fake website.
  • Hosts file modification:
    1. Malicious code is sent as an email attachment by an attacker.
    2. When the user opens the attachment, the code executes and alters the local hosts file on the user's machine.
    3. When the victim types the URL of the target website into the address bar of their browser, the modified hosts file instantly redirects the user's traffic to the attacker's bogus website.

Malware such as trojan horses and worms can also be used in pharming attacks.
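The hosts-file variant leaves a local artifact that an endpoint check can find. The script below is an added example (not from this book or any product) that parses hosts-file text and flags two things: any entry for a watched domain such as the organization's bank or mail provider, which should never be resolved locally, and any entry that pins an external-looking name to a non-loopback address outside the internal suffixes the organization legitimately uses. The file contents, the watched domain examplebank.com, and the internal suffix .corp.example are constructed for the demonstration; the default paths are the standard locations on Windows and Unix-like systems.

```python
import ipaddress
import platform
from typing import Dict, List, Set, Tuple


def default_hosts_path() -> str:
    """Standard location of the hosts file on the current OS."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every active mapping; comments and blanks are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:          # one address may carry several names
            entries.append((fields[0], name.lower(), n))
    return entries


def audit_hosts(text: str, watched: Set[str], internal_suffixes: Set[str]) -> List[Dict[str, object]]:
    """Flag hosts entries that pin a watched domain or an external-looking name.

    watched: registered domains that must never be resolved locally.
    internal_suffixes: name suffixes the organization legitimately pins, e.g. ".corp.example".
    """
    findings: List[Dict[str, object]] = []
    for ip, name, n in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": n, "host": name, "ip": ip, "reason": "unparseable address"})
            continue
        if addr.is_loopback or name == "localhost" or name.endswith(".localhost"):
            continue                     # the usual localhost lines
        if name in watched or any(name.endswith("." + w) for w in watched):
            reason = "watched domain pinned in hosts file"
        elif not any(name.endswith(s) for s in internal_suffixes):
            reason = "external-looking name pinned locally"
        else:
            continue
        findings.append({"line": n, "host": name, "ip": ip, "reason": reason})
    return findings


def audit_hosts_file(path: str, watched: Set[str], internal_suffixes: Set[str]) -> List[Dict[str, object]]:
    """Convenience wrapper: audit a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watched, internal_suffixes)


# Constructed hosts-file content for the demonstration (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.corp.example      # legitimate internal pin
203.0.113.10    www.examplebank.com        # bank site pinned to an outside address
198.51.100.7    cdn.example.net
"""
WATCHED = {"examplebank.com"}
INTERNAL = {".corp.example"}

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHED, INTERNAL):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Run `audit_hosts_file(default_hosts_path(), WATCHED, INTERNAL)` from an endpoint agent or a scheduled task and alert on a non-empty result; on a healthy workstation the hosts file normally contains nothing beyond the loopback lines.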

Spimming

Spam over Instant Messaging (SPIM) takes advantage of instant messaging networks to disseminate spam. A spimmer is a spammer who sends spam via instant messenger. Spimmers typically acquire instant message IDs and send spam messages to them using bots (an application that performs automated activities via the network).

SPIM messages, like email spam, frequently include attachments or embedded hyperlinks that contain ads and viruses. When the user opens the attachment, they are routed to a malicious website that collects financial and personal information, such as login passwords, bank account information, and credit card information.

Tools for phishing

Attackers can employ phishing tools to create bogus login pages to steal usernames and passwords, send faked emails, and collect the victim's IP address and session cookies. The attacker can then use this information to impersonate a legitimate user and launch other attacks against the target organization.

Let's discuss another aspect of social engineering, mobile-based.

Mobile-based social engineering

Mobile applications are used by attackers to conduct mobile-based social engineering.

Attackers deceive users by copying popular apps and creating harmful mobile apps with appealing features, which they then upload to the major app stores under the same name. Users download the dangerous program unwittingly, allowing the malware to infect their smartphone.

The following are some of the methods used by attackers to undertake mobile-based social engineering.

Creating and distributing malicious apps

In mobile-based social engineering, the attacker uses malicious mobile apps to carry out a social engineering attack. The attacker first produces the malicious program—for example, a game app—and then publishes it on major app stores under well-known brands. Unaware of the malicious program, a user will install it on their phone, assuming it to be legitimate. The device is infected with malware once the software is installed, which sends the user's credentials (usernames, passwords), contact information, and other information to the attacker.

Security applications that are repackaged

To accomplish mobile-based social engineering, attackers may deliver a false security application. In this attack, the attacker first infects the victim's computer with malware.

Next, they upload a malicious app to an app store. When the victim logs into their bank account, the malware on the computer displays a pop-up message instructing them to download an app to their phone to receive security messages. The victim believes they are getting a legitimate app when they download it from the attacker's app store. The attacker collects confidential information, such as the user's bank account login details (username and password), and when the bank sends the victim a second authentication code by SMS, the malicious app captures that as well. The attacker uses this information to gain access to the victim's bank account.

SMiShing

In SMS Phishing (SMiShing), the SMS text messaging system is used to lure users into taking instant action, such as downloading malware, visiting a malicious web page, or calling a fraudulent phone number. SMiShing messages are crafted to provoke instant action.

Consider Tracy, a software developer at a reputable firm. She receives an SMS supposedly from her bank's security department. It's an urgent request for Tracy to call the phone number mentioned in the SMS right away. Being concerned, she calls to check on her account, assuming the phone number to be the bank's legitimate customer service line. Her credit or debit card number and password are requested in a recorded message. Since Tracy considers it to be a legitimate message, she shares her personal information.

A message may say the user has won money or been chosen at random as a lucky winner, and all they must do is pay a small fee and disclose their email address, phone number, or other personal information.

Another important aspect of social engineering is threats that come from within an organization or business. Let's talk more about that next.

Threats from within

An insider is a trusted employee who has access to an organization's most valuable assets. An insider attack entails the use of privileged access to intentionally harm an organization's data or information systems. Insiders can easily circumvent security measures, tamper with valuable resources, and get access to sensitive data. Insider attacks could cost the organization a lot of money. They're also harmful because they're simple to launch and hard to detect.

Insider attacks are generally performed by the following:

  • Privileged users: Insider attacks are typically carried out by the company's most trusted personnel, such as managers and system administrators, who have access to the company's proprietary data and are more likely to misuse it, either purposefully or unintentionally.
  • Employees who are disgruntled: Attacks may originate from disgruntled employees or contract workers. Disgruntled employees who want to exact vengeance on the company gather information first and then wait for the ideal opportunity to compromise the company's resources.
  • Employees who have been terminated: When an employee is terminated, they may take vital information about the company with them. After being fired, they access the company's data through backdoors, malware, or their previous credentials if they have not been disabled.
  • Employees who are prone to accidents: This could be if an employee loses their mobile device by accident, sends an email to the wrong recipients, or leaves a system signed in with confidential data. Unintentional data disclosure can occur if you're not careful.
  • Third parties: Remote employees, partners, dealers, and vendors are examples of third parties who often have access to information held by the company. However, their systems' security is a concern and could be a potential source of data leaks.
  • Undertrained employees: Due to a lack of cybersecurity training, a trusted employee becomes an accidental insider. They don't follow security rules, procedures, guidelines, or best practices.

Reasons for insider attacks

Credit card firms, healthcare companies, network service providers, and financial and exchange service providers are all targets for insider attacks.

The following are a few reasons for these attacks:

  • Monetary gain: Insider attacks are motivated by a desire for financial gain. The insider sells valuable company information to a competitor, steals a colleague's financial information for personal gain, or tampers with the company's or its employees' financial records.
  • Theft of confidential information: A competitor may plant a person inside the target firm by finding a job opening, coaching someone through the interview, and having that person hired; the planted insider can then steal crucial information, damage the target firm, or even put it out of business.
  • Revenge: It only takes one angry employee to seek vengeance for the company to be jeopardized. Attacks could come from disgruntled employees or contractors who have negative feelings about the organization.
  • Become a competitor in the future: Current employees may intend to start their own rival firm, and by accessing the system with the company's confidential data, they may steal or alter the customer list.
  • Competitors bidding for information: Corporate espionage means that even the most honest and trustworthy employees can be blackmailed or bribed by a competitor into divulging the company's crucial information.
  • Public awareness: An unhappy employee may desire to make a political or social statement, and in doing so, the company's confidential data is leaked or damaged.

Different kinds of insider threats

Insider threats can be divided into four categories:

  • Spiteful insider: Insider threats might be perpetrated by angry or terminated employees that purposefully steal data or destroy company networks by inserting malware into the corporate network.
  • Careless insider: Careless insiders are more prone to social engineering assaults since they are unaware of potential security concerns or simply violate common security rules for the sake of workplace efficiency. Many insider attacks are the result of employees' disregard for security policies, procedures, and practices.
  • Expert insider: Insiders who work in IT for a living are the most dangerous. They exploit their technical expertise to find flaws and vulnerabilities in the company's network and sell the company's proprietary information to competitors or black-market bidders.
  • Compromised insider: This is an insider who has been compromised by an outsider. They have access to a company's essential assets or computing devices. This type of threat is more difficult to detect since the outsider poses as a genuine insider.

Why are insider attacks so successful?

Here are some reasons an insider attack is so effective:

  • Insider attacks can go undiscovered for years and resolving them is costly.
  • Insider assaults are simple to carry out.
  • Insider attacks are difficult to prevent and can easily succeed.
  • It's tough to tell the difference between damaging behavior and an employee's usual duties. It's difficult to tell whether an employee is acting maliciously.
  • Even if harmful conduct has been uncovered, the employee may refuse to accept responsibility, claiming it was an error.
  • Employees might easily cover their tracks by altering or deleting logs to conceal harmful behavior.

Let's understand this with the help of an example.

The Dissatisfied Employee

This individual tends to be introverted, cannot manage stress, is in conflict with management, is frustrated with their job or office politics, wants respect or a promotion, or may have been transferred or demoted or issued an employment termination notice. Employees who are dissatisfied with their jobs may sell company secrets and intellectual property to competitors for monetary gain, causing the company to suffer.

Disgruntled employees can use steganography applications to hide company secrets and then send the information to competitors via a work email account as an innocuous-looking communication, such as a photograph, image, or sound file. Because the attacker hides the stolen important information in a picture or image file, no one suspects them.
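The simplest steganographic trick, appending a file to the end of an image, is also the simplest to detect: a well-formed JPEG ends at its EOI marker, so anything after that marker is foreign. The script below is an added example (not from this book or any DLP product) that walks the JPEG marker structure, skips the entropy-coded scan data correctly (byte stuffing and restart markers do not end a scan), and returns whatever follows EOI. The minimal JPEG-shaped byte string is constructed for the demonstration and is not a decodable picture. It does not catch LSB-style hiding inside the pixel data, which needs statistical analysis; it catches the appended-payload case that this paragraph describes.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def find_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG marker structure and return whatever follows the EOI marker.

    Returns b"" when the file ends cleanly at EOI (or is truncated and has no EOI).
    Raises ValueError for data that is not a JPEG stream.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                # fill byte; marker continues one byte on
            pos += 1
            continue
        if marker == EOI:
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM and RSTn carry no length field
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes its own 2 bytes
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows; skip it until a real marker.
            # FF00 is byte stuffing and FFD0..FFD7 are restart markers; neither ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return b""


def has_appended_payload(data: bytes) -> bool:
    """True if bytes follow the EOI marker, i.e. something was glued onto the image."""
    return len(find_trailing_data(data)) > 0


# Constructed minimal JPEG-shaped byte string: SOI, a JFIF APP0 segment, one SOS segment
# with a few entropy bytes (including FF00 stuffing and an RST0 marker), then EOI.
MINIMAL_JPEG = bytes([
    0xFF, 0xD8,                                                   # SOI
    0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00,         # APP0, length 16, "JFIF\0"
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,         # version, units, density, thumbnail
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,   # SOS, length 8, one component
    0x12, 0x34, 0xFF, 0x00, 0x56, 0xFF, 0xD0, 0x78,               # entropy data with stuffing + RST0
    0xFF, 0xD9,                                                   # EOI
])

if __name__ == "__main__":
    print(find_trailing_data(MINIMAL_JPEG))                       # b''
    print(find_trailing_data(MINIMAL_JPEG + b"appended text"))    # b'appended text'
```

An outbound mail filter can run `has_appended_payload` on every image attachment; a match is worth a look even when the trailing bytes are themselves encrypted or compressed, because legitimate images have no reason to carry anything past EOI.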

Insider threat behavioral signs

Insider threat behavioral indicators are things that are typically unusual for the individual and often contrast with their standard behavior and work activity. These atypical patterns need to be investigated further to determine whether they stem from malicious motives. A lack of employee awareness about security procedures is the most typical indicator of insider threat.

Insider dangers can be identified in a variety of behaviors:

  • Data breach warnings: Alerts of unauthorized data gathering and transmission on the network could indicate a malware or insider attack. Insiders can also use paper, fax machines, hard drives, and portable or other computing devices.
  • Network logs that are missing or have been changed: To escape detection, insiders attempt to get access to log files to delete, modify, and edit unauthorized access events, file transfer logs, and other information from systems and network devices. Attacks can be detected by log alteration, deletion, or access alerts.
  • Patterns of network usage: Malicious activity can be detected by changes in the network patterns of network-specific protocols, packet sizes, sources and destinations, frequency of user application sessions, and bandwidth utilization.
  • Multiple failed login attempts: An insider may try to gain access to systems or applications they are not authorized to use by brute-forcing credentials. As a result, many failed attempts could signal an insider threat.
  • Temporal and behavioral changes: Look for employee behavior changes over time, such as spending capacity, frequent travel, anger management concerns, regular quarrels with coworkers, and laziness. Some fraud indications might also be found when completing tasks.
  • Access at an unusual time and location: Any inconsistency in an event's timeframe is suspicious and could suggest an insider danger, for instance, if activity is logged on employee systems while they are not present.
  • Critical data that is missing or has been changed: Disgruntled employees can alter or delete important information to harm the company's reputation.
  • Downloading or copying sensitive data without authorization: Insiders extract data from the perimeter of the organization using both authorized and malicious tools. Insiders can steal information via installing malware, trojans, and backdoors.
  • Multiple user accounts logging in to different systems: Malicious activity may be indicated by unusual access times together with a change in the IP address of the system used to connect to the account.
  • Changes in revenue or expenditure over time: Unexpected and inexplicable changes in an employee's financial situation indicate income derived from other sources. The company should conduct a financial audit to see whether the employee has been involved in any illegal actions.
  • Unauthorized physical asset access: Employees accessing approved assets without verification, attempting to escalate their rights beyond their job requirements, or attempting to get physical access to assets are all examples of potential threats.
  • Employee productivity increases or decreases: Employees who are unproductive or intimidating, or whose productivity suddenly spikes or drops, may be displaying questionable behavior, especially if they also disagree with the company's intellectual property rights.
  • Working hours that are inconsistent, unusual business activities, and frequent or secret foreign trips: Employees who engage in suspicious business activities, such as odd login times, odd office hours, unauthorized browsing and downloads, secret visits overseas, and meetings with representatives from other countries or organizations may pose a threat to the company.
  • Excessive behavior as a result of a potential mental health problem: Some employees displaying unpredictable and excessive behavior, or a rapid change in behavior, could indicate a potential mental health problem. This increases the likelihood of them committing financial fraud, data theft, or physical theft.
  • Indications of vulnerability (drug or alcohol abuse, financial difficulties, gambling, and illegal activities): Employees who may be involved in drugs, gambling, alcohol abuse, or having relationship problems, may risk compromising the company's data for monetary gain. Organizations may need to keep a close eye on the activities of the employee on a frequent basis.
  • Complaints about a data breach of sensitive information: Insider attacks might be identified by information or complaints about sensitive data exposures. Examine customer reviews and complaints for abnormalities, then analyze them to find the insider.
  • Abnormal system and user account access: An insider threat could be indicated by a discrepancy between the systems assigned and the user accounts utilized to access the systems.
  • Use of social media in an irresponsible manner: Insiders may try to harm the company by sharing irrelevant material on social media networks.
  • Attempt to enter restricted zones: Employees with harmful intent may attempt to get access to restricted parts of the company to obtain sensitive data.
  • Social networking site impersonation: Many people today use social networking sites to create online accounts, share information, and share materials such as photos, blog entries, and music clips. As a result, impersonating someone is relatively easy for an attacker. The victim is likely to trust the attacker and eventually divulge information that will assist the attacker in impersonating them and gaining access to the system.
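Several of the indicators above (failed login bursts, access at unusual times, the same account arriving from different addresses) are mechanical enough to compute from authentication logs. The following script is an added example (not from this book or any SIEM) that runs those three checks over constructed log lines in an assumed one-line-per-event format: ISO timestamp, user, source IP, and OK/FAIL result. The thresholds (five failures in ten minutes, business hours 08:00 to 18:00) are assumptions a real deployment would tune, and the user names and addresses are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed log format for the example: ISO timestamp, user, source IP, result.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample lines, not from a real system.
SAMPLE_LOG = """\
2024-03-11T09:02:11 user=asmith src=10.0.0.12 result=OK
2024-03-11T09:05:40 user=jdoe src=10.0.0.23 result=FAIL
2024-03-11T09:05:52 user=jdoe src=10.0.0.23 result=FAIL
2024-03-11T09:06:03 user=jdoe src=10.0.0.23 result=FAIL
2024-03-11T09:06:15 user=jdoe src=10.0.0.23 result=FAIL
2024-03-11T09:06:30 user=jdoe src=10.0.0.23 result=FAIL
2024-03-11T09:06:41 user=jdoe src=10.0.0.23 result=OK
2024-03-11T13:30:00 user=bjones src=10.0.0.40 result=OK
2024-03-11T13:45:00 user=bjones src=172.16.5.9 result=OK
2024-03-12T02:14:05 user=asmith src=10.0.0.12 result=OK
"""


def parse_log(text: str) -> List[Dict]:
    """Turn log text into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events: List[Dict], fail_threshold: int = 5, window: timedelta = timedelta(minutes=10),
           business_hours=(8, 18)) -> List[Dict[str, str]]:
    """Return alerts for failed-login bursts, multiple source IPs, and off-hours access."""
    alerts: List[Dict[str, str]] = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    start, end = business_hours
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        # 1. Burst of failed logins within a sliding time window.
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= fail_threshold:
                alerts.append({"user": user, "type": "failed_login_burst",
                               "detail": f"{j - i + 1} failures starting {fails[i].isoformat()}"})
                break
        # 2. Successful logins from more than one source address.
        srcs = sorted({e["src"] for e in evs if e["result"] == "OK"})
        if len(srcs) > 1:
            alerts.append({"user": user, "type": "multiple_source_ips", "detail": ", ".join(srcs)})
        # 3. Successful login outside business hours.
        for e in evs:
            if e["result"] == "OK" and not (start <= e["ts"].hour < end):
                alerts.append({"user": user, "type": "off_hours_access", "detail": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}: {a['type']} ({a['detail']})")
```

Each alert is a lead, not a verdict: a single off-hours login is usually an on-call engineer, and the value comes from correlating several indicators on the same account before anyone is questioned.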

Let's elaborate a bit more on the last point that we have discussed.

Impersonation on social networking sites

Because social networking sites, such as Facebook, Twitter, and LinkedIn, are so popular, attackers utilize them to impersonate people. An attacker can proceed in two ways:

  • By creating a false victim profile on a social networking platform
  • By obtaining the victim's password or acquiring access to the victim's social media accounts in any other way

Because people post personal and professional information on social networking sites, such as name, address, cell phone number, date of birth, project details, job designation, company name, and location, attackers have a gold mine of information to work with. The more information people reveal on social networking sites, the more probable an attacker will be able to impersonate them and conduct attacks against them, their associates, or their company. They may also attempt to extract corporate data by joining the target organization's employee groups.

Organizational facts, professional details, contacts, connections, and personal details are among the types of information that attackers obtain through social networking sites, which they then use to carry out other types of social engineering assaults.

Facebook impersonation

Facebook is a popular social networking platform that brings people together. It's popular among friends who post comments and upload images, videos, and links. Attackers employ nicknames or aliases instead of real identities to spoof Facebook members. They create fictitious identities and try to add friends to access other people's profiles and obtain sensitive information.

Some methods taken by an attacker to persuade a victim to give sensitive information are as follows:

  • Create a bogus Facebook user group called Employees of Company XYZ.
  • Proceed to friend or invite actual employees to the bogus Employees of Company XYZ group using a fictitious identity.
  • Users join the group and provide information, such as their date of birth, educational and professional backgrounds, or the names of their spouses.
  • An attacker can compromise a secure facility by using the details of any one of the employees to obtain entry to the building.

Attackers can also make a false account and scan the information on various targets' profile pages on other social networking sites, such as LinkedIn and Twitter, to engage in spear phishing, impersonation, and identity theft.

Threats to corporate networks from social media

Private and corporate users should be aware of the following social and technical security threats before sharing data on a social networking site or expanding their channels, groups, or profiles:

  • Data theft: Social networking sites are massive databases that are accessed by many people all over the world, increasing the danger of data exploitation.
  • Unintentional data leaks: Employees may mistakenly share sensitive material about their firm on social networking sites in the absence of a robust policy that draws clear distinctions between personal and corporate information, which could aid an attacker in launching an attack on a target organization.
  • Focused attacks: Attackers utilize information provided on social networking sites to perform targeted attacks on specific users or businesses.
  • Vulnerability in the network: All social networking sites have weaknesses and problems, such as login issues and Java vulnerabilities, which attackers might take advantage of. As a result, confidential information relating to the target organization's network could be leaked.
  • Phishing and spam: Employees who use work email IDs on social networking sites are likely to receive spam and become targets of phishing attacks, which could damage the company's network.
  • Modification of content: Blogs, channels, groups, profiles, and other platforms can be faked or hacked in the absence of sufficient security measures and efforts to safeguard identity.

So, now that we understand some of the threats that we face, let's next talk about how attackers use the information they gather to steal someone's identity.

Identity theft

Many consumers today are victims of identity theft, so much so that some state legislators in the United States have passed legislation prohibiting the use or disclosure of a person's SSN during the recruitment process. Identity theft is constantly mentioned in the news. Companies should be educated about identity theft so their own anti-fraud activities are not jeopardized.

Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

The Identity Theft and Assumption Deterrence Act of 1998, enforced by the Federal Trade Commission, makes the theft of personal information with the intent to commit an unlawful act a federal crime in the United States with penalties of up to 25 years' imprisonment and a maximum fine of $250,000.

Identity thieves steal the following types of personally identifiable information:

  • Names
  • Home and work locations
  • Driver's license number
  • SSNs
  • Credit reports
  • Phone numbers
  • Birth dates
  • Passport number
  • Credit card information

The attacker steals people's identities to commit fraud, such as the following:

  • Opening new credit card accounts in the user's name and not paying the bills
  • Opening a new phone or wireless account in the user's name or charged to the user's current account
  • Obtaining utility services, such as power, heating, or cable TV, using the victim's information
  • Opening bank accounts to write phony checks using the victim's personal information
  • Making electronic withdrawals from the victim's accounts via an ATM or debit card
  • Obtaining loans the victim is responsible for
  • Obtaining a driver's license, passport, or other formal ID card containing the victim's information
  • Using the victim's name and SSN to receive their government benefits
  • Impersonating an employee of a target organization to physically access its facility
  • Taking over the victim's insurance policies
  • Selling the victim's personal information
  • Ordering goods online using a drop-site
  • Hijacking email accounts
  • Obtaining health services
  • Submitting fraudulent tax returns
  • Committing other crimes with the intention of providing the victim's name to the authorities during arrest, instead of their own

Let's look at the various forms of identity theft.

Different kinds of identity theft

Identity theft is on the rise, and thieves are continually devising new methods and tactics to obtain various types of target data.

Some of the methods by which attackers steal targets' identities to allow them to commit fraud and other criminal activities are as follows:

  • Child identity theft: A minor's identity is stolen. This suits the thief because the theft may go undiscovered for an extended period of time. Identity thieves use a child's SSN, along with a different date of birth, to apply for credit accounts, loans, and utility services, to rent a place to live, and to apply for government benefits, in some cases beginning soon after the child is born.
  • Criminal identity theft: Credit card fraud is one of the most common and damaging types of identity theft. In criminal identity theft, a criminal assumes another person's identity to avoid being charged with a crime; when apprehended or arrested, they give the false identity. The best way to avoid this form of identity theft is to keep all personal information private, which includes practicing safe internet habits and being wary of shoulder surfers.
  • Financial identity theft: When a thief steals a victim's bank account or credit card information and uses it illegally, this is known as financial identity theft. The thief can use the stolen identity to max out a credit card and drain the account, or to open a bank account, take out loans, and apply for new credit cards. Viruses, phishing attacks, and data breaches are used to gain the information needed to break into the victim's accounts and steal their personal information.
  • Driver's license identity theft: This is the simplest sort of identity theft because it requires little sophistication. A person's driver's license can be lost or stolen at any time. When a stolen driver's license falls into the wrong hands, the offender can sell it or use it while committing traffic offenses; the victim, unaware of the tickets, fails to pay the fines, and their license is suspended or revoked.
  • Identity theft insurance: Insurance fraud is a serious problem and is closely linked to medical identity theft. It can make medical costs harder to pay, raise insurance premiums, and even make future medical coverage more difficult to obtain.
  • Medical identity theft: This can be the most hazardous type of identity theft. The perpetrator obtains medical supplies and claims health insurance or healthcare services using the victim's name or information without the victim's consent or knowledge. Medical identity theft commonly leaves erroneous entries in the victim's medical records, and on the basis of those entries doctors may make misleading diagnoses and life-threatening treatment decisions.
  • Taxpayer identity theft: This occurs when a criminal obtains the victim's SSN to file false tax returns and receive false tax refunds. It makes it harder for the victim to obtain their lawful tax refunds, resulting in a financial loss. Phishing emails are one of the most common methods used by criminals to obtain information from their victims. Adopting safe internet practices is one way to protect yourself from identity theft.
  • Cloning and concealment of identity: This category of identity theft includes all types of identity theft in which criminals seek to impersonate someone else to conceal their identity. Illegal immigrants, people fleeing from creditors, or people who simply wish to be anonymous could be the culprits.
  • False identity theft: This is one of the most advanced types of identity theft, in which the criminal gathers information from multiple victims to build a new identity. To begin, they steal an SSN and combine it with a false name, date of birth, address, and other details to create a new identity. The offender then opens new accounts, loans, credit cards, phone contracts, and other goods and services using this new identity.
  • Theft of social identity: This is another common type of identity theft in which the perpetrator steals the victim's SSN to obtain various benefits, such as selling it to an undocumented person, defrauding the government by opening a new bank account, taking out loans, or applying for and receiving a new passport.
  • Theft of personal information from wallets, computers, laptops, cell phones, backup media, and other sources: Physical theft is a widespread occurrence. Attackers steal personal electronics from hotels, clubs, restaurants, parks, beaches, and other public venues. They can extract valuable data from these sources if given enough time.

Identity theft warning signs

People often don't recognize that they've been the victim of identity theft until they start having unanticipated and unauthorized problems. As a result, it is critical that people are aware of the warning signs that their identities have been compromised.

Some of the indications of identity theft are as follows:

  • Charges on your credit card you are unfamiliar with.
  • Credit card, bank, and utility statements are no longer sent.
  • Creditors contact you about an unidentified account in your name.
  • You have a long list of traffic tickets on your record for offenses you did not commit.
  • You are billed for medical care or services that you have never received.
  • There are multiple tax returns filed in your name.
  • You are denied access to your own accounts, or refused loans or other services, because access has been blocked.
  • Due to stolen mail, you are not receiving your energy, gas, water, or other utility bills.
  • Changes in your personal medical records reveal a condition you don't have.
  • Receiving news that your personal information has been hacked or misused because of a data breach at a company where you work or have an account.
  • A cash withdrawal from your bank account that you don't recall.
  • Calls from debit or credit card fraud prevention offices informing you of questionable activity on your account.
  • A denial of government benefits to you and your child because those benefits are already being received by another account that uses your child's SSN.
  • Your medical insurance plan denies a legitimate medical claim because a claim was previously submitted in your name by someone else, or your medical records were tampered with and you have been pushed over your benefit limit.

So, what can we do to protect ourselves and minimize our vulnerability to social engineering? Let's discuss that next.

Countermeasures

To gain access to a targeted company's information resources, social engineers exploit human behavior (such as politeness, enthusiasm for work, laziness, or naivety). Social engineering attacks are difficult to detect because the victim may be unaware that they have been deceived. They are very similar to the other types of attacks used to gain access to a company's sensitive data. To protect itself from social engineering attacks, a corporation must assess the danger posed by the various types of attacks, calculate the potential damage, and raise awareness among its staff.

Countermeasures against social engineering

Attackers use social engineering techniques to persuade people to give up secret information about their businesses. They employ social engineering to commit fraud, identity theft, industrial espionage, and other nefarious activities. Organizations must build effective policies and processes to protect themselves from social engineering attacks, but simply developing them is not enough.

To be effective, a company should do the following:

  • Communicate policies to employees and give appropriate education and training.
  • Give employees in high-risk roles specialized training so they can protect themselves from social engineering attacks.
  • Obtain employee signatures on a declaration stating they are familiar with the company's policies.
  • Define the ramifications of violating the policies.

User awareness, effective internal network controls, and security policies, procedures, and processes are the major goals of social engineering defense methods.

Users can make the best security decisions with the support of official security rules and procedures. The following safeguards should be included.

Policies for passwords

Password rules that include the following guidelines help with password security:

  • Passwords should be changed on a frequent basis.
  • Passwords that are easy to guess should be avoided; answers to social engineering questions such as "Where were you born?", "What is the name of your pet?", or "What is your favorite movie?" can be used to guess passwords.
  • Lock the user's account after more than a set number of failed login attempts.
  • Make passwords long (at least 6-8 characters) and complex (with a mix of alphanumeric and special characters).
  • Don't give out your passwords to anyone.

Password security policies frequently contain recommendations for effective password management, such as the following:

  • Do not share a computer account.
  • Do not use the same password for multiple accounts.
  • Don't save passwords on your computer or write them down on a piece of paper or a sticky note.
  • Passwords should not be shared over the phone, by email, or SMS.
  • Before leaving the computer, be sure it's locked or turned off.
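The password rules above can be enforced in code. The following is an added example and not part of the chapter; it assumes a minimum length of 8 (the chapter says "at least 6-8"), a lockout threshold of 5 failed attempts, and a small constructed list of guessable personal facts (birthplace, pet name, favorite movie) that a social engineer might learn.

```python
"""Added example (not from the chapter): enforcing the password policy above.
Assumptions: MIN_LENGTH = 8, lockout after 5 failures, constructed fact list."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 8           # assumed; the chapter says "at least 6-8 characters"
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold

# Constructed sample of answers to social engineering questions such as
# "Where were you born?" or "What is your pet's name?". A real deployment
# would load an organization-specific denylist rather than hard-code one.
GUESSABLE_ANSWERS = ("boston", "fluffy", "starwars", "password")


def check_password_policy(password, personal_facts=GUESSABLE_ANSWERS):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    # Strip punctuation and case so "Fl-uffy" still matches the pet name "fluffy".
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    for fact in personal_facts:
        if fact in normalized:
            problems.append(f"contains guessable personal fact '{fact}'")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password, salt):
    # Salted PBKDF2 so a stolen digest resists offline guessing (iteration count illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username, password):
    """Reject passwords that violate the policy before storing a digest."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt))


def login(account, password):
    """Verify a password; lock the account after MAX_FAILED_ATTEMPTS failures."""
    if account.locked:
        return False
    if hmac.compare_digest(_hash(password, account.salt), account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False
```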

Policies concerning physical security

The following areas are covered by physical security policies:

  • Provide identification cards (ID cards), uniforms, and other access control measures to the organization's employees.
  • Office security or personnel must escort visitors to designated visitor rooms or lounges.
  • Restrict access to certain areas of an organization to prevent unauthorized users from compromising the security of sensitive data.
  • Dispose of old documents that contain valuable information by using equipment such as paper shredders and burn bins as this prevents information gathering by attackers using techniques such as dumpster diving.
  • Employ security personnel in the organization to protect people and property, and supplement trained security personnel with alarm systems, surveillance cameras, and other equipment.

Planning for defense

To maximize effectiveness against social engineering attacks, we must be intentional and deliberate about having a strong plan in place:

  • Social engineering campaign: To see how employees might react to real social engineering attacks, a business should run multiple social engineering exercises on a varied set of people using various tactics.
  • Gap analysis: A gap analysis assesses the organization based on industry-leading practices, emerging threats, and mitigation methods, using information acquired from the social engineering campaign.
  • Remediation strategies: Organizations establish a detailed remediation plan to minimize the vulnerabilities or loopholes discovered based on the results of the gap analysis evaluation. The plan is mostly educating and raising employee awareness based on their positions, as well as recognizing and managing any hazards to the company.

Discovering insider threats

Insiders are responsible for most data breaches, and these breaches are especially difficult to detect and prevent. Insiders are usually aware of the organization's security flaws and exploit them. Insider threats can be used to steal confidential information, so it is critical to handle them cautiously. They are difficult to stop and can result in significant financial losses and business disruption.

The following are some ways of detecting insider threats.

Controls for insider threats

For security professionals, insider data risk adds another layer of complexity. It necessitates a security infrastructure that allows effective monitoring of user permissions, access controls, and user actions.

Controls for deterrence

The organization's security framework must include safeguards, follow the recommendations of employees and IT professionals, establish a separation of roles, and assign privileges. These security policies eliminate or minimize the security risks to the organization's key assets.

Data Loss Prevention (DLP) is one of the deterrence controls that security professionals must have in place to prevent insider threats. Identity and Access Management (IAM) is another tool that is also available.

The following are some of the deterrent controls.

DLP tools:

IAM tools:

Countermeasures against insider threats

Insider hazards can be prevented or minimized by implementing the following safety measures:

  • Separation of duties and rotation of responsibilities: To limit the amount of control or influence held by any one person, divide tasks among several employees. This helps prevent fraud, abuse, and conflicts of interest, and makes control failures (such as security bypassing and data theft) easier to discover. Rotating responsibilities at random intervals further helps prevent fraud and abuse of rights in an organization.
  • Least privileges: Provide users with only the level of access they need to complete their assigned duties. This contributes to information security.
  • Controlled access: Unauthorized users are prevented from accessing key assets and resources by access controls in various sectors of an organization.
  • Logging and auditing: Perform logging and audits on a regular basis to ensure that corporate resources are not being misused.
  • Employee monitoring: Use employee monitoring software that records all user sessions and allows security professionals to evaluate them.
  • Legal policies: Enforce legal policies to prevent employees from abusing the company's resources or stealing critical information.
  • Archive vital data: Keep a record of the organization's vital data in the form of archives that can be used as backup resources if necessary.
  • Employee cybersecurity training: Educate employees on how to safeguard their credentials and the company's confidential information. They'll be able to spot social engineering attempts and respond appropriately with mitigations and reporting.
  • Employee background checks: Conduct complete background checks on all potential employees before employing them, using Google and social networking sites, as well as consulting prior employers.
  • Periodic risk assessment: Conduct a risk assessment on key assets on a regular basis to identify weaknesses and implement protective solutions against both internal and external threats.
  • Monitoring privileged users: Privileged users should be monitored more closely, as these accounts can be exploited to install malware or a logic bomb on the system or network.
  • Deactivation of credentials for terminated personnel: Disable all access profiles for terminated employees. Immediately after termination, revoke their access to networks, systems, applications, and data.
  • Periodic risk assessments: Complete risk assessments on all the organization's essential assets, then establish and maintain a risk management strategy to protect those assets from insiders and outsiders.
  • Numerous layers of protection: Use multiple layers of defense to prevent and defend important assets from insider attacks. To thwart such assaults, develop suitable remote access policies and procedures.
  • Physical security: Create a competent security team to oversee the organization's physical security.
  • Surveillance: Install video cameras to keep an eye on all your important assets. On all key servers, install and enable screen-capture software.

Countermeasures against identity theft

The following are several safeguards that, if implemented, will lessen the likelihood of identity theft:

  • All documents holding confidential information should be secured or shredded.
  • Make sure your name isn't on marketers' mailing lists.
  • Review credit card statements on a regular basis.
  • Never give your personal details over the phone.
  • Collect your mail promptly so that it cannot be stolen from your mailbox.
  • Suspect and double-check all requests for personal information.
  • Personal information should not be made public.
  • Unless necessary, do not display account or contact numbers.
  • Regularly monitor your internet financial activities.
  • Never give away personal identifiers, such as your father's name, your pet's name, your place of residence, or your birth city, on social media platforms.
  • On all online accounts, enable two-factor authentication.
  • Never share or access critical information over public Wi-Fi.
  • Install host security software on your computer, such as a firewall and antivirus.

The following are some additional anti-identity theft safeguards:

  • Shred credit card offers and "convenience checks" that aren't needed.
  • Use strong passwords for any bank accounts and don't save any financial information on the system.
  • Keep your social security card, passport, license, and other valuable personal information concealed and protected.
  • Check your landline and cell phone bills for calls you did not make.
  • Read the privacy policies on websites.
  • Before you click on a link in an email or instant chat, use caution.

Countermeasures against phishing

Here are some additional ways and tools to protect yourself from attacks.

Anti-phishing toolbars

Netcraft: https://toolbar.netcraft.com

The Netcraft anti-phishing community is a massive neighborhood watch program that empowers the most vigilant and knowledgeable members to protect everyone in the community against phishing assaults. The Netcraft toolbar helps keep users up to date and aware of security issues on the sites they visit on a regular basis and filters harmful sites. The toolbar has a lot of useful information about famous websites. This information will assist you in making an informed decision about the website's integrity.

PhishTank: https://phishtank.com

PhishTank is an online collaborative storehouse for phishing data and information. Developers and researchers can use an open API to integrate anti-phishing data into their programs.

Tools for social engineering

Social Engineering Toolkit (SET): https://www.trustedsec.com

SET is an open source, Python-based application for social engineering penetration testing. It is a general-purpose framework for carrying out advanced attacks against humans in order to breach a target and induce them to disclose sensitive information. SET classifies its attacks as email, web, or USB attacks according to the attack vector used to deceive the target. The toolkit exploits human vulnerability by taking advantage of people's trusting, fearful, greedy, and helpful natures.

Using OhPhish to audit an organization's security for phishing attacks

The goal of initiating phishing campaigns against client employees is to examine employees' sensitivity to phishing attacks and to assist the client company in reducing the risks that result when employees fall prey to phishing attacks.

OhPhish: https://ciso.eccouncil.org/phishing-solutions/

OhPhish is a web-based tool for determining whether employees are vulnerable to social engineering attacks. It is a phishing simulation tool that gives businesses a platform to run phishing simulation campaigns against their staff. The platform records the responses and provides management with the results.

OhPhish may be used to test an organization's resistance to phishing attacks using a variety of phishing techniques, such as click enticement, credential harvesting, attachment delivery, training, vishing, and smishing.

You have been given some great tools and insight into identifying and countering social engineering attacks. Having a plan and educating your employees is critical to raising awareness of all the different ways a social engineer can attack.

Summary

This chapter covered the fundamentals of social engineering as well as the many stages of a social engineering attack. It also covered a variety of people-based, computer-based, and mobile-based social engineering strategies. Insider threats, including the different kinds of insider threats, were explored here. We presented an outline of social networking site impersonation and also went over the many sorts of identity theft. The chapter concluded with a detailed explanation of numerous warning indicators to look for and actions to take to protect yourself from social engineering attacks, insider threats, and identity theft.

In the next chapter, we will be discussing the process of sniffing.

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. The purpose of social engineering is __________.
    1. To create distrust with people
    2. To take advantage of human behavior
    3. Piggybacking
    4. Instant messaging
  2. Phishing takes place using which of the following?
    1. Websites
    2. Email
    3. Piggybacking
    4. Instant messaging
  3. How can you best avoid a social engineering attack?
    1. By hiring additional helpdesk/support staff
    2. To avoid scanning, install or upgrade a firewall
    3. Employee training
    4. An IDS logs review
  4. Factors that can predispose a business to social engineering attacks are all of the following except for which one?
    1. Inadequate security policies
    2. Multiple locations
    3. Frequent, ongoing security education
    4. Unrestricted information access

Further reading

If you want to dive further down the rabbit hole with social engineering, I suggest you visit the Security Through Education website at https://www.social-engineer.org/, which is a great online resource for frameworks, podcasts, and other resources.
