The Basics of Social Engineering

Social Engineering

For the past weeks we have been discussing the key differences between spam and phishing, as well as the key traits of both. Now it's time we talked about what's behind spam and phishing, more precisely social engineering. Social engineering is the practical exploitation of human psychology and common cognitive biases.

What is Social Engineering?

Social engineering, in information security, is a way of breaking into systems or bypassing security controls by exploiting weaknesses in human psychology rather than weaknesses in software.

Cyber criminals therefore don't need a software vulnerability; a human one will do, and people are the weakest spot of every security system. Many security chiefs have complained that most breaches come down to human error, since an employee persuaded by a criminal to click, pay or hand over a password gets classified as a human fault rather than a technical one.

The fact is that social engineering can trick even the best in this industry, and without any training whatsoever employees are easy prey for criminals.

Short history of Social Engineering

Social engineering has its roots in the famous "confidence trick", also known as the "con game", short for "confidence game". The confidence trick is an attempt to defraud a person or a group by first gaining their trust and then exploiting basic psychological traits such as dishonesty, greed, naivety, compassion or vanity. Confidence tricks split into the short con, done in a few minutes or an hour at most, and the long con, which takes days or weeks to unfold.

There are a few notable cons in information security worth mentioning. For example, Chris Nickerson breached a company during a penetration test just by wearing a $4 Cisco t-shirt. Once inside, he dropped a few USB sticks loaded with malware and even convinced other team members to join him.

How is social engineering used over email in spam or phishing?

As we pointed out in our last two articles on spam and phishing traits, the social engineering used in phishing scams relies on triggering two basic human emotions: fear and joy.

It's safe to say that a criminal with social engineering skills will always try to trick you into giving away your password rather than brute-forcing it, unless your password is very weak.

The basics of email security come down to knowing who and what to trust, and when to believe someone or something.

In email, cyber-criminals may take over one account and use it to send phishing to that account's known contacts, whose trust in the familiar sender makes them easier to hack in turn. These phishing emails most of the time carry links to certain web pages or malicious attachments, accompanied by a compelling story.

As we have also noted, these stories are either good news or bad news, and always tempting. Bottom line? Don't do it! It's a trap!

The good

Emails that bring good news are most commonly lottery or tax return scams. Never answer this type of email, and never download the attachments or click the links. You haven't won a lottery you never entered, there is no Nigerian prince who wants to give you cash, and you'd better check your tax returns with your local tax office; face to face, not over email.

The bad

Bad news emails most often say one of the following: you got a fine, you need to verify your bank details because of suspicious activity, an acquaintance needs cash immediately, or you are asked to donate to a mysterious charity helping victims of a natural disaster. First, the FBI won't send you fines over email. Second, never follow a link in an email to check banking details; type your bank's address yourself and make sure you are on the right page (check the domain name and the TLS certificate, still commonly called an SSL certificate). Last but not least, if a friend needs cash, call them and make sure it's really them. As for charity donations, it's better to go in person and support the cause you want.

The temptation

If it's social engineering, it's either good or bad, but always tempting. That is by design: the goal of social engineering is to trigger a basic emotion or exploit a cognitive bias so that you act before you think.

Short recap:

  • Don't hurry! Take a breath and read the email again.
  • Do a bit of research: look up the sender, the company and the story.
  • A small dose of suspicion towards emails from unknown sources helps a lot.
  • Be wary of requests. Read the steps above again and don't submit your personal or financial information or your credentials.
  • Don't give in to helping people you don't know.
  • Don't click on links.
  • Don't download attachments.
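The checklist above is written for a person, but several of its items can be checked mechanically before anyone clicks: does the Reply-To domain differ from the From domain, does the subject push urgency, does the visible text of a link disagree with where the link actually goes, does a link point at a bare IP address, is the attachment an executable hiding behind a double extension? The Python script below is an added example, not code from the original article, and runs those checks with the standard library only. The two messages it inspects (a "bad news" bank alert and a routine statement notice) are constructed here for the example using reserved example domains and a documentation IP address; the word and extension lists are illustrative, not a product's rule set.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative pressure words for the "good news" (prize) and "bad news"
# (fine, bank alert) stories; a real gateway would use a larger, tuned list.
PRESSURE_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                  "verify your", "winner", "prize", "lottery", "refund")
# Illustrative list of attachment types that should never arrive by mail.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta",
                    ".jar", ".docm", ".xlsm", ".lnk", ".iso")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Normalised hostname: lower-case, scheme added if missing, 'www.' dropped."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", text) is not None


def triage(msg):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        findings.append("pressure language in subject: " + ", ".join(hits))
    for part in msg.walk():                       # every HTML body, anywhere in the tree
        if part.get_content_type() != "text/html":
            continue
        extractor = LinkExtractor()
        extractor.feed(part.get_content())
        for href, text in extractor.links:
            target = host_of(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
                findings.append(f"link target is a bare IP address: {target}")
            if looks_like_url(text) and not same_site(host_of(text), target):
                findings.append(f"link text shows {host_of(text)} but points to {target}")
    for part in msg.iter_attachments():           # non-body parts only
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            note = " (double extension)" if name.count(".") > 1 else ""
            findings.append(f"executable attachment {name}{note}")
    return findings


def build_sample_phish():
    """Constructed 'bad news' bank alert (example data, not a real message)."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <alerts@example-bank-secure.com>"
    msg["Reply-To"] = "verify@mail.example.net"
    msg["Subject"] = "URGENT: verify your account within 24 hours"
    msg.set_content("Suspicious activity was detected. Open the attached statement.")
    msg.add_alternative('<p>Suspicious activity was detected. Please '
                        '<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>'
                        ' to verify immediately.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg


def build_benign_notice():
    """Constructed routine notice that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <statements@example-bank.com>"
    msg["Subject"] = "Your March statement is available"
    msg.set_content("Your statement is ready at https://www.example-bank.com/statements")
    msg.add_alternative('<p>Your statement is ready. <a href="https://www.example-bank.com/'
                        'statements">www.example-bank.com/statements</a></p>', subtype="html")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="statement-march.pdf")
    return msg


if __name__ == "__main__":
    for build in (build_sample_phish, build_benign_notice):
        print(build.__name__, "->", triage(build()) or "no findings")
```

The phishing sample trips all five checks; the benign notice trips none, because `host_of` treats `www.example-bank.com` and `example-bank.com` as the same site. Flagging a mismatched link text is the check most worth keeping: it is exactly the "make sure you are on the right page" advice above, applied before the click instead of after it.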

Overall, try to build the above steps into your email habits, and make sure you have deployed a professional email security solution.
