Let me start with a definition of social engineering in layman's terms. Social engineering is, at its core, one person using the information they have to manipulate a target into giving up confidential or personal information. Social engineering itself is neither good nor bad, but attackers use this skill to manipulate people into handing over information they can then use to compromise their target. It is a very dangerous "weapon" when it falls into the wrong hands.
Types of social engineering
Social engineering can happen in many ways, and each has its own scenario in which it shines. Let's look at them one by one.
Phishing
As mentioned in my previous article, phishing can look very real. I have personally created a phishing email to test the cybersecurity awareness of my company and found that phishing email tools can produce a message that looks as real as, well, a genuine email. That is why this is one of the traps people most easily fall into.
Pretexting
Social engineering happens in both the digital and the physical world, and pretexting is one technique that works in either. Pretexting is when an attacker presents themselves as someone who matches the target's expectations, in order to obtain the information they want. The main thing the attacker needs to achieve is trust, so that the target feels comfortable enough to share.
Whaling
The term "whaling" means the attack aims at the "big shots" of an organization or company. It is a form of phishing, but with more personalization and more careful preparation to lure the target into taking the hook. Usually it is framed as a business-related matter that will get the boss's attention.
Watering hole
This method is commonly encountered when visiting unsafe websites. In a watering hole attack, the attacker injects code into a web page the target is known to visit, and once the target visits that page, a backdoor trojan is installed on the target's computer. All of this happens without the target's knowledge. Modern web browsers are very sophisticated, however, so what remains for us is to stay aware and not simply click on things when visiting a web page.
There are more social engineering techniques, but these are a few common ones that we can see happening day to day.
So, what can we do?
Get the mindset right
First things first: build cybersecurity awareness, for yourself and for the people around you. Social engineering is a very difficult test that everyone needs to take some time to prepare for. If one does not have the right mentality and mindset, there is a high chance of falling into the trap.
The next thing to do is to slow down. The attacker's aim is to make you act without thinking, so that you hand over all the information they want. Don't let them succeed: take a step back and think before you act.
Keep the common sense in check
One also needs to know how to identify things that sound wrong. Imagine receiving an SMS from an unknown number claiming to be one of your friends who wants to give you some money. Chances are, this person is not your friend. What we need to do in this situation is to end the conversation and call that friend on the number we already have. If it really is your friend, just tell them the line dropped. If not, you have successfully saved yourself from one trap.
Of course, there are more ways to handle social engineering, but all in all, what we need to do is be careful whenever disclosing our information, regardless of who is asking. It is always best to see someone face to face before disclosing sensitive information.