Date First Published: 16th May 2023
Topic: Cybersecurity
Subtopic: Threats To Systems, Data & Information
Article Type: Computer Terms & Definitions
Difficulty: Medium (Level 5/10)
Learn more about what social engineering is in this article.
Social engineering is the use of deception tactics to get a user to give away their sensitive information, like usernames, passwords, and bank details, which may be used for fraudulent purposes. Social engineering techniques don't only aim to capture sensitive information. They can also get users to install malware, give the attacker something for nothing, or give remote access to their computer. Attackers use social engineering attacks to hide their real identities and often pretend to be someone they are not.
Social engineering targets people with a lack of knowledge about scams and information security. Users might not know the risks of sharing their personal information with unfamiliar websites, installing software from websites they don't know, or giving lots of unnecessary permissions to a website or a software program. Unlike hacking, social engineering relies on user interaction, trickery, and deception rather than technical knowledge of exploiting weaknesses in systems. Therefore, recognising fake online messages and being wary of any unknown messages that ask you to share personal data can help prevent you from becoming a victim of social engineering.
Below are 8 examples of social engineering attacks:
The most well-known example of a social engineering attack is phishing. Phishing is the practice of impersonating trusted companies to steal sensitive information from users. Phishing usually comes in the form of email, where the phisher makes the message look like it has come from a legitimate company and wants the user to click on a link to a phishing site to trick them into giving their personal information away, such as card numbers, usernames, and passwords.
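One defensive check that follows from this description: a phishing email often shows the legitimate company's address as the link text while the underlying href points at the phishing site. The example below is added here (it is not code from the article) and runs over a constructed sample email body; the hostnames in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article): the first link's
# visible text claims one host while its href actually points elsewhere.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify your details at
<a href="http://examplebank-secure.example.net/login">https://www.examplebank.com/login</a>
within 24 hours.</p>
<p>Help centre: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible_text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    # Lowercase host named in a URL or a bare "domain/path" string, or None.
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None

def mismatched_links(html):
    """Return links whose visible text names a host that differs from the real target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown is None or "." not in shown:
            continue  # plain words such as "click here" make no host claim
        actual = host_of(href)
        if actual != shown:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings
```

A mail gateway or user-awareness tool can flag such mismatches before the recipient sees the message; the second link, whose text and target agree, is not reported.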
Pretexting is very similar to phishing; the main difference is that pretexting is built around a made-up scenario (the pretext), whereas phishing doesn't always make up a scenario. Pretexting is a social engineering attack in which the attacker invents a scenario in order to scare or pressure the victim into giving away private or sensitive information.
An example of pretexting would be an attacker sending a text message to someone about a non-existent missed parcel delivery. It may say that they have to click a link and pay a fee to get their parcel redelivered. The link actually takes them to a fake website only designed to get hold of their details.
Diversion theft is when a social engineer tricks a delivery company into delivering an item to the wrong drop-off or pickup location so that it goes to the wrong person. Whilst this is more of an offline social engineering attack, it can also happen online, where the electronic transaction itself is hijacked: the attacker uses deception to have items or information sent to the wrong recipient, often by spoofing email addresses.
Quid pro quo translates to 'something for something'. In this social engineering attack, the social engineer promises a benefit, like a free gift card, but requires the user to give them sensitive information, like bank details and login credentials. The benefit is usually a good or service. In reality it is a scam: the social engineer never provides what was promised and instead uses the user's details for identity theft or fraud, or installs difficult-to-remove malware on the user's computer.
Scareware is a type of malware designed to scare users into downloading and installing unwanted and often malicious software that is of little to no use to them. Scareware often tricks users into visiting malicious websites that claim that the user's computer is infected with a virus or malware without actually scanning the computer. It uses social engineering tactics to scare users into downloading fake programs or paying a fee to fix the claimed problem.
Rogue security software is a type of malware that tricks users into thinking they have viruses or malware on their computers when they actually don't and misleads them with fake detections and alerts. Rogue security software uses intentional false positives and exaggerated warnings to convince users that their computers are infected with a virus and asks them to pay for a fake virus removal tool that is actually malware itself.
Pharming is the practice of redirecting a user to a fake website that mimics the appearance of a legitimate one to collect personal information, like usernames, passwords, and bank details. It may involve hijacking the browser settings, changing the hosts file on the user's computer, exploiting vulnerabilities in DNS server software, or a malware program installed on the user's computer that runs in the background.
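Because a tampered hosts file is one of the pharming mechanisms named above, a simple endpoint check is to parse the file and report any entry that pins a domain you never expect to see there. This example is added here (not the article's code); the hosts content and the watchlist of domains are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file (not from the article). The last three
# entries model the kind of tampering pharming malware performs.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# Constructed tampered entries below
198.51.100.23   www.examplebank.com
198.51.100.23   login.examplebank.com
127.0.0.1       update.example-av.com
"""

# Assumed watchlist: domains that should never be pinned locally.
WATCHLIST = {"examplebank.com", "example-av.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()

def registrable(hostname):
    """Crude registrable-domain guess: the last two labels (enough for the sample)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_suspicious_entries(text, watchlist=WATCHLIST):
    """Report watched domains pinned in the hosts file.

    A remote address redirects the browser to a look-alike site; a loopback
    address silently blocks the real one (e.g. a security vendor's updates).
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if registrable(name) in watchlist:
            reason = "blocked via loopback" if addr.is_loopback else "redirected to remote host"
            findings.append((ip, name, reason))
    return findings
```

Running this against the real hosts file (for example /etc/hosts on Linux) from an endpoint agent turns a quiet hosts-file change into an alert.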
A watering hole attack works by an attacker identifying websites that are commonly visited by members of an organisation and infecting those websites with malware in order to infect the members' computers. Even though watering hole attacks are rare, they are difficult to detect and pose a great security risk, since members of the organisation are already familiar with the websites and were not expecting them to be infected with malware.