Prevention from Phishing and Social Engineering on Social Media

Social Engineering and Phishing: Visible Crime Through the Invisible Way

One of my close peers was quite disturbed last week. I asked her to share whatever was troubling her. She told me that someone had used her credit card credentials to buy expensive goods from an online store. She was worried about her financial losses and had just lodged a complaint with the cybercrime department. Seeing her gloom, I immediately shared some social media phishing statistics with her. Unfortunately, she knew very little about what social engineering and phishing are, so I had to explain phishing attacks and the tools and techniques for detecting them. When pressed, she admitted that she had shared her credentials in reply to an email urging her to claim a huge lottery prize. The scammer stayed in constant communication with her and groomed her into leaking her own secrets. Before I could continue with the information I wanted to share, she asked me some relevant questions:

What is social engineering and phishing?

Social media phishing is one of the many forms of social engineering, which is the broader term used to classify this family of cybercrime techniques. Social engineering, in the context of information technology, covers the various tricks used to extract sensitive personal information from users for fraudulent purposes. It is the art of exploiting human psychology to obtain information that can be used for criminal activity. Apart from social media phishing, social engineering encompasses baiting, pretexting, quid pro quo, spear phishing, and tailgating. Phishing is simply the theft of your confidential data (name, identity numbers, credit card information, and passcodes) in an electronic environment.

What percentage of phishing attacks take advantage of social networks?

According to the Microsoft Security Intelligence Report, 84.5% of all phishing attacks target social network site users. According to the Verizon Data Breach Investigations Report (DBIR) 2017, 93% of social attacks were phishing related. And the Symantec Internet Security Threat Report 2018 claimed that 71.4% of targeted attacks involved the use of spear-phishing emails.

How are social media phishing attacks crafted?

Attackers rely on a handful of common phishing techniques, some of which are described below for your guidance. Knowing the basics of how phishing works could spare you a great deal of trouble.

Phishing Kits and Phishing

A phishing kit is the backstage from which attackers launch targeted phishing attacks. Being a web component, a phishing kit bundles everything needed to replicate top brands and companies. These kits are capable of imitating even the websites controlled and maintained by IT giants such as Google and Apple. Phishing is one of the most common types of social engineering attack. In phishing, the user is convinced to install a particular program, often under the belief that the program comes from a trusted source and is genuine, while in reality it is not. Sometimes users are tricked into sharing personal, business, or financial information via email, chat applications, or by signing up to various websites. For example, many websites ask you to share your Facebook or Google profile. Some phishing attackers contact users in the name of charity, while their real aim is to obtain your financial information, such as your bank account type and IBAN. Banking is perhaps the sector most exposed to phishing attackers.

Vishing

Phishing becomes vishing when it is carried out over telephone calls. The attackers call the targeted individuals, employees, or organizations directly and open with a fishy story built on social engineering psychology.

Baiting

In baiting, the attacker tries to deliver malware to your personal computer through infected media such as a USB stick or CD. Once a person installs a program or copies data from such an infected device, the attacker can gain access to that person's system and use it for their own purposes.

Pretexting

This kind of social engineering attack occurs when the attacker presents false circumstances and pressures the target into sharing sensitive data. Instances have been reported where the attacker poses as a trusted financial institution that asks for your account information to verify your identity on its website.

Quid Pro Quo

Users find it tempting to exchange their information for a special discount on a desired item or for a free gift. Such offers are presented precisely to manipulate users into sharing their data. Quid pro quo is a Latin term meaning an exchange of goods or services, and it captures the idea of 'give and take'.

Spear Phishing

Spear phishing is highly targeted in nature, as it focuses on specific users or organizations. Such attacks aim at building a virtual relationship: a free favor is extended first, and later the user is drawn into sharing personal, sensitive information. Historically, these attackers have had higher success rates. Governments usually have little control over social media, so illiberal regimes also adopt these tactics, since the public readily believes them. This has led to the weaponization of social media spear phishing and to cyberattacks on democracy.

Tailgating

Unlike other types of social engineering attack, tailgating is physical in nature. In tailgating, an unauthorized individual follows an authorized person in the hope of gaining access to relevant information. Such a person might ask to borrow your laptop or phone for a minute as a favor, claiming that he just has to send a text or email to a close acquaintance.

Three components of social engineering

Social engineering is the art of which three things? The question is a fair one and deserves proper consideration. It is the art of manipulating, influencing, and deceiving. The technical skill of the attackers gives them the means to carry out their bad intentions, so learning the technical basics of these elements of social engineering is vital for you.

Google Dorks

Google search can be the entry point for phishing attacks. Specially crafted Google searches are termed Google dorks, and their use is a form of open source intelligence gathering (OSINT). Employees are therefore advised to take extra care when selecting Google images for official use. In the same vein, phishers use sophisticated tools to accumulate data for later misuse, and it is very easy for attackers to identify the social platforms employees use. Limiting access to highly confidential data helps to contain the impact of phishing attacks.

Supply Chain Attacks

Phishing attackers use two channels to access the data of target companies.
  1. Direct access through a company's website and its internal communication mechanisms
  2. Indirect access through the supply chain: vendors and suppliers
  Contemporary POS systems thus appear especially vulnerable to attackers who position themselves somewhere in the supply chain and attempt to sign a contract for outsourced services. The whole story starts there, and the target company incurs financial losses in the short run.

Email Oriented Attacks

The use of email for phishing has been very common throughout the digital age. The attackers write a well-researched and convincing story to either win your sympathy or motivate you to take action. Through email, the phishing experts deliver malware and infected links straight to your inbox. As soon as you click the link or open the attachment, the phishing process begins. Many of us have heard of the scammers posing as Nigerian chiefs who urge their targets to transfer money for a partnership or some other plausible purpose. By now, people know all about these attacks and how to avoid such tactics. If you have turned automatic downloading off, email phishing is far less able to harm you.
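As an added example (not code from the original article), the checks below apply a few of the email indicators mentioned above to a constructed lottery-lure message: a Reply-To that points away from the sender's domain, failed sender authentication, link text that hides a different target host, and classic prize/fee wording. Every address, host and IP in the sample is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message), modelled on the article's lottery lure; all hosts are placeholders.
SAMPLE_EMAIL = """\
From: "Lottery Board" <claims@example-lottery.test>
Reply-To: payout-desk@mail.example-free.test
To: victim@example.com
Subject: Congratulations! You have won the official lottery
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-lottery.test; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://203.0.113.7/claim.php">https://www.example-lottery.test/claim</a>
to disburse your prize. A small processing fee is required.</p>
"""

LURE_WORDS = re.compile(r"\b(lottery|won|prize|processing fee|disburse)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in one raw RFC 5322 message (empty list = none fired)."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender, reply_to = domain_of(msg["From"] or ""), domain_of(msg["Reply-To"] or "")
    if reply_to and reply_to != sender:            # replies routed away from the apparent sender
        found.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:  # receiving MX could not authenticate the sender
        found.append("sender authentication (SPF/DKIM) failed")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in LINK.findall(text):
        real = urlparse(href).hostname or ""
        shown = shown.strip()
        if shown.startswith("http") and (urlparse(shown).hostname or "") != real:
            found.append(f"link text {shown} hides target host {real}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            found.append(f"link target is a bare IP address {real}")
    lure = LURE_WORDS.search((msg["Subject"] or "") + " " + text)
    if lure:                                       # classic prize/fee language
        found.append(f"lure keyword '{lure.group(0)}' present")
    return found
```

Each indicator is a heuristic, so treat several firing together as the signal rather than any one alone.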

How to detect phishing attacks?

It is imperative to detect phishing attacks before you are caught in the attackers' treacherous net. Keeping an eye on the following could help you spot these attacks.

Popular social engineering attacks

Let me include some known social media phishing examples to highlight the gravity of these attacks. A few years ago, a phishing attacker used a counterfeit profile of Mark Zuckerberg, the famous director of Facebook. The fake profile was used to email many people, congratulating them on having won the official lottery. The attacker then asked for their personal and bank details in order to pay out the prize. Several people fell victim as a result. Many scammers pretend to come from war-torn countries such as Syria and Iraq and ask the target to disclose complete bank account information so that a large inheritance can be deposited. They simply claim that the war has destroyed their commercial life and they want to keep their money in safe hands. Using social engineering psychology, they size up their targets and show them no mercy. The New York Times, a reliable newspaper, reported an instance where attackers phished a retired army officer. He was approached about the payout of lottery funds amounting to $750,000 and asked to deposit disbursement charges of more than $1,000. He did so and never heard from the attacker again.

Prevention and protection from social phishing attacks

The best phishing protection comes from paying attention to a few small things. In addition, you can use phishing detection tools and techniques to ward off unwanted attacks.