Social Engineering and Phishing: Visible Crime Through the Invisible Way
One of my close peers was quite disturbed last week. I asked her to share whatever was pestering her. She told me that someone had used her credit card credentials to buy precious goods from an online store. She was worried about her financial losses and had just lodged an application with the cybercrime department.
Seeing her gloom, I immediately shared some social media phishing statistics with her. Unfortunately, she knew little about what social engineering and phishing are! I therefore had to explain phishing attacks and phishing detection tools and techniques to her.
When I insisted, she disclosed that she had shared her credentials in response to an email that motivated her to claim a huge lottery prize. The scammer was constantly in communication with her and prepared her to leak out her own secrets. Before I could continue with the valuable information-sharing, she asked me some relevant questions:
- What is social media phishing?
- How can phishing attacks be detected?
- How are social network site frauds perpetrated?
- What should you do if you fall victim to a phishing attack?
What are social engineering and phishing?
Social media phishing is one of the various forms of social engineering, a broader term for a whole class of cybercrime techniques. In information technology, social engineering covers the various tricks used to extract valuable personal information from users for fraudulent purposes. It is the art of influencing human psychology to obtain information that can be used for criminal activities.
Apart from social media phishing, social engineering encompasses baiting, pretexting, quid pro quo, spear phishing, and tailgating. Phishing is simply the theft of your confidential data – name, identity numbers, credit card information, and passcodes – in an electronic environment.
What percentage of phishing attacks take advantage of social networks?
According to the Microsoft Security Intelligence Report, 84.5% of all phishing attacks target social network site users.
According to the Verizon Data Breach Investigations Report (DBIR) 2017, 93% of social attacks were phishing related, and the Symantec Internet Security Threat Report 2018 claimed that 71.4% of targeted attacks involved the use of spear-phishing emails.
How are social media phishing attacks crafted?
Attackers use a few common types of phishing, some of which are outlined below for your guidance. Knowing the basics of phishing could spare you a lot of worry.
Phishing Kits and Phishing
A phishing kit is the backstage setup from which attackers launch targeted phishing attacks. As a packaged web component, a phishing kit contains everything needed to replicate the sites of top brands and companies. These kits are capable of imitating even the websites run and maintained by IT giants such as Google and Apple.
Phishing is one of the most common types of social engineering attack. In phishing, the user is convinced to install a particular program and is often led to trust that the program comes from a trusted source and is genuine, while in reality it is not. Sometimes users are tricked into sharing personal, business, or financial information via email, chat applications, or by signing up to various websites.
For example, there are many websites that ask you to share your Facebook or Google profile. Some phishing attackers contact users under the pretext of asking for charity, while the real aim is to obtain your financial information, such as your bank account type and IBAN. Banking is perhaps the sector most vulnerable to phishing attackers.
Phishing becomes vishing when it is executed over telephone calls. The hackers, attackers and offenders call the targeted persons, employees, and organizations directly and start a fishy story built on social engineering psychology.
In baiting, the attacker tries to transmit malware to your personal computer through infected media such as a USB stick or CD. Once a person installs a program or transfers data from such an infected device, the attacker can gain access to that person's system and use the device for his own purposes.
Pretexting is the social engineering attack in which the attacker presents false circumstances and pressures the client into sharing sensitive data. Instances have been reported where the attacker acts as a trusted financial institution that asks for your account information to verify your identity on its website.
Quid Pro Quo
Users find it really tempting to exchange their information for a special discount on a desired item or for a free gift. Such offers are presented to manipulate users into sharing their data. Quid pro quo is a Latin term meaning an exchange of goods and services; it embodies the concept of ‘give and take’.
Spear phishing is very specific in nature, as it focuses on particular users or organizations. Such phishing attacks aim at building virtual contact: a free favor is extended at first, and later users are induced to share their personal, sensitive information. Historically, these attacks have had higher success rates.
Governments usually do not have much control over social media, so illiberal regimes also adopt these tactics, because the public readily believes them. This has led to the weaponization of social media through spear phishing and cyberattacks on democracy.
Unlike other types of social engineering attack, tailgating is physical in nature. In tailgating, an unauthorized individual or attacker follows an authorized person with the aim of getting a chance to access relevant information. Such a person might ask to borrow your laptop or phone for a minute as a favor, saying he just has to send a text or email to a close acquaintance.
Three components of social engineering
Social engineering is the art of which three things? The question is quite valid and deserves fair consideration. It is the art of manipulating, influencing, and deceiving. Attackers' technical skill gives them the means to pursue their bad intentions. For you, learning the technical elements of social engineering is vital.
Google search can become the entry point for phishing attacks. Specially crafted Google searches are termed Google Dorks. This is also called open source intelligence gathering (OSIG or OSINT). It is therefore recommended that employees take extra care when selecting Google images for official use.
In the same vein, phishers use hi-tech tools to accumulate data for future misuse. It is very easy for attackers to identify the platforms on which employees socialize. Limiting access to highly confidential data can help cope with phishing attacks.
Supply Chain Attacks
Phishing attackers use two channels to access the data of target companies.
- Direct access to a company’s website and an internal communication mechanism
- Indirect access through the supply chain: vendors and suppliers
Contemporary POS systems thus appear more vulnerable to attackers who try to position themselves somewhere in the supply chain and pose as a party signing a contract to render outsourcing services. The whole story starts there, and the target company incurs financial losses in the short run.
Email Oriented Attacks
The use of email for phishing has been very common throughout the digital age. The attackers write a researched, convincing story to either win your sympathy or motivate you to take action. Through email, phishing experts deliver malware and infected links to your inbox.
As soon as you click on the link or open the attachment, the phishing process starts. Many of us have heard about the ‘chiefs of Nigerian countries’, the scammers who motivate their target to transfer money to them for a partnership or some other plausible-sounding purpose. Anyhow, people now know all about these attacks and how to avoid such tactics. If you have turned auto-downloading off, email phishing could not harm you.
How to detect phishing attacks?
It is imperative to detect phishing attacks before you are affected by the attackers' treacherous network. Keeping an eye on the following could help you detect heinous phishing attacks.
- Phishing attackers like to purchase domains that are misspelled versions of, and resemble, some popular legitimate domain. For example, social engineers may launch gimletrnedia.com alongside gimletmedia.com to get victims engaged emotionally and psychologically. Similarly, you may receive a phishing email from totalpet.com for some fake hiring, claiming that Total Petroleum is interested in hiring you. If you are a relevant person in that industry, you are more likely to be scammed within a few days.
- Badly written emails, full of incorrect orthography, are always phishing attacks, because genuine emails from an authenticated company would never be full of grammatical mistakes.
- Genuine organizations always send emails from their official domain names. Be wary of the hacker's intentions if you receive an ‘official’ email from a public domain such as gmail.com or hotmail.com.
- Voice calls from unknown sources are often vishing attacks. It is better not to answer such calls, to avoid the plausible threat of social phishing attacks.
- Instead of approaching an individual, attackers craft a systematic email and send it to thousands of recipients simultaneously. The number of phishing victims increases this way. If you suspect that the same email has been sent to multiple recipients, you can be sure someone is trying to harm you.
- In the contemporary age of social media, fake accounts carrying photographs of celebrities incite people to engage with what they say and win a handsome cash prize. They then play on your nerves to extract the data they need for your financial or reputational exploitation. Never take part in such pages, whatever their stated destination. It is therefore essential to know how to detect phishing attacks.
- Phishing attackers use infected links and attachments and motivate their prey either to download the malware-infected attachment or to click on the enclosed link. Such links usually take you nowhere except to some mock website. A click on a viral link is sometimes enough to give access to your personal data and location, which further sets the stage to rob you of your confidential data.
- Unnecessary and irrelevant Google searches may take you into the ruthless world of social phishing. Stop yourself from searching for unnecessary things in the cyber kingdom.
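Several of the signs in the list above (a lookalike domain such as gimletrnedia.com, an ‘official’ sender on a public mail domain, one message blasted to many recipients, and a risky attachment) can be checked mechanically before anyone reads the message. The following is an added example written for this article, not code from the original page: a small heuristic checker over raw email text using only Python's standard library. The protected brand list, the free-mail list, the organisation keywords, the mass-mail threshold and the sample messages are all constructed for illustration.

```python
"""Heuristic phishing indicators over raw email text (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed lists: brands we protect against lookalikes, public mail domains,
# words a fake "official" sender tends to use, and extensions worth a warning.
PROTECTED_DOMAINS = {"gimletmedia.com", "example-bank.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
ORG_WORDS = ("bank", "support", "lottery", "security", "team", "official")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".zip")
MASS_MAIL_THRESHOLD = 20  # constructed: visible recipients that count as bulk mail

# Character runs that look alike in common fonts; "rn" vs "m" is the
# gimletrnedia.com / gimletmedia.com trick from the article.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Collapse confusable character runs so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in PROTECTED_DOMAINS:
        return None
    for real in PROTECTED_DOMAINS:
        if normalize(domain) == real or edit_distance(domain, real) <= 1:
            return real
    return None


def analyze_email(raw):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    real = lookalike_of(domain)
    if real:
        findings.append(f"lookalike_domain:{domain}->{real}")
    # An "official" display name on a public mail domain is the sign from the list.
    if domain in FREE_MAIL_DOMAINS and any(w in display.lower() for w in ORG_WORDS):
        findings.append(f"freemail_sender_claims_org:{display}")

    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    to_header = (msg.get("To") or "").lower()
    if "undisclosed-recipients" in to_header or len(recipients) >= MASS_MAIL_THRESHOLD:
        findings.append("mass_mailing")

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky_attachment:{name}")
    return findings


# Constructed sample messages for demonstration.
SAMPLE_PHISH = """\
From: "Gimlet Media Lottery Team" <prizes@gimletrnedia.com>
To: undisclosed-recipients:;
Subject: You have won!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Claim your prize by opening the attached form.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="claim-form.exe"

MZ...
--b1--
"""

SAMPLE_FREEMAIL = """\
From: "Example Bank Security Team" <examplebank.alerts@gmail.com>
To: victim@example.org
Subject: Verify your account

Please reply with your account number and PIN.
"""

SAMPLE_LEGIT = """\
From: "Newsletter" <news@gimletmedia.com>
To: reader@example.org
Subject: This week's episodes

Links to this week's shows are on our site.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("freemail", SAMPLE_FREEMAIL), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(sample))
```

The normalisation step is what makes gimletrnedia.com collapse onto gimletmedia.com; the edit-distance check catches the separate case of a single dropped or swapped character. Both are heuristics and will produce false positives on legitimate domains that happen to contain such runs, so a real mail gateway would treat these as scores feeding a quarantine decision rather than a verdict.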
Popular social engineering attacks
Let me include some known social media phishing examples to highlight the gravity of phishing attacks! A few years ago, a phishing attacker used a counterfeit profile of Mark Zuckerberg, the famous director of Facebook. The fake profile was used to send emails to many people congratulating them on winning the official lottery. The attacker then asked for personal and bank details in order to disburse the lottery amount. Several people consequently became victims.
Many scammers pretend to belong to war-hit countries – Syria and Iraq – and request that the target disclose his complete bank account information so that a huge inheritance can be deposited. They simply give the reason that the war has destroyed their commercial life and they want to keep their money in safe hands. Using the tactics of social engineering psychology, they scan for targets and show no mercy.
The New York Times, a reliable newspaper, reported an instance where attackers phished a retired army officer. He was approached about the disbursement of lottery funds amounting to $750,000 and was asked to deposit disbursement charges of more than $1,000. He did so and then got no further response from the attacker.
Prevention and protection from social phishing attacks
The best phishing protection can be achieved by taking a few small things into account. In addition, you can use phishing detection tools and techniques to avoid unwanted attacks.
- Ignore any request that asks for your personal details
- Read terms and conditions before sharing data with any website
- Turn the spam filter on and keep watch
- Give to charity only through established and well-known organizations
- Install updated anti-virus software, anti-phishing software and activate email filters
- Even if you get an email or link from someone you trust, keep in mind that their account might be hacked, so confirm with them via another channel before sharing any sensitive information
- Never click on website links unnecessarily, and learn how to investigate phishing emails. Big companies usually arrange training for their employees on how to prevent phishing attacks. Regular phishing awareness emails to employees could be instrumental
- Understand URL structures to protect yourself from phishing attacks
- You may read some articles for an in-depth understanding of phishing prevention best practices
- Hyperlink detection could be effective in this regard
- Email phishing filters – such as PILFER – could be considered to avoid attacks
- Multinationals and huge companies usually rely on Phishing Awareness Campaigns for better results.
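Two items in the list above, understanding URL structures and hyperlink detection, come down to reading a link the way a browser does rather than the way the email presents it. The following is an added example written for this article, not code from the original page or from any tool it names. It pulls every hyperlink out of an HTML email body and reports the structural tricks worth warning about: a brand name hidden before an `@` (the browser ignores everything before it), the brand placed as a subdomain of someone else's domain, a bare IP address, a punycode host, plain http, and link text that names a different domain than the href. The brand list and the sample HTML are constructed, and the ‘registrable domain is the last two labels’ rule is a deliberate simplification (production tooling uses the Public Suffix List).

```python
"""Hyperlink checks based on URL structure (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {"gimletmedia.com"}  # constructed brand list
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host):
    """Simplified registrable domain: last two labels (no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text=""):
    """Return the list of structural warning codes for one hyperlink."""
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        warnings.append("unusual_scheme")
    elif parts.scheme == "http":
        warnings.append("no_tls")
    # https://gimletmedia.com@other.example/ : the real host is after the '@'.
    if parts.username is not None:
        warnings.append("userinfo_trick")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode_host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip_host")
    except ValueError:
        pass

    reg = registrable_domain(host)
    for brand in PROTECTED_DOMAINS:
        # gimletmedia.com.login.example: brand present, but not the registrable domain.
        if brand in host and reg != brand:
            warnings.append("brand_as_subdomain")
    shown = DOMAIN_RE.search(text or "")
    if shown and registrable_domain(shown.group(0)) != reg:
        warnings.append("text_href_mismatch")
    return warnings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html):
    """Map each href in an HTML body to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample email body for demonstration.
SAMPLE_HTML = """
<p>Your account needs verification:
<a href="http://gimletmedia.com.login.example/verify">https://gimletmedia.com/account</a></p>
<p>Or <a href="https://gimletmedia.com@login-verify.example/login">log in here</a>.</p>
<p>Questions? <a href="https://www.gimletmedia.com/">Gimlet Media</a></p>
<p><a href="http://203.0.113.5/claim">Claim your prize</a></p>
"""

if __name__ == "__main__":
    for href, found in scan_html(SAMPLE_HTML).items():
        print(href, found or "ok")
```

The `text_href_mismatch` check is the one most users can also perform by hand (hover over the link and compare), while the `userinfo_trick` and `brand_as_subdomain` checks catch links that look correct even when read carefully, which is why an automated filter is worth running in front of the human.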