Feb 09 2023

What is Social Engineering? How Does it Work?

Category: social engineeringDISC @ 12:09 am

Social Engineering is a technique that is performed by cybercriminals who indulge in exploiting human weaknesses. The act of Social Engineering involves various techniques all of which involve the manipulation of human psychology.

Threat actors rely especially on Social Engineering in order to easily gain sensitive information from victims. Social engineering attack depends on building trust with the victim so that he never suspects in giving out his/her personal information such as phone numbers, passwords, social security number, etc.,

This technique is proved to have been the most successful one when it comes to hacking into an organization’s network. Hackers can disguise themselves as an IT audit person or an external network administrator and easily gain access inside a building without suspicion. Once they are inside an organization, they follow various other social engineering techniques to compromise their network.

One of the greatest weaknesses, an organization can possess is the lack of information security knowledge with its employees. This lack of knowledge in cybersecurity gives a great advantage for hackers to perform attacks causing data breaches in the organization.

Social Engineering

Social Engineering attack Types

There are lots of social engineering attacks that can be used by threat actors. Some of them are,

1. Phishing
2. Vishing
3. Spoofing
4. Tailgating
5. Quid pro quo
6. Baiting

1. Phishing

Phishing is the most simple and effective attack a hacker can use to steal credentials like username, password, social security number, organization secrets, or credit card details. Sometimes phishing is also used to spread malware inside a network. In general,  Phishing involves Social engineering as well as Spoofing

2. Vishing

Vishing is similar to phishing, which involves calling the victim and pretending as a legitimate caller. Once the victim believes without suspicion, it will be easy for the hacker to gain sensitive information such as network structure, employee details, company account details etc., 

3. Spoofing

Spoofing is a type of attack where, “what we see will look like it, but it is not”.In terms of Cyber Security, Spoofing is nothing but disguising as a legitimate source in order to gain sensitive information or to gain access to something. An attacker can trick us into believing that he is from the original source by spoofing. 

4. Tailgating 

Tailgating or piggybacking is a technique followed by threat actors to enter an organization building. During this attack, the threat actors wait for an employee/ a person to enter inside a place where the access for outsiders is restricted and follow them inside the building once they use their access cards or access key to open the door.

5. Quid pro quo 

Quid pro quo in Latin means “a favor for a favor”. In this case, the hacker communicates with an employee of a company and offer them a deal. Either money in exchange for information or anything the employee would wish.

In most cases, money is the main motto. Hackers communicate with a present employee or an ex-employee and ask to give away sensitive information such as administrator privilege, administrator password, network structure, or any other data they require in exchange of the employee’s wish.

Hackers convince the employees to give away the information by making a personal deal with them. This is considered one of the serious threats in an organization because the information is given away intentionally by an employee.

 6. Baiting 

As the word describes, hackers create baits such as USB flash drives, CD-ROM’s, Floppy disk or Card readers.

They create folders inside the devices such as Projects, revised Payrolls of the organization and drop them in sensitive areas(Elevators, Rest Rooms, Cafeterias or Parking lots) where employees would keep it usually.

Once an employee picks up and inserts the USB in their computer, the script inside the device runs and gives full control to the hackers. This method of Social Engineering is called as Baiting.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Baiting, phishing, Quid pro quo, spoofing, tailgating, vishing

Leave a Reply

You must be logged in to post a comment. Login now.