CompTIA Security+ SYO-401

Certification Training

Summarize Social Engineering Attacks Tutorial

1 Summarize Social Engineering Attacks

Often, people try to trick you into disclosing confidential information about your organization or your personal life by exploiting human weaknesses rather than technical ones. This lesson makes you aware of such situations, in which an attack arrives as a compelling message that earns your trust or piques your curiosity and, in doing so, exposes you to considerable risk. After completing this lesson, you will be able to:
• Explain a social engineering attack along with examples,
• Define the forms of social engineering attacks, and
• State the principles a social engineering attacker follows.

2 Social Engineering and its Common Examples

In this topic, you will learn about social engineering and a few of its common examples. We use patches to close backdoors and antivirus scanners to detect and quarantine malware, but there is no patch for the human element. What we can do is learn to recognize the manipulation and refuse to act on it. In social engineering, an attacker manipulates people into giving up sensitive information about their organization or institution. A typical example is a phone call or an e-mail from a stranger who impersonates a co-worker and talks confidential company information out of you. The attacker exploits a person's trust or fear to obtain sensitive data such as credentials, authorization details, or financial information about the company. Such attacks are hard to defend against because they target people rather than systems. The first line of defense is adhering to company policies on verifying requests, sharing related examples and incidents, and educating peers so they do not fall for the same tricks; technical controls such as multi-factor authentication and least privilege then limit the damage when someone is fooled. Attackers are generally after sensitive documents, passwords, details of the network infrastructure, security policies, and account details, any of which can expose a computer or the entire network. Now, let's look at a few common scenarios. A very common one is an e-mail warning that a well-known virus has entered the network and directing the employee to locate and delete a particular file because it is infected. The file may in fact hold valuable information about an upcoming project, and the "virus warning" is a hoax intended to get the employee to destroy it. Another is a secretary or receptionist receiving a call from an unknown person who claims to be a client and asks for the CEO's or a director's details.
Though there can be countless examples, we will discuss one more: a person enters an office pretending to be a technician sent to fix a reported problem or leak, when the actual purpose is simply to get into the building under a false identity. Because social engineering attacks target the human mind, no technical shield can block them on its own; training yourself and educating fellow employees and friends remains the main protection. As precautionary measures, consider the following points:
• Learn the common signs that reveal a social engineering attempt.
• Authenticate and verify the person before sharing any company information.
• Do not communicate restricted information over the phone.
• Verify the credentials of a repair person, and confirm that a real service call was placed by an authorized employee before letting them in.
• Never follow instructions in an e-mail without confirming them through at least two independent and trusted channels, for example by calling the apparent sender back on a number you already have rather than one given in the message.

3 Forms of Social Engineering Attacks

In this topic, you will learn about different forms of social engineering attacks. Now that you know what social engineering is, it is time to learn about its different forms. These include shoulder surfing, dumpster diving, impersonation, tailgating, and others. Such attacks generally take advantage of human error and habit. Let's look at them in turn. At one time or another, most of us have had someone deliberately look over our shoulder at the screen while we were typing. This is known as shoulder surfing. It is a common form of social engineering attack in which the watcher is after the sensitive data displayed on your screen or typed on your keyboard, such as your password, a credit card number, or other personal information. The best defense is to survey your surroundings before entering any personal data, to lock the screen whenever you step away, and to ensure that employees who handle sensitive data work in locked rooms or otherwise out of the line of sight of visitors. After reading a printed document, people generally crumple it and drop it in the bin, forgetting that the information on the paper has not been destroyed and, if sensitive, can be misused. Dumpster diving is the act of retrieving sensitive information from the trash of the targeted company or individual. Sensitive documents should therefore be shredded or burned. Secure disposal of documents containing sensitive information is an important part of document management, and the same applies to storage media: unused portable hard drives and flash drives must be securely wiped or physically destroyed before they are discarded. Tailgating is following an authorized person through a controlled door without presenting credentials of one's own, often while carrying something so that the person ahead politely holds the door; the countermeasure is a policy that every person badges in individually, supported where necessary by turnstiles or mantraps. Impersonation is the form of social engineering attack in which the attacker poses as someone closely associated with the victim.
The purpose of this attack is to make the victim believe the attacker is who they claim to be, and then to use that assumed authority to extract confidential and sensitive information. Let's look at two common forms of impersonation. The first is creating fake accounts: the attacker sets up accounts posing as a colleague or as a friend of your peers and retrieves the required information while chatting with you, including personal details such as your name, date of birth, social networking account information, and other contact details. The second is pretexting, in which the attacker invents a false situation as the pretext for the request. A hoax is a message designed to trick the user into performing an action that serves the attacker. Hoaxes aim at weakening IT security and arrive by phone call, e-mail, or text message. The hoax describes a threat in a way that alarms the victim, then offers a "solution" that seems reasonable in the moment but actually compromises security or benefits only the attacker: typically deleting certain files, changing operating system configuration settings, or disabling defensive mechanisms. Hoax e-mails also commonly urge the victim to forward the message to everyone in their contact list; this should be strictly avoided. Phishing is the use of a fraudulent e-mail or message, dressed up to look as if it comes from a trusted source, to lure the recipient into revealing credentials or other sensitive information or into opening a malicious link or attachment. Whaling is phishing aimed at top-level executives: the attackers select targets by title and industry and send messages tailor-made for those individuals, for example a fake legal notice or an urgent payment request that appears to come from a peer.

4 Principles Followed to Increase Power or Strength

In this topic, you will learn what social engineering attackers do to increase their power over the victim. Social engineering attacks work because the attacker plays on a human mind that is not always rational: decisions depend on factors such as emotional state, fear, or momentary happiness, and the attacker plans the attack to exploit them. The success rate per attempt may be low, but attempts are cheap, and a single success is enough to get into an organization's servers and steal its trade secrets. Like every other attack, social engineering rests on certain principles. Let's explore the ones commonly employed. Authority is among the most effective. It is human nature to defer to someone who holds a higher position, and the attacker exploits this by setting up a situation in which the victim feels obliged to comply. The attacker may pose as an internal department head, an external auditor, a utility inspector, a law enforcement officer, a pest control technician, or a debt collector. Some claim authority verbally; others back it up with forged access cards and dress the part. Intimidation, in simple words, is overpowering people's judgment so that they believe they must follow instructions. In social engineering attacks, intimidation is derived from the principle of authority: the attacker is highly confident and prepared to go to any length to exploit the victim. Expert attackers are careful about when they use it, because it does not work on a victim who is confident and well supported. For it to succeed there should be uncertainty in the air: operational procedures have loose ends, there is pressure to complete a task, and no one is clearly in charge.
In such critical situations, when no one has time to think or react, the attacker steps in, proclaims authority, and makes the victims comply. Consensus, or social proof, is the principle by which the attacker cites a previously accepted action or an illegitimate norm ("everyone else has already done this") as the reason the victim should go along. A bartender who asks for a 15% tip because plenty of other customers pay it without complaint is a harmless everyday example. This principle relies on persuasion rather than authority; choosing the right words is the key. How many times have we heard that an offer is valid only for a limited time? This is the principle of scarcity: the attacker influences your decision by telling you that you had better hurry, that the item is selling fast, or that it will not be made anymore. Urgency and scarcity go hand in hand. Scarcity creates a fear of missing out on the opportunity, whereas urgency is a way of forcing a quick response so the target has no time to think or evaluate other options. We all receive messages and friend requests on social media from strangers claiming to be friends with someone we know. We tend to believe them, because our minds are trained to accept the familiar. This is the principle of familiarity or liking: attackers exploit it by getting you to like them, which is generally their first objective. Once that is achieved, they move on to their main objective of extracting information or exploiting you for their own benefit. Trust is the principle in which the attacker plans every move carefully and builds a bond with the victim over time. Since developing such a bond may take months, patience is a virtue here, and it is generally the more experienced attackers who work through trust.
But once trust is gained, the attacker shows their true colors and executes the plan to obtain the required information or to have the victim perform the desired action.
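The whaling description and the principles above also describe cues a defender can look for in a message: an executive's name on an outside address, a Reply-To that steers replies elsewhere, and wording that leans on authority, urgency, scarcity, intimidation, or consensus. The following Python script, added here as an example and not part of the original lesson, scores constructed sample messages on exactly those cues. The organization domain, executive list, phrase lists, weights, and the three messages are all assumptions made for illustration; a real mail gateway would combine such heuristics with SPF/DKIM/DMARC results and user reporting rather than rely on wording alone.

```python
"""Heuristic triage of inbound e-mail for social engineering cues.

Added example; not part of the original lesson. Scores each message on
three signals: an executive's display name used from an unexpected address
(whaling), a Reply-To pointing to a different domain than From, and wording
that leans on the principles of authority, urgency, scarcity, intimidation
and consensus. Organization, names, domains, weights and the sample
messages are all constructed for illustration.
"""
import re
from email.utils import parseaddr

# Hypothetical organization: its mail domain and the executives whose
# names an attacker would borrow for a whaling attempt.
OUR_DOMAIN = "acme-corp.com"
ORG_LABEL = OUR_DOMAIN.split(".")[0]   # "acme-corp", used to spot lookalike domains
EXECUTIVES = {
    "alice ceo": "alice.ceo@acme-corp.com",
    "bob cfo": "bob.cfo@acme-corp.com",
}

# Phrases mapped to the social engineering principle they exploit.
CUES = {
    "authority": [r"\bceo\b", r"\bdirector\b", r"\baudit(or)?\b",
                  r"\bon my authority\b", r"\bper my instruction\b"],
    "urgency": [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
                r"\bwithin the hour\b", r"\basap\b"],
    "scarcity": [r"\blimited time\b", r"\blast chance\b",
                 r"\bonly \d+ left\b", r"\bexpires? today\b"],
    "intimidation": [r"\bdisciplinary\b", r"\blegal action\b",
                     r"\bterminat(ed|ion)\b", r"\bsuspend(ed)?\b"],
    "consensus": [r"\beveryone (else )?has\b",
                  r"\ball other (staff|departments)\b", r"\bas usual\b"],
}
COMPILED = {p: [re.compile(r, re.I) for r in rs] for p, rs in CUES.items()}

# Weights: identity signals count more than wording, because wording alone
# is weak evidence (a real CFO may also write "urgent").
W_EXEC_IMPERSONATION = 5
W_LOOKALIKE_DOMAIN = 3
W_REPLY_TO_MISMATCH = 3
W_PER_PRINCIPLE = 2
SUSPICIOUS_AT = 5


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(msg):
    """Score one message (dict with 'from', 'reply_to', 'subject', 'body').

    Returns {'score': int, 'verdict': 'suspicious' | 'ok', 'reasons': [str]}.
    """
    score, reasons = 0, []
    name, addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of(addr)

    # Whaling / impersonation: a known executive's name on the wrong address.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        score += W_EXEC_IMPERSONATION
        reasons.append(f"display name '{name}' is an executive but address is {addr}")
    elif from_domain != OUR_DOMAIN and ORG_LABEL in from_domain:
        score += W_LOOKALIKE_DOMAIN
        reasons.append(f"lookalike sender domain {from_domain}")

    # Reply-To steering replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and domain_of(reply) != from_domain:
        score += W_REPLY_TO_MISMATCH
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # Persuasion cues, counted once per principle however many phrases match.
    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    for principle, patterns in COMPILED.items():
        hits = [m.group(0) for m in (p.search(text) for p in patterns) if m]
        if hits:
            score += W_PER_PRINCIPLE
            reasons.append(f"{principle}: {', '.join(hits)}")

    return {"score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_AT else "ok",
            "reasons": reasons}


# Constructed sample messages: a whaling attempt, a legitimate note, a hoax.
SAMPLES = [
    {"from": "Alice Ceo <alice.ceo@acme-corp-mail.com>",
     "reply_to": "ceo.alice@gmail.com",
     "subject": "Urgent wire transfer request",
     "body": "I need you to process this payment immediately. I am in a "
             "meeting and cannot take calls. Everyone else has already signed off."},
    {"from": "Bob Cfo <bob.cfo@acme-corp.com>",
     "reply_to": "",
     "subject": "Q3 budget review",
     "body": "Please send the draft when you have it. No rush, next week is fine."},
    {"from": "IT Helpdesk <helpdesk@acme-corp-support.net>",
     "reply_to": "",
     "subject": "Action required: mailbox quota",
     "body": "Your mailbox expires today unless you verify your password "
             "within the hour. This is a limited time window."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(f"{result['verdict']:10} score={result['score']:2}  {sample['subject']}")
        for reason in result["reasons"]:
            print("    -", reason)
```

Run the file directly to see the three verdicts. The weighting is deliberate: a single persuasion cue scores 2 and stays below the threshold, because a genuine executive may also write "urgent", whereas an identity mismatch on its own is enough to flag the message for the callback described earlier, on a number you already have rather than one in the message.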

6 Summary

Let's summarize the topics covered in this lesson.
• In social engineering, an attacker manipulates people into giving up sensitive and vital information about their organization or institution.
• Training yourself and educating fellow employees and friends is the primary defense against social engineering attacks.
• Shoulder surfing, impersonation, tailgating, and dumpster diving are some of the forms of social engineering attack.
• Authority, intimidation, consensus, scarcity, urgency, familiarity, and trust are some of the principles behind social engineering attacks.
With this, we conclude the lesson "Summarize social engineering attacks and the associated effectiveness with each attack." In the next lesson, we will look at "Explain types of wireless attacks."
