SOCIAL ENGINEERING

Social engineering is a term used to define the methods of manipulation that trick people into giving up confidential information. This confidential information includes personal identifiers, such as dates of birth, social security numbers, addresses, and phone numbers. Additionally, if the overarching target of the social engineering attack is a larger organization, authorization and login credentials can be stolen to allow hackers access to sensitive company data.

Here are some examples of social engineering attacks:

  • Spoofed email name/address – It is possible for an attacker to find the name of someone you trust and use that for their email account. Once they send you an email, usually asking about sensitive information, you would read the sender name and automatically assume it came from a trusted user. At this point you would divulge any pertinent information, thus making the attack complete.
  • Physical impersonation – As the old adage goes, if you look like you belong, almost no one will question you being there. There have been numerous reports of people sneaking into facilities in plain sight, just by disguising themselves using construction gear or authoritative-looking ID badges. This gives an intruder free rein in the facilities they target.
  • Fake website/program downloads – When people are on the hunt for software they need to perform an urgent task, chances are they will just Google the name of the software and click on the first link that seems legit, usually containing “free download” in the title. Or maybe they are a bit more thorough in their vetting and take a glance at the website's URL, seeing that it checks out. Except, instead of a lowercase L, the website has an uppercase i in the link. This will lead the user to a fake webpage, where they will download a malware-ridden executable, most likely infected with a keylogger. This will then begin to record all the information that gets transmitted using the exploited computer, leaking all sensitive information.
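A defensive check for the look-alike link described in the last bullet, as an added example that is not part of the original article: it folds visually confusable characters in a link's host name and compares the result against hosts the reader already trusts. The trusted hosts and sample URLs are constructed, the confusable map covers only a few pairs (I/l/1, O/0, rn/m), and only exact host names are compared.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts the organisation really downloads from.
TRUSTED_HOSTS = {"example.com", "downloads.example.org"}

# A few characters that look alike in common fonts, folded to one representative.
# Folding happens BEFORE lowercasing, otherwise uppercase "I" would become "i"
# and no longer collide with lowercase "l".
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})


def skeleton(host):
    """Reduce a host name to what a hurried reader is likely to perceive."""
    return host.translate(CONFUSABLE).lower().replace("rn", "m")


def classify(url):
    """Return (verdict, trusted_host) for a link as it was written.

    verdict is "trusted", "lookalike" or "unknown".
    """
    # .netloc keeps the original case; .hostname would lowercase it and hide
    # the uppercase-I trick that is visible in an email or search result.
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]

    # Host names are case-insensitive, so an exact match after lowercasing
    # really is the trusted site.
    if host.lower() in TRUSTED_HOSTS:
        return ("trusted", host.lower())

    # Same appearance, different name: "exampIe.com" resolves as "exampie.com".
    seen = skeleton(host)
    for trusted in TRUSTED_HOSTS:
        if skeleton(trusted) == seen:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ("https://example.com/tool.exe",
                 "https://exampIe.com/tool.exe",       # uppercase i for lowercase L
                 "https://down1oads.example.org/",     # digit one for lowercase L
                 "https://unrelated.test/free-download"):
        print(link, "->", classify(link))
```

A mail gateway or proxy could run a check like this on links before delivery and hold any "lookalike" verdict for review.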

Social engineering is one of the leading attack methods utilized by hackers at this time. According to an article by PurpleSec, in 2018 there were 812.67 million total malware infections, and of those infections, 92% were delivered by email, most of which likely came from spoofed email addresses and display names.

The sheer amount of information being stolen and money being lost to these attackers is a clear reason as to why social engineering is a problem, and why we chose to write a research report on the subject.