Hackers are good psychologists who can touch the strings of the soul for the sake of self-interest
Image source –pixabay.com
Most successful cyber-attacks are not brilliant math, one-minute software hacks, or other fantastic movie tricks. You may be surprised, but most attacks succeed because of human inattention and disregard for information security rules.
For example, in Australia, the number of losses from fraud in 2021 reached $248,880,003!
Pharmaceutical and medical companies, and organizations with access to confidential and biometric data, remain the most coveted targets of hackers. Moreover, 75% of organizations worldwide have faced phishing attacks in the past year (as you remember, phishing is one of the social engineering methods).
I am here to educate you about social engineering techniques and protect you from dangerous cybercriminals. Let's get to grips with this challenging topic as soon as possible so as not to leave hackers a single chance!
According to Verizon's 2021 Data Breach Investigations Report, phishing was the primary hacking method over the past year. The report found that 43% of hacks are somehow related to phishing or pretexting.
As I mentioned earlier, 75% of organizations worldwide have been victims of phishing attacks in the past year; another 35% of companies suffered from spear phishing, and 65% faced attacks such as BEC (Business Email Compromise).
A BEC attack is the hacking and forging of emails to impersonate a company executive with the aim of gaining access to internal employee data.
However, I draw your attention to the fact that there is a big difference between an attempted phishing attack and a successful one.
For example, in 2021, 74% of organizations in the United States suffered from successful phishing attacks. It is 30% higher than the world average and 14% higher than last year.
According to Verizon, 96% of phishing attacks are carried out via email. Another 3% come through malicious websites, and only 1% by telephone. Through emails, cybercriminals fraudulently obtain confidential data, which they then sell on the dark market.
For example, as of Q4 2020, the most popular phishing email subject lines were:
IBM investigated the cost of data breaches and found that the cost of a breach to the business depends on its cause.
According to an IBM 2021 report, phishing is considered the second leading cause of data breaches and costs companies an average of $4.65 million.
Ranked #1 is the BEC attack, costing businesses an average of $5.1 million per breach.
IBM also found that companies using AI-based security solutions have significantly reduced the costs associated with data breaches. Thus, AI-based security solutions allowed costs to decrease from $6.71 million to $2.90 million.
In addition to emails, cybercriminals also actively use instant messengers to distribute malicious files.
For example, WhatsApp Messenger detected about 900 phishing links per day during Q3 2021.
From 12 to 16 July 2021 there was a surge in cybercriminal activity: the system blocked about 4,000 malicious links a day! It is suspicious that this activity coincided with an increase in the number of detections of Trojan.AndroidOS.Whatreg.b, which registers new WhatsApp accounts from infected devices. Is it a coincidence?
Image source – kasperskycontenthub.com
Today, Internet scams are one of the most significant problems in the world. Companies are working hard to improve their corporate security, but nobody can guarantee the 100% safety of your data.
However, I still strongly recommend that you understand the phenomenon of social engineering to be aware and take care of the privacy of your data as much as possible.
It doesn't matter which organization is attacked. The main prey is information. There is nothing on Earth more valuable than information; no cars or penthouses are as expensive as information.
Hackers who use social engineering methods want to get information quietly, without unnecessary witnesses and attention. After a successful cyber-attack, the criminals make several dozen copies of the stolen data so as not to lose their loot.
Further, as a rule, hackers resell this data and use it for their dark purposes: for example, blackmailing the data owner for financial gain.
Often, such cyber-attacks are commissioned by a competing organization that wants to eliminate a strong adversary at any cost; but sometimes hackers work alone. As you can see, the targets of cyber-attacks are very different, so it isn't easy to talk about any trend.
Hackers hone their skills daily, which is why there are many social engineering techniques. Most hackers use manipulative methods to influence the self-esteem and psycho-emotional state of the victim, thereby leaving them defenceless.
Lying, moral pressure, and gaslighting are the standard toolkit of a hacker with social engineering skills. Before moving on to the analysis of the types of cyberattacks, let's see what techniques fraudsters use to gain moral superiority over the victim:
Still, in the meantime, I can highlight several manipulative techniques used by cyber fraudsters. Hackers can instil a sense of guilt in their interlocutor, wound their pride, or provoke strong emotions: irritation, fear, joy, anger, etc.
The offender provokes a change in the victim's psycho-emotional state, thereby making them vulnerable. It is much easier for a person in an altered state to succumb to manipulation and to miss what they would notice in a calm state.
The manipulator wins because the victim is afraid to ask again (asking would mean admitting that they do not understand what is being discussed).
Otherwise, the manipulator's significance would evaporate, and he would not be able to gain the victim's trust and obtain the desired information.
As you know, it is difficult to argue with a crowd alone, so the victim most often loses and becomes depressed.
Of course, this is only a tiny part of the manipulations that hackers use. Social engineering is woven from cunning, knowledge of psychology, and logic. Against attackers armed with these skills, the victim is almost powerless.
I highly recommend re-reading the techniques I described above several times to track such manipulations if you feel that your interlocutor is playing a foul game.
Well, now I propose to move on to the most interesting part: the types of cyberattacks.
Of course, hackers regularly hone their skills and invent new ways to invade your privacy. However, I can still identify several types of attacks that are especially popular among cybercriminals.
The most popular social engineering method is email phishing. Since almost everyone uses social media nowadays, having an email account has become a necessity, and that makes email fertile ground for cyber fraud. However, only experienced hackers can pull off this social engineering method well.
The point is that if the attacker is going to send a "false letter" on behalf of a person the victim knows, the sender's writing style must be copied accurately.
Any little thing − and an experienced user will immediately notice something amiss. For example, I sometimes receive strange messages on behalf of my friends with a request to transfer several hundred dollars to their account urgently.
As soon as I see such messages, I immediately understand that my friends' accounts have been hacked. However, elderly relatives may believe such a request and transfer money to the fraudster's bank account.
However, if the victim does not know the identity of the "sender", things become much easier for the attacker. In addition, the attacker has to take care of the letter's header. This can be done using, for example, a standard mail client.
By the way, many scammers use a telnet client when writing and sending letters. Connecting to the mail server's standard port 25 allows the fraudsters' dark plans to be carried out.
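The flip side of a forged header is that the forgery usually leaves inconsistencies a defender can check. The following is an added example, not code from the article: it parses raw message headers with Python's standard library and reports the indicators a mail filter or analyst would look at, namely a display name that imitates an executive while the address is external, an envelope sender (Return-Path) or Reply-To on a different domain from the From address, and urgency wording in the subject. The sample message, the trusted-domain list, and the executive-name list are constructed for the example.

```python
"""Flag spoofing indicators in an email's headers (added example, constructed data)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed allowlist of domains the organisation actually sends from.
TRUSTED_DOMAINS = {"example-corp.com"}
# Constructed list of names attackers would most likely impersonate.
EXECUTIVE_NAMES = {"jane doe"}

# Constructed sample: display name claims to be the CEO, but the address,
# the envelope sender and the reply address all point elsewhere.
SAMPLE_MESSAGE = b"""Return-Path: <bounce@mailer-relay.example.net>
From: "Jane Doe (CEO)" <jane.doe@example-c0rp.com>
Reply-To: <finance-urgent@freemail.example.org>
To: <employee@example-corp.com>
Subject: Urgent: please send me the login details for the portal

Hi, I am in a meeting and need the credentials right now.
"""

URGENCY_CUES = ("urgent", "immediately", "right now", "asap")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address header ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw: bytes) -> list[str]:
    """Parse the raw message and return human-readable warning strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []

    from_hdr = str(msg.get("From", ""))
    display_name, from_addr = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    return_domain = domain_of(str(msg.get("Return-Path", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))

    # 1. Display name imitates an executive, but the address is not ours.
    name = display_name.lower()
    if any(exec_name in name for exec_name in EXECUTIVE_NAMES) \
            and from_domain not in TRUSTED_DOMAINS:
        indicators.append(
            f"display name {display_name!r} with external address {from_addr}")

    # 2. Envelope sender (Return-Path) does not match the From domain.
    if return_domain and return_domain != from_domain:
        indicators.append(
            f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # 3. Replies are silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        indicators.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Subject carries the urgency pressure typical of social engineering.
    subject = str(msg.get("Subject", "")).lower()
    if any(cue in subject for cue in URGENCY_CUES):
        indicators.append(f"urgency cue in subject: {subject!r}")

    return indicators


if __name__ == "__main__":
    for warning in spoofing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

None of these checks proves forgery on its own (legitimate newsletters often have a Return-Path on a bulk-mailer domain), so a practical filter scores them together rather than blocking on any single one. The constructed sample above trips all four checks.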
A few days ago, we talked about FTP servers and why it is essential to disable some vulnerable Windows ports, so I urge you to take care of the security of your system right now!
Important: Please disable vulnerable Windows ports if you haven't already!
Many cybercriminals use this social engineering technique to obtain the victims' bank card details. This variant does not work as effectively on the younger generation as on the elderly. Hackers break into the databases of social services and hospitals to obtain the phone numbers of older adults and then call them, posing as bank employees.
Important: Bank employees never ask for passwords and other confidential data!
Sometimes fraudsters infiltrate the corporate network and call company employees on behalf of their superiors with a request to check the security system and name passwords and logins. If you receive such a call, do not disclose the data; call your boss back to make sure it really was him.
This type of attack includes all those in which there is no specific victim and no direct impact on one. Attacks of this type exploit the principles and stereotypes of society, which is why they are classed as social engineering. For example, having cameras in an organization creates a false sense of security.
Many believe it will stop the perpetrator. Be that as it may, many fraudsters have already learned to turn off the surveillance camera system in minutes and find "dead zones" where the object is out of the range of cameras.
Or, for example, the scale of an organization (like Meta) creates the feeling that the company is 100% protected from cyber threats. It is not so − absolutely everything can be hacked!
Stereotypes are everywhere − most believe that no one can hack a security organization's site. This negligence and false sense of security open up additional opportunities for hackers.
Tech social engineering is more commonly known as situation analysis. The fraudster realizes that he will not be able to get through the usual (standard) way, so he begins to look at other options, i.e., he analyzes the situation he has found himself in.
Important: The more you neglect information security and hope for fate, the higher the likelihood of your data being stolen.
Image source – us.norton.com
The first thing that comes to mind when I mention this attack is DDoS. Indeed, this social engineering method is so named for a reason.
The essence of the attack is to force a person (imperceptibly to them) not to react to certain situations. In other words, to instil in the victim your unshakable authority so that the person does not doubt your words for a minute.
This attack also includes the distraction method. For example, you create a false impression that you are doing one thing while you are actually doing something completely different. Thus, the victim, too busy with the one, does not notice the other.
This type of attack is quite challenging to carry out. It is necessary to gauge well the psychology of the victim, their knowledge, and their reactions to such incidents.
Let's simulate a situation: a hacker emulates an attack on a port. It is a distraction: while the administrator is busy with the "attack" logs, the fraudster can quickly enter the server and steal any information.
However, this method only works in situations where the system administrator is incompetent or poorly familiar with the organization's corporate model. Suppose the administrator knows that the attacked port does not and cannot have vulnerabilities. In that case, he will quickly suspect that something is wrong.
To successfully carry out such a cyber-attack, a hacker needs to understand what level of knowledge the administrator has.
Well, the icing on the cake is phishing. It is by far the most popular and frequently used method of online fraud. Many hackers use phishing because of its simple implementation and effectiveness.
At risk are:
For example, instead of cooltechzone.com, an attacker could write cooltech_zone.com. At first glance, it may seem strange that the recipient would not notice such a difference between the original and the phishing link.
However, you do not remember by heart the exact addresses of all the portals from which you receive messages, do you? It is this human inattention that fraudsters take advantage of.
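Since people do not reliably spot the difference between cooltechzone.com and cooltech_zone.com, the comparison is better done by software. The following is an added example, not code from the article or from cooltechzone.com: it normalises a candidate domain (strips separators such as "_" and "-", maps common look-alike digits and letter pairs back to the letters they imitate) and then compares it against a trusted list by substring match and edit distance, so that typosquats, homoglyph swaps and "trusted-name.evil.example" style hosts are all flagged. The trusted-domain list and the sample inputs are constructed.

```python
"""Flag lookalike domains against a trusted list (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed allowlist of the domains we legitimately receive mail from.
TRUSTED_DOMAINS = ["cooltechzone.com", "example-bank.com"]

# Digits that attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Maximum edit distance (after normalisation) still treated as an imitation.
LOOKALIKE_THRESHOLD = 2


def normalize(domain: str) -> str:
    """Reduce a domain to the letters a reader would perceive."""
    d = domain.lower().strip().rstrip(".")
    for pair, single in (("rn", "m"), ("vv", "w")):   # letter pairs that read as one letter
        d = d.replace(pair, single)
    d = d.translate(HOMOGLYPHS)
    return "".join(ch for ch in d if ch not in "-_.")  # separators are invisible to the eye


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return ('trusted', d), ('lookalike', imitated_trusted) or ('unknown', None)."""
    d = domain.lower().strip().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return "trusted", d
    nd = normalize(d)
    best = None
    for trusted in TRUSTED_DOMAINS:
        nt = normalize(trusted)
        # Equal after normalisation, or the trusted name embedded in a longer host.
        if nt in nd:
            return "lookalike", trusted
        dist = edit_distance(nd, nt)
        if best is None or dist < best[0]:
            best = (dist, trusted)
    if best is not None and best[0] <= LOOKALIKE_THRESHOLD:
        return "lookalike", best[1]
    return "unknown", None


def classify_url(url: str):
    """Classify the host part of a link, which is what the browser would connect to."""
    return classify(urlparse(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: the article's own pair plus a few other imitations.
    for sample in ("cooltechzone.com", "cooltech_zone.com", "co0ltechzone.com",
                   "exarnple-bank.com", "cooltechzone.com.login.example.net",
                   "github.com"):
        print(f"{sample:40} -> {classify(sample)}")
```

The threshold is a trade-off: too high and unrelated short domains collide with trusted ones, too low and a two-character typosquat slips through. Tune it per list length, and treat the "lookalike" verdict as a reason to warn the user, not as proof of fraud.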
Image source – us.norton.com
To stay safe, never repeat these mistakes:
I urge you never to lose your vigilance and control your emotions. If your interests do not suffer much, feel free to let go of the situation.
Today we moved away from the usual software hacking methods and analyzed a more humanitarian branch − social engineering.
Now you know that hacking is not only programming skill but also the analysis of human feelings to achieve your goals.
Humans are the main vulnerability. It is our imperfection that causes many "holes" in systems. However, despite our careless mistakes, that same imperfection makes us unique − alive and emotional, unlike cold computers and routers.
My dear cyber fans, please write whether this article was helpful for you. Your opinion is very important to me.
Observe information hygiene! See you!