Social Engineering Part 2: Learn all about Phishing
- By Naty Santos
- Malwares
As we saw in the last article, cybercriminals can also use non-digital methods to attack users and organizations.
Today we will discuss the social engineering method called phishing. We will learn how to recognize phishing attacks, how to remove the malicious files they leave behind, and how to prevent them from succeeding.
Definition
Social engineering is a manipulation technique that exploits human error to gain private access to information and systems. In cybercrime, attackers use social engineering to lure unsuspecting users into exposing sensitive data, spreading malware, or giving access to restricted systems.
Types of attacks
There are two types of Social Engineering:
- human-based (no-tech hacking): tactics that require personal interaction to reach the target, without using technological resources.
- technology-based: tactics that use technological resources to reach the target (e-mail, telephone, social networks, websites, instant messaging, etc.).
Technology-based attacks
Phishing
A type of quid pro quo (something for something) tactic, in which an attacker requests personal information from the victim in exchange for something else. The attacker baits the user into sharing confidential information in order to gain access to their accounts.
How does it work?
The user receives a malicious email or SMS in which the sender appears to be a credible institution, such as a government agency or a bank. The content of the email or SMS contains a request for action: click this link, download this file, or provide some information.
Types of Phishing Attacks:
- Blind Phishing: the most common of all, Blind Phishing is carried out by mass emails that contain malicious links.
- Spear Phishing: when the attack is directed at a specific group, for example, government agencies. It aims to access the target's systems and databases in order to obtain confidential or financial information.
- Clone Phishing: this scam clones an original website to attract users. Users access these fake websites and enter registration information which is then transmitted to the attacker.
- Whaling Phishing: C-level executives and similar positions are targeted in this attack. These usually appear as court subpoenas or internal business notices.
- Vishing: when voice mechanisms are used to deliver attacks. An example of this is when a victim receives a text message or phone call stating that their card has been blocked. The attacker will then ask for confidential information in order to release the block on the card. Cybercriminals often use VoIP to hide their identity.
- Pharming: attackers create a URL which can be accessed through a legitimate search engine like Google. When the victim clicks on the URL, they are directed to a fake web page that has been created to collect confidential information.
- Smishing: Phishing attacks carried out via SMS messages that are aimed at producing an emotional response from the user. These messages can include information about supposed debts owed by the victim, unknown inheritances, or lottery winnings.
- Impersonation: in this attack, the cybercriminal impersonates another person with the objective of obtaining the user’s private information. This information will then be used to gain access to other departments and systems.
How to recognize a social engineering scam
Any unsolicited contact through phone, text, or email should be carefully considered, especially if it includes a request to click on a link.
Social Engineering Examples:
- A user receives an unsolicited lucrative offer that can be claimed by clicking on a link. These links are often specifically designed to steal personal information.
- A user receives an anonymous notification of an award for travel, sweepstakes, inheritance, cars, cell phones, etc. with a link for award acceptance.
- Emails requesting an immediate response to avoid missing the “chance of a lifetime” with a link to accept your reward.
- Emails, phone calls, or text messages claiming, “service has been suspended” or “your account has been blocked”. Always contact the institution directly with a verified phone number to verify these claims.
How to avoid social engineering scams
- Pay attention to message attachments. Account statements, proofs of deposit, fines or even job offers are used to persuade the user to click on links that contain viruses.
- Don’t open messages from senders you don’t know.
- Never provide a password or financial data. Legitimate institutions will never ask for your password.
- Always check the sender's email address of any suspicious message before opening it. Phishing communications usually contain misspelled words and a false URL.
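The two checks above (the real address behind a friendly sender name, and a link whose visible text does not match where it actually points) can be automated when triaging reported messages. The following is an added example, not code from this article or from VaultOne; the sample email, the trusted-domain set, the urgency word list and the two-label domain heuristic are all assumptions made for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample message for demonstration only; every address and domain here is made up.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@example-bank-secure.net>
Subject: Your account has been blocked
Content-Type: text/html

<p>Your account has been blocked. Verify your details within 24 hours:</p>
<a href="http://login.example-bank-secure.net/verify">https://www.example-bank.com/login</a>
"""
# Pressure wording of the kind the article lists as typical of these messages (assumed list)
URGENCY_WORDS = ("blocked", "suspended", "immediate", "chance of a lifetime")
# Deliberately simple anchor extractor (href, visible text); enough for plain HTML bodies
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude eTLD+1 (last two labels); assumes no multi-label public suffix such as co.uk."""
    return ".".join(host.lower().split(":")[0].split(".")[-2:])

def phishing_indicators(raw_message, trusted_domains):
    """Return the indicators found in the message; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    # 1. The address behind the friendly display name is not one of the institution's domains
    sender = msg["From"]
    if sender and sender.addresses:
        domain = sender.addresses[0].domain
        if registered_domain(domain) not in trusted_domains:
            found.append(f"sender domain {domain} is not a trusted domain")
    # 2. Subject uses the pressure wording the article warns about
    subject = (msg["Subject"] or "").lower()
    found += [f"urgency wording in subject: '{w}'" for w in URGENCY_WORDS if w in subject]
    # 3. A link whose visible text is a URL on one domain but whose href points to another
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        text = text.strip()
        if not text.startswith(("http://", "https://", "www.")):
            continue  # plain words cannot visually lie about their target domain
        shown = urlparse(text if "://" in text else "http://" + text).netloc
        target = urlparse(href).netloc
        if registered_domain(shown) != registered_domain(target):
            found.append(f"link text shows {shown} but points to {target}")
    return found

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL, {"example-bank.com"}):
        print("indicator:", line)
```

Against the constructed sample the function reports all three indicators; a genuine statement notice from the institution's own domain with a plain-text link yields an empty list.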
How to remove malicious files from a Social Engineering attack
The best way to avoid Social Engineering is to stay vigilant and follow the guidelines above. If you think you have been the victim of a Social Engineering attack, there is software available, like AVG, that can detect and remove malicious files.
VaultOne prevents these data breaches by protecting the user and their access. VaultOne also tracks and records access sessions for forensic analysis, auditing, and identifying breaches.