1. Social Engineering
Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information, such as financial- and personal details.
While some attackers will simply ask their target directly for money, others will be more subtle about what they want. They can trick the target into parting with personal- or business details that they can use to:
get access to your finances
teal your identity
buy goods or services
access your business networks or systems.
Types of Social Engineering
Phishing: Phishing is the leading form of social engineering attacks that are typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real system and organisation. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data. A phishing message might look like it comes from a bank, the government or a major corporation. The call to actions varies. Some ask the end-user to “verify” their login information of an account and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the end-user is the “winner” of a grand prize or lottery and request access to a bank account in which to deliver the winnings. Some ask for charitable donations (and wiring instructions) after a natural disaster or tragedy.
One of the more widely publicised examples of this recently was where scammers and attackers were using the tragic events of March 2019 in Christchurch as an opportunity to perform targeted online cyber attacks against New Zealanders:
Phishing emails containing links to fake online banking logins. These emails also contain fraudulent bank accounts where victims can make donations for the Christchurch tragedy
Sharing malicious video files on compromised websites or on social media. A video file containing footage related to the attack had malware embedded in it and this malicious file was being shared online.
Attackers changing New Zealand websites to spread political messages about the Christchurch tragedy.
Quid Pro Quo: Quid pro quo involves a hacker requesting the exchange of critical data or login credentials in exchange for a service. For example, an end-user might receive a phone call from the hacker who, posed as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker, posed as a researcher, asks for access to the company’s network as part of an experiment in exchange for $100. If an offer sounds too good to be true, it probably is quid pro quo.
Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end-user by impersonating a co-worker or a figure of authority well known to an end-user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT Support or a chat message from an investigator who claims to be performing a corporate audit.
2. Identity Theft
When someone’s able to find enough personal information about you online, they can use it to pretend to be you. Even basic information like your name, date of birth, and address can be enough for someone to impersonate you.
In most cases, identity theft is committed for financial gain. But, it can also be to get legal documents, like a driver licence or even a passport. Common reasons for identity theft include:
opening bank accounts
getting a credit card
getting loans or benefits
taking over your social media accounts, like your Facebook or Instagram account
ordering goods and services
getting a mobile phone contract
getting a government-issued document, like a passport or driver licence.
If someone steals your identity, you may not realise it’s happened until:
you see that someone else has logged into, and is using your social media accounts
you get bills or invoices for things you didn’t order
you see charges on your bank statements or credit card for things you didn’t buy
you get turned down for a loan because your credit rating shows that you haven’t been paying your bills
a debt collector contacts you.
3. Insider Threat
An insider threat can be someone who:
knows how the business infrastructure works. For example, they may know how your networks are set up, and how to access your computer system
understands the strengths and weaknesses of your infrastructure
has physical access to things like your servers
knows which of your employees have access to the kind of information they want
knows which employees are easy targets — in other words, they know which employees will give them any information they ask for without question.
It’s important to educate staff on the risk of insider threat. Attackers will often use employees to gain information and get access to your business. Your employees may not think anything of an attacker’s requests. They may provide information to an attacker thinking that it’s the right thing to do or mention sensitive details in passing that could be overheard outside the office, for example in a cafe or bar. This is known as unwitting disclosure.
Current employees who pose a threat can also gather information through overheard conversations, or by shoulder surfing — watching over another employee’s shoulder to see login details or passwords, for example. They can use ex-employees’ details to access things that they shouldn’t, like the HR or payment system.
Some of the reasons behind an insider threat attack are:
to commit fraud
to sabotage or cause harm to a business, and
4. Credential Dumps
The information comes from data breaches of businesses and organisations. This usually means that the information becomes publicly available. It also means that others can use it for personal gain, or to cause harm to a business or individual.
In January 2019 more than 770 million email addresses and passwords from more than 2000 compromised databases were uploaded and available for download from New Zealand's own Mega cloud storage site in what has been termed the breach of breaches.
When these details are published online, it’s not always obvious where the information has come from. The companies involved may not be aware that the information is online.
Malicious applications or Malware can be delivered in many forms, both digital, such as:
a music or movie download on a peer-to-peer site
attachment to an email;
or physical, such as a corporate branded flash drive labelled “Executive Salary Summary Q3 2021” that is left out on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly into the end users’ system and the hacker is able to get to work.
The applications are designed to either collect and store information so that the attacker can retrieve it later or send the information to a third party device, such as a hosted server where the attacker can then access it later.