Social Engineering Explained

Questions and Answers

Which of the following strategies is LEAST likely to be effective in preventing social engineering attacks within an organization?

  • Conducting regular security awareness training that includes simulations of social engineering attempts.
  • Restricting employees from using social media platforms on company-owned devices. (correct)
  • Implementing mandatory vacations for employees in sensitive positions to detect potential fraud.
  • Establishing clear policies and procedures regarding access to restricted areas and data.

An employee receives an email claiming to be from the IT department, requesting immediate password verification due to a detected security breach. The email includes a link to a login page that looks identical to the company's internal portal. Upon entering their credentials, the employee's account is compromised. Which type of attack BEST describes this scenario?

  • Pretexting
  • Quid pro quo
  • Baiting
  • Phishing (correct)

A fraudster gains an employee's trust by consistently providing helpful information and appearing genuinely interested in their work. Over time, the employee unknowingly shares sensitive company data, believing they are assisting a colleague. Which social engineering principle is the fraudster PRIMARILY exploiting?

  • Vanity
  • Greed
  • Trust (correct)
  • Urgency

Which scenario BEST exemplifies the social engineering tactic of 'pretexting'?

Claiming to be a system administrator to trick a help desk employee into divulging a user's password. (D)

Which security measure would be MOST effective in mitigating the risk of 'Shoulder Surfing' in a public workspace?

Enforcing a 'clean desk' policy and prohibiting sensitive documents in plain sight. (B)

A company discovers that an attacker has compromised its DNS server, redirecting users to a fake website that steals their login credentials. Which type of attack is this?

Pharming (B)

What is the MOST effective countermeasure against Evil Twin attacks?

Validating the digital certificate of the wireless access point. (D)

An attacker inserts a sleeve into an ATM, preventing cards from being ejected. When a user struggles, the attacker offers assistance, observes the PIN, and retrieves the card after the user gives up. This is an example of:

Lebanese looping. (B)

Which of the following scenarios BEST illustrates 'carding'?

Making a small purchase with a stolen credit card to verify its validity, then selling the card information online. (B)

Which of the following actions would be MOST effective in preventing identity theft resulting from 'dumpster diving'?

Shredding all documents containing personal or confidential information before disposal. (B)

A company employee receives a phone call from someone claiming to be from the company's bank. The caller states that there is suspicious activity on the employee's payroll account and requests verification of their Social Security number and bank account details. This is an example of:

Vishing (C)

What is the PRIMARY goal of 'posing' in the context of information security?

To create a seemingly legitimate business to collect personal information without delivering products or services. (C)

What is the MOST effective way to defend against typosquatting?

Educate users to carefully check URLs before entering sensitive information. (D)

Why is 'spear phishing' generally more successful than traditional phishing attacks?

Spear phishing attacks are highly targeted and personalized, increasing their credibility. (C)

Which of the following is the MOST important factor in determining the success of a social engineering attack?

The attacker's understanding of human psychology and the victim's vulnerabilities. (C)

Why is it crucial for organizations to simulate social engineering attacks as part of their security awareness training?

To educate employees on how to recognize and respond to real-world social engineering attempts. (A)

What is a key difference between phishing and vishing attacks?

Phishing attacks use electronic messages, while vishing attacks use phone calls. (C)

A fraudster sends an email to a company's accounting department posing as a vendor requesting an immediate wire transfer to a new bank account due to an 'urgent audit.' What two social engineering principles are being exploited?

Urgency and Trust (A)

Which of the following is the MOST significant cybersecurity risk associated with social media platforms?

The increased risk of social engineering attacks due to the disclosure of personal information. (D)

A company discovers that an attacker has been surreptitiously installing skimming devices on its point-of-sale (POS) systems. Which control would be MOST effective in preventing future skimming attacks?

Conducting regular physical inspections of POS systems for unauthorized devices. (B)

Flashcards

Social engineering

Techniques to manipulate people into complying with wishes to gain access or data.

Identity theft

Illegally obtaining confidential data for economic gain.

Posing

Creating a fake business to gather personal information without delivering the product.

Phishing

Sending fake electronic messages, pretending to be a legitimate company, requesting private information.

Vishing

Phishing via phone where the victim enters confidential data.

Carding

Activities performed on stolen credit cards, such as checking validity or selling card info.

Pharming

Redirecting website traffic to a fake website.

Evil twin

A wireless network with the same name as a legitimate one.

Typosquatting

Setting up websites with similar names to real ones.

Scavenging/Dumpster diving

Searching for confidential information in discarded items.

Shoulder surfing

Looking over someone's shoulder to steal information.

Lebanese looping

Inserting a sleeve into an ATM that traps the card.

Skimming

Double-swiping a card to record credit card data.

Chipping

Planting a small chip in a credit card reader to record data.

Eavesdropping

Listening to private communications.

Exploiting Compassion

Taking advantage of compassion to get people to reveal information.

Exploiting Greed

Taking advantage of greed to get people to reveal information.

Exploiting Vanity

Taking advantage of vanity to get people to reveal information.

Exploiting Sloth

Taking advantage of sloth to get people to reveal information.

Exploiting Urgency

Taking advantage of urgency to get people to reveal information.

Study Notes

Social Engineering

  • Social engineering uses techniques or psychological tricks to manipulate people into complying with a perpetrator's wishes.
  • It is employed to gain physical or logical access to buildings, computers, servers, or networks.
  • The goal is often to obtain confidential data.
  • Perpetrators often use conversation to trick, lie, or deceive a victim.
  • Having inside information, knowledge, authority, or confidence can help a perpetrator appear legitimate.

Exploiting Human Traits

  • Fraudsters exploit seven human traits to get people to reveal information or take action:
  • Compassion: appealing to the desire to help others who present themselves as needing help.
  • Greed: offering something free or a once-in-a-lifetime deal
  • Sex Appeal: using flirtation to gain cooperation.
  • Sloth: taking advantage of laziness to get people to avoid hard tasks
  • Trust: building trust to increase cooperation.
  • Urgency: creating a sense of immediate need to encourage accommodation
  • Vanity: appealing to the desire to be popular or successful.

Minimizing Social Engineering

  • Policies and training can minimize social engineering:
  • Never allow people to follow you into restricted areas.
  • Never log in for someone else on a computer, especially with administrative access.
  • Never share sensitive information via phone or email.
  • Never share passwords or user IDs.
  • Be cautious of unknown individuals seeking access.

Identity Theft

  • Identity theft involves assuming someone else's identity, typically for economic gain
  • This is achieved through illegally obtaining and using confidential information
  • Examples of confidential information include Social Security numbers, bank accounts, or credit card numbers
  • Over 12 million individuals were victims of identity theft in a recent year, with over $21 billion stolen
  • A new identity fraud occurs once every three seconds.
  • One in four consumers who get a data breach notice from a company become an identity theft victim.
  • Identity thieves may empty bank accounts, apply for credit cards, run up large debts, and take out mortgages/loans
  • They conceal their activities by controlling where bills are sent.

Facebook Fraud

  • Social networks like Facebook are a growing area for fraud because:
  • People are more likely to share personal information with "friends."
  • Users often do not protect their information adequately.
  • Many people use the same password across multiple sites.
  • Facebook fraudsters use phishing tactics disguised as games or widgets

Gathering Personal Information

  • These tactics involve challenges where users are asked to disclose personal details, like birthplace or mother's maiden name
  • The information gathered is often used to verify identity by financial institutions.
  • Another fraud approach involves sending messages with links to fake videos
  • The link directs victims to update their video player, installing malware which captures data and login details.
  • The "we are stuck" email used to perpetrate identity theft migrated to instant messaging on Facebook.

Pretexting

  • Pretexting is inventing a scenario to make a victim more likely to reveal information.
  • The scenario creates an illusion of legitimacy, making impersonation easier.
  • Pretexters might pretend to conduct security surveys before asking for confidential information
  • They call users pretending to be help desk personnel or claiming to test the system.
  • Pretexters might use voice-changing or spoofing devices to disguise their identity.

Posing

  • Posing involves creating a seemingly legitimate business to collect personal information without delivering the product or service.
  • This includes creating fake Internet job listings.

Phishing

  • Phishing is sending an electronic message while pretending to be a legitimate company.
  • Typically the message poses as a financial institution to trick people into revealing information or "verifying" data.
  • A negative consequence is often threatened if the recipient does not comply.
  • The information is used to commit identity theft or steal funds.
  • Victims are asked to respond or to visit a fake website that looks like the real one.

Spear Phishing

  • Phishers are becoming more sophisticated, using targeted versions of phishing called spear phishing
  • Spear phishing targets known customers of a specific company to increase the likelihood of opening the email.
  • Spear phishing messages often mimic authentic emails and avoid earlier mistakes like typos

Additional Phishing Tactics

  • Phishers use ads that link to malicious sites, fake work files, job postings, fake LinkedIn requests, auctions, or IRS requests.
  • Some phishing emails secretly install spyware to record user activity on financial websites
  • The IRS has a website and email ([email protected]) to report IRS-related phishing emails

Real-World examples

  • International hackers stole $1 billion from over 100 banks in 30 countries by using phishing.
  • This gave them access to bank systems and allowed the covert gathering of information using malware.
  • They stole funds by transferring money to fake accounts and using ATM withdrawals and online transfers.
  • They limited the amounts stolen in order to avoid detection.

Vishing

  • Vishing (voice phishing) involves the victim entering confidential data by phone.
  • Perpetrators might use caller ID spoofing to trick the victim into thinking they are calling their bank.
  • Avoid being phished/vished by being skeptical of messages suggesting illegal activity and ignoring requests for confidential information.
  • Do not call numbers provided in unsolicited messages.

Carding

  • Carding refers to activities performed on stolen credit cards, such as online validation tests and buying/selling card numbers.

Pharming

  • Pharming involves redirecting website traffic to a spoofed website by poisoning DNS servers.
  • Each website has a unique IP address; pharmers change the address that a domain name resolves to.
  • Compromised DNS servers are referred to as poisoned.

Pharming Techniques

  • It is difficult to detect because the user's browser displays the correct website address.
  • One pharming attack targeted 65 financial firms and used two e-mail lures with links to malicious websites:
  • One containing fake news about the Australian Prime Minister
  • The other containing news about a cricket match in Australia.

Evil Twin

  • An evil twin is a wireless network with the same name (SSID) as a legitimate access point.
  • Because the evil twin's signal is stronger, the user connects to it, and the hacker monitors the traffic to obtain confidential information.
  • It can be used to spread malware and attack computers.

Typosquatting/URL Hijacking

  • Typosquatting involves setting up websites with similar names in order to direct users to an invalid site when they make typographical errors, for example typing "goggle.com" instead of "google.com".
  • It tricks users into thinking they are at the real site.
  • It may distribute malware, such as viruses, spyware, and adware.

Preventing Typosquatting

  • To stop typosquatting, companies send a cease-and-desist letter to the offender, purchase the website address, or file a lawsuit.
  • To prevent typosquatting, a company (1) tries to obtain all the web names similar to theirs to redirect people to the correct site, or (2) uses software to scan the Internet and find domains that appear to be typosquatting.

Scavenging/Dumpster Diving

  • Scavenging/dumpster diving involves searching through documents and records to gain access to confidential information.

Shoulder Surfing

  • Shoulder surfing involves perpetrators looking over victims' shoulders in a public place for ATM PINs or user IDs.
  • Fraudsters also use sophisticated skimming devices placed right over a card-reader slot to capture data stored on a card's magnetic strip.

Other Fraud Techniques

  • Other fraudsters surf from a distance using binoculars or cameras.
  • Shoulder surfing can be foiled by blocking the surfer's view of the input device.

Lebanese Looping

  • In Lebanese looping, the perpetrator inserts a sleeve into an ATM that prevents the ATM from ejecting the card.
  • The perpetrator tricks the victim into entering the PIN again, then retrieves the card and uses it.

Skimming

  • Skimming is double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.
  • Annual skimming losses exceed $1 billion

Chipping

  • Chipping is planting a small chip that records transaction data in a legitimate credit card reader
  • The chip is later removed or electronically accessed to retrieve the data recorded on it.

Eavesdropping

  • Eavesdropping is listening to private communications or tapping into data transmissions.
