Social engineering is all about exploiting weaknesses in human nature and behavior. If a social engineering attack succeeds, sensitive data is exposed or the attacker gains entry to a restricted area.
Only user education and awareness training can stop social engineering attacks.
Phishing
Phishing is a form of social engineering used to steal sensitive information.
Clicking links in emails, IMs, and social network messages can lead to phishing.
To “phish” is to attempt to steal sensitive information via electronic communication.
Examples: PINs, screen-lock draw patterns, usernames, passwords, debit or credit card numbers, bank account information, UPI PINs, etc.
Smishing
Phishing through text messages, often known as smishing, is a form of social engineering that takes place over conventional text message networks or through text messaging platforms and applications.
A malicious text message sent over a normal text messaging service.
Vishing
Phishing that is conducted through the use of any telephone or voice communication system is referred to as vishing. This encompasses both conventional landlines and newer technologies such as Voice over Internet Protocol (VoIP) services and mobile phones.
Phishing via telephone or other voice communication systems is known as “vishing.”
Spam
Spam refers to unsolicited electronic mail. Spam causes problems and transmits Trojans, viruses, and other malware. Time spent sorting through unwanted emails is wasted, and it also exposes you to phishing attacks, which use tactics to acquire critical information.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC)
are the best spam-filtering controls to safeguard data.
Instant messaging (IM), short message service (SMS), and social messenger applications do not include a spam filter to protect you against phishing attacks.
Spam isn’t simply annoying advertising; it can carry malware and makes its recipients an easy target.
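The three email authentication records named above are published as DNS TXT records, so checking a domain's posture is a parsing job. The following is an added example (not from the original notes) that parses SPF and DMARC records, evaluates the ip4:/ip6: mechanisms of an SPF record against a sender IP, and reports the weak settings a defender looks for. The records and domain names are constructed samples; include:, a and mx mechanisms need live DNS and are treated as non-matching, which is a simplification of RFC 7208.

```python
import ipaddress

# Constructed sample DNS TXT records keyed by name (no live DNS lookups are made).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism) pairs and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_check(record, sender_ip):
    """Evaluate ip4:/ip6: mechanisms only (include:, a, mx would need DNS and are skipped)."""
    mechanisms, all_qualifier = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech in mechanisms:
        kind, _, value = mech.partition(":")
        if kind.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return SPF_RESULT[qualifier]
    # No mechanism matched: the 'all' qualifier decides, and a record without 'all' is neutral.
    return SPF_RESULT[all_qualifier] if all_qualifier else "neutral"


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of weaknesses in the domain's SPF/DMARC posture (empty list = fine)."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        _, all_qualifier = parse_spf(spf[0])
        if all_qualifier not in ("-", "~"):
            findings.append("SPF does not fail or softfail unlisted senders")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC policy is p=none (monitor only, nothing is rejected)")
        if "rua" not in tags:
            findings.append("no DMARC aggregate reporting address (rua)")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, "->", assess_domain(name) or "ok")
    print("192.0.2.10 ->", spf_check(SAMPLE_TXT["example.com"][0], "192.0.2.10"))
    print("198.51.100.5 ->", spf_check(SAMPLE_TXT["example.com"][0], "198.51.100.5"))
```

Replacing SAMPLE_TXT with real TXT lookups (for instance via dnspython) turns this into a quick posture check for your own domains; p=none is the setting most often found on domains that are being spoofed in BEC attempts.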
Spam over Instant Messaging (SPIM)
Inappropriate or unsolicited communications sent over any messaging system.
SPIM refers to unsolicited messages sent through any Internet-enabled or -facilitated instant messaging service.
Spear phishing
These attacks are designed to give the impression that they came from a company’s chief executive officer (CEO) or another high-level office in the company.
The term “business email compromise” (BEC) is commonly used to refer to this type of spear phishing.
BEC is frequently focused on persuading members of accounting or finance departments to transfer funds, pay invoices, or purchase products based on a message that appears to originate from a boss, manager, or executive. In other words, business email compromise (BEC) is a form of spear phishing that targets personnel working for the same company.
BEC is also sometimes referred to as “CEO fraud” or “CEO spoofing.”
Spear phishing targets an individual or group with a customized message.
Dumpster Diving
The practice of searching through trash or discarded equipment (such as hard disks) for useful information.
Burning, shredding, or chipping storage media is a common method of disposal used in secure data destruction.
By sifting through garbage, one can learn a lot about a potential victim.
Baiting
The attacker will “bait” the chosen victim by leaving something behind for them to find and use. This might be a wallet, a phone, a USB drive, or even an optical disc, left, for example, where people charge their devices in a public place.
Shoulder surfing
When a user’s screen is visible from behind them, this is known as “shoulder surfing.” Locked doors and separating employees into groups based on the sensitivity of their work are two methods of preventing shoulder surfing. A public place is not the appropriate place to work on confidential information. Screen filters are another line of defense against shoulder surfing, as they limit the viewing angle so that the material is only readable if the viewer is squarely in front of the screen.
When someone can see what you’re seeing on your screen or see what you’re typing, they’re “shoulder surfing.”
Pharming
The term “pharming” refers to the fraudulent practice of diverting traffic from a legitimate website’s URL or IP address to another, malicious website that masquerades as the legitimate one.
This is a common tactic used in malicious Domain Name System (DNS) attacks, phishing scams, and on-path attacks.
Pharming is the fraudulent use of a legitimate website’s address (either its URL or IP) to trick users into visiting a malicious version of the page.
Tailgating
Tailgating is when an unauthorized person or entity sneaks into a building using the credentials of a legitimate employee, but without the employee’s knowledge.
An employee’s responsibility is to always double-check that a door is secured and closed before leaving the area. It is important for corporate policy to emphasize educating users on the importance of security in their daily activities, but it is important to remember that altering people’s habits can be challenging. Therefore, it is necessary to employ alternative methods of enforcing tailgating restrictions. Access control vestibules, surveillance cameras, and armed guards are all options.
Piggybacking is when an unauthorized person gains access to a facility with a valid employee’s consent.
That is, the unauthorized person gains access under the authorization of a valid employee by fooling the victim into participating.
Eliciting Information
Eliciting information means gathering or collecting information from various persons or systems. Within the framework of social engineering, it is a research strategy used to build a more convincing pretext.
Classifying information, regulating the transportation of sensitive data, checking for attempted abuses, and teaching employees to be aware of information elicitation and report suspicious activities are all important.
Obtaining information on a regular basis from many systems or individuals.
Whaling
Whaling is a sophisticated kind of spear phishing used to target high-value victims such as the company’s top leadership, administrative staff, or wealthy customers. One common objective of a whaling attack is to obtain a high-level target’s credentials so that the attacker can then use those credentials to commit fraud, steal money, or divert funds.
BEC (business email compromise) is the reverse of whaling. In a whaling attack, the attacker sends harmful emails to a CEO that appear to originate from an employee or a trusted outsider.
In BEC (business email compromise), an attacker sends fraudulent emails to workers that appear to be from the CEO.
Phishing that targets CEOs, C-level executives, business administrators, and high-net-worth individuals or business people.
Prepending
Prepending adds a word to a header. An attacker may start an attack email’s subject with RE: or FW: to fool the recipient into thinking it continues an existing conversation.
Prepending attacks are also used to trick filters, by including a prefix such as SAFE, FILTERED, AUTHORIZED, VERIFIED, or CONFIRMED in the title of the message.
Other examples include the terms “INTERNAL,” “EXTERNAL,” and “PRIVATE.”
Incorporating a word or phrase into the document or heading of another message.
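Both tricks described above leave traces a mail filter can check: a genuine reply carries In-Reply-To or References headers, and a message arriving from outside the organization should not already carry the tags a security gateway adds. The following is an added example (not part of the original notes) of such ingress-side detection logic, run over constructed sample messages; the INTERNAL_DOMAINS allowlist and the message headers are assumptions made for the example.

```python
import re

# Constructed allowlist of the organization's own sending domains (assumption).
INTERNAL_DOMAINS = {"corp.example"}

# Reply/forward markers an attacker prepends to fake an existing conversation.
THREAD_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)
# Words that imitate a security gateway's own tagging of scanned or classified mail.
TRUST_TAG = re.compile(
    r"\[?\b(safe|filtered|authorized|verified|confirmed|internal|external|private)\b\]?",
    re.IGNORECASE,
)


def sender_domain(address):
    """'Alice <a@corp.example>' -> 'corp.example' (naive parse, adequate for the sample)."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def check_prepending(msg):
    """Return findings for one message given as a dict of header name -> value."""
    findings = []
    subject = msg.get("Subject", "")
    external = sender_domain(msg.get("From", "")) not in INTERNAL_DOMAINS
    # A genuine reply carries threading headers; a prepended 'RE:' usually does not.
    if THREAD_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply/forward prefix without In-Reply-To or References headers")
    # This runs at ingress, before the gateway adds its own tags, so any tag on an
    # external message was put there by the sender.
    tags = TRUST_TAG.findall(subject)
    if tags and external:
        findings.append(
            "external message carries gateway-style tag(s): " + ", ".join(t.upper() for t in tags)
        )
    return findings


def normalized_subject(subject):
    """Strip prepended tokens so downstream filters score the real subject text."""
    stripped = TRUST_TAG.sub("", THREAD_PREFIX.sub("", subject))
    return re.sub(r"\s+", " ", stripped).strip()


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    {"From": "Alice <alice@corp.example>", "Subject": "RE: Q3 budget",
     "In-Reply-To": "<msg1@corp.example>"},
    {"From": "ceo@corp-example.biz", "Subject": "RE: [SAFE] Urgent wire request"},
    {"From": "billing@vendor.example", "Subject": "VERIFIED invoice 1042"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(repr(m["Subject"]), "->", check_prepending(m) or "ok",
              "| normalized:", repr(normalized_subject(m["Subject"])))
```

The tag check is a heuristic (a legitimate external subject can contain the word "private"), so in practice it raises a score or adds a banner rather than blocking outright; the threading-header check is the stronger signal of the two.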
Identity Theft
Taking another person’s identity is known as identity theft. This might be the very first step in obtaining information. The term “account takeover” can also be used to describe the process through which a victim’s stolen credentials are put to use.
Identity theft damages victims’ credit, wealth, and reputation in numerous ways.
Identity fraud
To take someone else’s identity is to commit identity theft. An attacker using a victim’s credentials is termed credential hijacking.
Identity fraud and theft can be categorized as spoofing. The term “spoofing” refers to any method used to conceal a true identity, most commonly by posing as another entity.
Spoofing is a frequent strategy employed by hackers against technology.
Invoice scams
Invoice scams take money from organizations or people by presenting fraudulent invoices and pressing the recipient to pay.
The victim may be warned about outstanding payments, criticized for not paying, threatened with reporting to credit bureaus if payment is not made immediately, etc., as a pretext for obtaining money.
Credential harvesting
A credential harvester is someone who systematically steals other people’s login information. Credential databases frequently become available to the security community and the general public through leaks or other means.
The act of stealing credentials in order to access a system.
Reconnaissance
In tactical terminology, “reconnaissance” refers to the process of gathering intelligence on a potential adversary, most commonly for the goal of formulating an offensive strategy.
The process of learning as much as possible about an opponent before deciding how best to attack them.
Hoax
A hoax is designed to induce targets to take harmful or insecure actions. Victims may be told to remove files, modify settings, or install fake security software; in many hoaxes, the victim is warned that failure to respond will result in dire consequences.
Impersonation
Impersonation refers to the act of assuming the identity of another person in order to benefit from their position, access, or power. An impersonation is a form of deception that goes by many names, including masking, spoofing, and identity fraud.
Taking someone else’s identity with the intent of exploiting their position of power.
Watering hole attack
A watering hole attack is a kind of targeted attack against a specific place, group, or organization. The attacker observes the target’s behaviors in order to identify a pattern that can be exploited against one or more members of the target, installing malware that will allow the infection to spread back into the group, or at least onto the member’s machine.
Targeted attack against a region, a group, or an organization.
Typosquatting
Typosquatting is a strategy that takes advantage of instances in which a user mistypes the domain name or IP address of a targeted resource. The goal of this strategy is to gain control of the traffic intended for the resource in question.
This takes place while the user is attempting to reach the resource. Squatters try to identify likely mistakes in URLs and register the resulting domain names, so that the mistyped addresses direct traffic to their own websites, where they collect sensitive information as the user attempts to log in with their credentials.
Capturing and redirecting traffic when a user mistypes a resource’s domain name (website URL) or IP address.
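Defenders can catch typosquatted domains in mail logs or proxy logs by measuring how close an observed domain is to the organization's own names. The following is an added example, not from the original notes, that classifies observed domains against a constructed list of protected domains using edit distance, a same-label/different-TLD check, an embedded-label check, and a punycode (IDN) flag; PROTECTED_DOMAINS and the sample domains are assumptions made for the example.

```python
# Constructed list of domains the organization wants to protect (assumption).
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'exarnple.com' -> 'exarnple'. Real deployments should
    consult the Public Suffix List so that names like 'example.co.uk' are handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'unknown', or a 'suspicious: ...' reason for one observed domain."""
    d = domain.lower().rstrip(".")
    if d in protected:
        return "trusted"
    if any(label.startswith("xn--") for label in d.split(".")):
        return "suspicious: punycode (IDN) label, check for homoglyphs"
    label = registrable_label(d)
    labels = {p: registrable_label(p) for p in protected}
    # Checks run in order of confidence: exact label, then near-miss, then embedding.
    for p, plabel in labels.items():
        if label == plabel:
            return f"suspicious: same label as {p} under a different TLD"
    for p, plabel in labels.items():
        dist = levenshtein(label, plabel)
        if 0 < dist <= max_distance:
            return f"suspicious: edit distance {dist} from {p}"
    for p, plabel in labels.items():
        if plabel in label:
            return f"suspicious: embeds the {p} label"
    return "unknown"


# Constructed sample of domains seen in sender addresses or proxy logs.
OBSERVED = ["example.com", "exarnple.com", "examp1e.com", "example.net",
            "example-login.net", "examplebank.net", "xn--exmple-cua.com", "unrelated.org"]

if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{name:22} {classify_domain(name)}")
```

Registering the obvious variants of your own domains yourself, and feeding this kind of classification into the mail gateway's scoring, are the usual defensive uses; max_distance=2 keeps false positives manageable for labels of seven or more characters, and should be lowered for very short names.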
URL hijacking
When a user clicks on an advertisement or link that appears to lead to a popular website or service but actually takes them somewhere else (this is known as “URL hijacking”), they are tricked into giving the attacker access to their personal information. Sites and pages can be posted and optimized for search engines (SEO), or adware can be used to replace safe advertisements and links with ones that lead to harmful websites.
Clickjacking
The term “clickjacking” refers to a form of online attack in which a user’s click or selection is hijacked and sent to a different, typically harmful, place on the website.
The original website remains visible, and all interaction with the mouse will be intercepted by the floating frame and sent to the malicious URL.
Session hijacking
TCP/IP hijacking, also known as session hijacking, is a type of attack in which the attacker takes control of a communication session that is already in progress. While some methods of hijacking allow the offender to maintain a parallel connection to the targeted system or service, others are designed to cut the victim off completely.
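Clickjacking and session hijacking of web sessions are both largely prevented by response headers: a page that refuses to be framed cannot be overlaid, and a session cookie marked Secure, HttpOnly and SameSite cannot be read by injected script, sent in clear text, or attached to cross-site requests. The following is an added example (not from the original notes) that audits a raw HTTP response for these settings; the two responses are constructed samples, with the weak one beside its hardened form.

```python
import re

# Constructed HTTP responses (not captured from a real server).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""

# Attributes every session cookie should carry.
COOKIE_FLAGS = {"secure", "httponly", "samesite"}


def parse_headers(raw):
    """Return [(lowercase name, value), ...], keeping duplicates such as several Set-Cookie lines."""
    headers = []
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw):
    """Return a list of findings for one response (empty list = both controls present)."""
    findings = []
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    # Clickjacking: the page must refuse to be framed by other origins.
    xfo = values("x-frame-options")
    csp = " ".join(values("content-security-policy"))
    has_frame_ancestors = re.search(r"\bframe-ancestors\b", csp, re.IGNORECASE) is not None
    if not xfo and not has_frame_ancestors:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors directive")
    elif xfo and xfo[0].upper().startswith("ALLOW-FROM") and not has_frame_ancestors:
        findings.append("clickjacking: X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")

    # Session hijacking: the cookie must not travel in clear text, be readable by script,
    # or be attached to cross-site requests.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        missing = sorted(COOKIE_FLAGS - attrs)
        if missing:
            findings.append(f"cookie '{name}' missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_response(raw) or "ok")
```

The CSP frame-ancestors directive is the modern control and takes precedence when both are present; X-Frame-Options: DENY is kept for older clients. Cookie flags only limit theft of the session token; the server still needs to rotate the session identifier on login and expire idle sessions.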
Pretexting
The pretext is a misleading statement made to seem believable to convince you to act or respond. It’s the realistic tale you’re told to behave or respond in the attacker’s favor.
A pretext is a lie that sounds real and is meant to get you to act or respond.
Influence campaigns
As part of an influence campaign, an influencer may utilize false or fake news, misleading, incomplete, manufactured, or manipulated material to sway the opinions of readers and viewers in favor of the influencer’s ideas and values.
Doxing is collecting information on a person or organization to change opinions.