We Fight Fraud



Social Engineering training



If you did, we may have successfully socially engineered you by putting flash frames in the video. We fed you information we wanted you to use. If you clicked on 25 or 35 (which are all false, by the way), you may have been pressured by the countdown. If you didn’t click on a number and clicked the grey box, congratulations: you weren’t pressured by the clock.

Social engineering is an attack vector that criminals use, and one of the biggest threats we face today. ‘Hacked’ data would not be the problem that it is right now without social engineering. This is because social engineering is the way in which criminals are able to monetise the data that has been stolen during a ‘hack’. Without social engineering the data is worthless.

“Social Engineering is basically the art of fraud”

Tony Sales, The Social Engineering Expert

How do criminals use social engineering? 

From ransomware to phone spoofing, criminals use information gained from ‘hacked’ databases to manipulate victims into making decisions that benefit the criminal.

A common social engineering attack vector is for criminals to take a little information about their potential victim, such as their name, address, phone number, and date of birth, and then use it on the telephone to compel the victim to act for the criminal’s benefit.

How could social engineering be used against my business?

Criminals will often telephone businesses to gain information that they can use against you in attacks such as invoice fraud or a physical attack, where a criminal may compel your staff to let them in. They may even coerce your staff to work with them without the staff even realising.

The key point about social engineering is that, regardless of the method (telephone, SMS, email), it is always reliant upon human vulnerabilities.

Do you think you can spot a social engineering attack? 

The Social Engineering Expert, Tony Sales, was asked by Virgin and O2 to show us all how simple it is for social engineers to steal our personal information.

Would you fall for the MACS?


Phishing is one of the most popular social engineering attack types. Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

Spear phishing is a more targeted version of the phishing scam, in which an attacker chooses specific individuals or enterprises. The attacker then tailors their messages based on the characteristics, job positions, and contacts of their victims to make the attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. These attacks are much harder to detect and have better success rates if done skillfully.

Baiting is when an attacker uses a false promise to appeal to a victim’s greed or curiosity. They then lure users into a trap that steals their personal information or infects their systems with malware.

Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself.

Pretexting is when an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.