There are many types of attacks that threat actors and hackers perform in order to gain unauthorized access into a system. Some require advanced programming skills or specific software/hardware knowledge. One particular type of attack, however, does not even target a computer system itself. Known as a social engineering attack, this technique targets the person behind the keyboard.

What is a Social Engineering Attack?

As mentioned above, a social engineering attack is one that targets the human component of a computer system instead of the technology itself. These types of attacks are surprisingly effective, as it is much easier (and, in some cases, faster) to persuade or trick a person into doing something than it is to write malware or exploits. In fact, social engineering can be done by someone with very little programming skill.

Essentially, an attacker just needs to either scare, convince, or trick a person into divulging some sort of private information, like a password or confidential knowledge, or downloading some sort of software that can be used to perform more nefarious acts. They may threaten the victim with false legal action or claim the victim has a virus on their computer, tell the victim that they only have a limited time to accept an “offer” before it expires, or even claim that they will give the victim something they want after the victim does what the attacker asks.

For example, an attacker can call someone on the phone, claiming they’re from the victim’s bank, and ask for the victim’s account information. If the victim gives up that information, then the attacker can go in and drain their bank account. Very little, if any, programming is involved in that type of scenario.

Examples of Social Engineering

There are many different types of social engineering tactics employed by attackers.

One prominent type of social engineering attack is phishing, an attack in which the threat actor sends a communication to the victim in order to trick them into divulging personally identifiable information (like bank account details, passwords, or even social security numbers). Generally, phishing is done via email. There are many subtypes of phishing, such as SMShing (pronounced smish-ing; this is when phishing is performed over a text or SMS message instead of via email), vishing (when phishing is performed via phone call), spear-phishing (when phishing attempts are targeted at a specific person), or whaling (phishing attempts targeted at a high-profile individual, such as the CEO or CFO of a company).

Another social engineering attack is pig butchering, also called a crypto-romance scam. In this type of attack, the threat actor enters into a pseudo-romantic relationship with the victim and, once trust has been established, the threat actor urges the victim to buy cryptocurrency on a scam website. This scam website usually just sends the victim’s money directly to the attacker, and the victim does not get any actual cryptocurrency.

There are some social engineering attacks that do incorporate some programming, as well. Scareware is a good example of this: scareware is a type of software that serves to scare the user into thinking they have malware on their computer. The victim is urged to contact a specific phone number or email, which is when the attacker will generally convince the victim to install software that gives the attacker the ability to use the computer remotely (i.e., the attacker can use the computer as if they were behind the keyboard, even if they are actually across the world!).

There are many other types of social engineering attacks besides these, such as the Look Who Died Scam; thus, it is important to safeguard yourself and your data.

How to Protect Yourself Against Social Engineering

You may be thinking “oh, well I’d never fall for a scam like that!” However, it happens more often than you would think, and even the most cautious person can fall victim. Here are some good tips to keep yourself safe:

  • Don’t share passwords, bank account information, or anything confidential with anyone you do not know, especially over the phone, via text, or via email.
  • If something sounds too good to be true (for example, a foreign prince promising you his fortune if you pay his passport fees), then it is likely a scam. Always stop and think; would someone with vast fortunes and royal status really need $500 from a random person to get a passport?
  • If a pop-up appears on your computer that says you have a virus and urges you to contact a phone number or email, have a professional IT person look at the machine. Do not contact the number/email!
  • If you receive a message, text, or email that appears to be a scam or phishing attempt, report it as a scam or spam (if you are able to) and delete it. Do not forward it to anyone else, and block the sender, if possible.
    • Additionally, check the grammar and spelling of suspicious emails. Usually, attackers make some spelling mistakes or grammatical errors throughout their messages.
  • Don’t click on any links if you are unsure of where they go.
  • If someone calls you claiming to be someone important, such as your bank, tell them you will call them back and hang up. Wait a little bit, and then call the number that you have to reach your bank (or whomever that important person is); do not redial the number that originally called you.
  • Pay attention to the tone or attitude of the person. If they seem to be easily frustrated or angered or are constantly urging you to take a specific action, then they may be trying to scam you.
  • Do not log in with your accounts on a website you are unfamiliar with. For example, if a strange website asks you to log in with your Google, Facebook, Apple, etc. account, don’t do it unless you know what exactly the website is.
  • If the message urges you (or threatens you) to do something, then it might be a scam. For example, if the message states that your Amazon or Netflix account has been suspended and you have to log in through the provided link to unlock your account, this is a social engineering scam.
  • Don’t share your personal information online.
    • In today’s world, this is often not followed, and sometimes not possible. However, try to be selective with who can see your information and what information is out there.
  • Don’t go onto suspicious websites.

Of course, this list can continue onward. But most importantly, try to be vigilant when using technology. If something sounds suspicious or is even just out of the ordinary, treat it with caution. It will save you plenty of headaches later.
