A Brief History: Social Engineering
Jan 30, 2024
ATTENTION! Your PayPal account will close soon!
Dear member
You have faced some issues with your account Please update your account.
If you do not update will be closed.
To update account just confirm informations. (it only takes a minute!).
It’s easy: click on link below and confirm detail
Relogin your account
—————————————
Although a crude example, the above is a typical phishing email, one of the most common kinds of social engineering attack. It carries the usual tells: a generic greeting, broken grammar, an urgent threat that the account will be closed, and a link the reader is told to click rather than a service they are told to visit.
Social engineering in computing dates back to the 1970s and 1980s, around the time hacking itself first emerged.
As hackers began infiltrating computer systems without authorisation, they discovered that exploiting human weaknesses could be as effective as exploiting technical ones.
Since then the sophistication of social engineering attacks has only grown, and attackers have become more and more cunning.
Deceptive websites and emails that look legitimate trick individuals into divulging information that can be used for identity theft; for organisations, social engineering has become one of the most common ways for attackers to get past the initial defences, leading to disruption and harm.
Wait, but what exactly is Social Engineering?
In simple terms, social engineering tricks people into doing things they wouldn’t normally do: such as sharing passwords, clicking on malicious links, or providing access to secure areas.
Attackers often use various tactics, such as impersonation, building trust, and exploiting human psychology, to achieve their goals.
Why is it so dangerous?
Social engineering is particularly dangerous because an attack does not have to work against everyone: a single successfully fooled victim can hand over enough information, or enough access, to set off an attack that affects the entire organisation.
Examples of social engineering tactics include:
Phishing: Perhaps the most well-known form of social engineering, phishing involves sending fraudulent emails that appear to be from reputable sources. The goal is to trick recipients into providing sensitive data like login credentials or credit card numbers. Phishing emails often create a sense of urgency, prompting the victim to act quickly without fully scrutinising the email’s legitimacy.
Spear Phishing: A more targeted version of phishing, spear phishing involves sending personalised messages to specific individuals. The attacker often conducts background research on the victim (like using information from social media) to make the communication seem as legitimate and convincing as possible. This personalisation can make spear phishing attacks much harder to detect than general phishing attempts.
Pretexting: In this scenario, an attacker fabricates a situation or scenario to steal a victim’s personal information. The attacker usually poses as a co-worker, police officer, bank official, or any other figure who might legitimately request the information being sought. The pretext is designed to build trust and extract sensitive information under seemingly normal circumstances.
Baiting: As the name suggests, baiting involves offering something enticing to the victim in exchange for their login information or private data. This could be in the form of a free music or movie download that leads the victim to a malicious website, or a USB drive labelled “Confidential” left in a public place, which contains malware.
Tailgating or Piggybacking: This physical security breach occurs when an unauthorised person follows an authorised person into a restricted area. The attacker might strike up a conversation with the target or simply walk closely behind them, exploiting social norms and courtesy to gain access.
Quid Pro Quo: Similar to baiting, quid pro quo attacks promise a benefit in exchange for information. This type of attack is common in corporate environments; for example, the attacker might impersonate an IT technician and offer free IT assistance or upgrades in exchange for login credentials from unsuspecting employees.
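The phishing indicators described above (a sender that merely claims to be a reputable source, and urgency designed to stop the reader scrutinising the message) can be checked mechanically. The Python script below is an added example, not code from the original article or from Cybawareness: it parses a raw email, compares the display name and sender domain against an assumed allow-list of trusted brand domains, flags digit-for-letter look-alike domains, detects links whose visible text shows one site while the href leads to another, and lists urgency phrases. The two messages, the trusted-domain list, the urgency phrase list and the homoglyph table are all constructed for this example; the look-alike domain uses the reserved .example TLD so it cannot collide with a real site.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com"}  # assumed allow-list of brands we expect mail from
URGENCY_PHRASES = ("will close", "will be closed", "suspended", "immediately",  # assumed cues
                   "within 24 hours", "update your account", "confirm your")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit-for-letter swaps
# Constructed sample messages; the look-alike domain uses the reserved .example TLD.
PHISH_EMAIL = """\
From: "PayPal Service" <service@paypa1-support.example>
Subject: ATTENTION! Your PayPal account will close soon!
Content-Type: text/html; charset=utf-8

<html><body><p>Dear member,</p>
<p>You have faced some issues with your account. Please update your account.
If you do not update it will be closed. It's easy: click the link below and confirm your details.</p>
<p><a href="http://paypa1-support.example/relogin?id=4471">https://www.paypal.com/signin</a></p>
</body></html>
"""
CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available. <a href="https://www.paypal.com/statements">View statement</a></p></body></html>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> elements
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def levenshtein(a, b):
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(url_or_host):
    """Registrable part of a URL's host or a bare host (naive: no public-suffix list, so co.uk breaks)."""
    host = urlparse(url_or_host if "://" in url_or_host else "//" + url_or_host).hostname or ""
    return ".".join(host.rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain that `domain` imitates by digit substitution, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    tokens = domain.split(".")[0].translate(HOMOGLYPHS).split("-")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(levenshtein(t, brand) <= 1 for t in tokens):
            return trusted
    return None

def body_text(msg):
    """Decoded text of all text/* parts, whether the message is single-part or multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def scan_email(raw):
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable(address.rsplit("@", 1)[-1])
    body = body_text(msg)
    indicators = []
    for trusted in TRUSTED_DOMAINS:  # 1. display name claims a brand the address does not carry
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and sender_domain != trusted:
            indicators.append(f"display name claims {brand} but sender is {sender_domain}")
    imitated = lookalike_of(sender_domain)  # 2. digit-for-letter look-alike of a trusted domain
    if imitated:
        indicators.append(f"sender domain {sender_domain} imitates {imitated}")
    collector = LinkCollector()  # 3. anchor text shows one site while the href leads to another
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"(https?://|www\.)", text) and registrable(text) != registrable(href):
            indicators.append(f"link text shows {registrable(text)} but href goes to {registrable(href)}")
    cues = [p for p in URGENCY_PHRASES if p in (msg.get("Subject", "") + " " + body).lower()]
    if cues:  # 4. urgency designed to stop the reader scrutinising the message
        indicators.append("urgency language: " + ", ".join(cues))
    return indicators

for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
    print(name, scan_email(raw) or "no indicators")
```

Run as-is, the script reports four indicators for the constructed phishing message and none for the legitimate one. The heuristics are deliberately simple: `registrable` takes the last two labels without a public-suffix list, the homoglyph table covers only digit substitutions, and phrase matching is plain substring search. Checks like these complement, but do not replace, sender authentication (SPF, DKIM and DMARC) and the habit of navigating to a service directly instead of following a link.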
Attackers target children, individuals at home, small businesses and international corporations alike, so putting sound defences in place is imperative for everyone.
No one is safe
Google and Facebook lose $100 million to scammers
No matter the size of the organisation, anyone can be targeted by these kinds of social engineering scams. Two of the world’s biggest companies, Google and Facebook, lost more than $100 million to a phishing scam between 2013 and 2015.
And it was all orchestrated by one man, Evaldas Rimasauskas. With the help of accomplices, he set up a company that impersonated a real computer hardware manufacturer that did business with Google and Facebook, and opened bank accounts in that company’s name.
The fraudsters then sent phishing emails to targeted employees at Google and Facebook containing invoices for goods and services that the real manufacturer had actually supplied.
The emails directed the recipients to pay those invoices into accounts the fraudsters controlled, and over two years Rimasauskas and his accomplices defrauded the two technology giants of more than $100 million. No malware or stolen password was involved: this is invoice fraud, a form of business email compromise, and it works because the payment channel is trusted and bank details are not verified out of band.
The grave consequences of non-compliance for businesses
Google and Facebook bore the direct cost of that fraud, but did you know that businesses which fail to adequately protect consumers’ sensitive information also face regulatory penalties, from hefty fines to, in some jurisdictions, criminal liability for the individuals responsible?
The consequences of a breach, whether or not social engineering was involved, are not only financial and legal: a business’s reputation is also at risk, with knock-on effects on markets and on the confidence of stakeholders, investors and consumers.
So how do you protect yourself?
While phishing attacks continue to evolve, being informed and vigilant is your best form of defence. Treat any unsolicited message that demands urgent action as suspect; look at the actual sender address rather than the display name; hover over links to see where they really lead, and navigate to the service yourself instead of clicking; verify any request to send money or change payment details by phoning the requester on a number you already hold; and enable multi-factor authentication so that a stolen password alone is not enough.
At Cybawareness we assist in raising awareness, and simultaneously help you fill any knowledge gaps that are crucial to navigating the digital landscape in a manner which limits the likelihood of you falling victim.
Do the smart thing and be proactive in guarding your digital identity — it’s an invaluable asset in today’s digital age.
Stay safe!