You've heard it so many times before. Hackers can force their way into other people's data or computer systems. It is therefore important to protect yourself against hackers with firewalls, antivirus programs and other technical measures. But hackers have evolved their strategies in recent years - and it's no longer just software they find flaws in. Through social engineering, also called human hacking, hackers exploit the way people process information and influence it to their own advantage.
When people get hacked
Social engineering is targeted manipulation. It is a process or strategy in which hackers manipulate their victims into giving up confidential information or providing access to their computer system. Social engineering can take place both online and offline, but the vast majority of victims are affected by digital social engineering attacks.
Hackers typically use six key principles to influence their victims: authority, intimidation, social acceptance, scarcity, time pressure and positive evaluation. Through these principles, they can evoke certain emotions in their victims, which can impair the victims' judgement - making them more likely to carry out the hackers' desired actions.
Authority: Hackers will often present themselves as an authority, such as a well-known company or the victim's own company director. Here they take advantage of the fact that most people follow their superiors, either because they trust them or because they will not speak out against an authority.
Intimidation: Many social engineering attacks include warnings or threats of negative consequences if the victim does not follow the hacker's instructions.
Social acceptance: People follow people and tend to do things that they see or hear other people doing. Hackers can exploit this by mentioning other people, perhaps someone the victim knows, in their attacks.
Scarcity: If something is perceived as scarce or only available for a short time, it creates demand. Therefore, hackers will often mention that there is only a limited quantity of a particular item.
Time pressure: By building in urgency, e.g. short deadlines, hackers make most people feel that they do not have time to double-check and must react immediately.
Positive evaluation: People are more likely to help someone they like, or think they like. Therefore, hackers will often appear polite and friendly, or they may pretend to be someone the victim knows.
In addition to exploiting people's inability to think critically, hackers can also exploit other common human traits, such as curiosity or the desire to be helpful. By offering an exciting and lucrative job, hackers can make the victim so curious that they cannot resist clicking on the fake job ad. And by posing as a colleague who is unable to complete a task due to a family crisis, the hacker can play on the victim's compassion and desire to help, leading the victim to download a fake report.
Social engineering attacks
There are different ways in which social engineering attacks can take place. They can be carried out virtually anywhere human interaction occurs, which makes it all the more important to understand what social engineering is and how it is carried out.
Want to go fishing?
Phishing attacks are the most common cyber attack in the world. An example of a typical phishing attack is an email alerting the victim that their password for an application or service is expiring and that they should change it immediately through a link. When the victim clicks on the link, they are sent to a fake phishing website that looks like a legitimate company website. Here, the victim has to enter some confidential information and the new password. This information is then sent to the hackers.
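As an added illustration that is not part of the original article, the following Python checker scores an email body for cues of the six principles listed above and flags links whose visible text names a different host than the real destination, the trick used in the password-expiry phish just described. The cue phrases and the sample email are constructed for the example and are a starter list, not a complete detection rule set.

```python
import re
from urllib.parse import urlparse

# Cue phrases for the six principles (a constructed, illustrative starter list, not an exhaustive lexicon)
PRINCIPLE_CUES = {
    "authority": [r"\bceo\b", r"\bdirector\b", r"\bit department\b", r"\bsecurity team\b"],
    "intimidation": [r"\bsuspend", r"\blegal action\b", r"\bwill be locked\b"],
    "social_acceptance": [r"\byour colleagues\b", r"\beveryone (has|is)\b"],
    "scarcity": [r"\bonly \d+ (left|remaining)\b", r"\blimited (number|quantity|offer)\b"],
    "time_pressure": [r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\bexpir(es|ing) (today|soon)\b"],
    "positive_evaluation": [r"\bdear friend\b", r"\bvalued (customer|employee)\b"],
}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def mismatched_links(html):
    """Return hrefs whose visible text is itself a URL naming a different host than the real target."""
    bad = []
    for href, shown_text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", shown_text).strip()
        if not LOOKS_LIKE_URL.fullmatch(text):
            continue  # visible text like "Click here" names no host, so there is nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            bad.append(href)
    return bad

def score_email(html):
    """Return (score, findings): one finding per principle detected plus one per mismatched link."""
    text = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag stripping is enough for keyword cues
    findings = [p for p, cues in PRINCIPLE_CUES.items() if any(re.search(c, text) for c in cues)]
    findings += ["mismatched_link:" + href for href in mismatched_links(html)]
    return len(findings), findings

# Constructed sample email in the style of the password-expiry phish described above
SAMPLE = """<p>Dear valued employee,</p>
<p>Your password expires today. The IT department requires you to reset it
immediately, or your account will be locked within 24 hours.</p>
<p>Reset here: <a href="http://login-example.invalid/reset">https://login.example.com</a></p>"""

if __name__ == "__main__":
    print(score_email(SAMPLE))
```

A high score is a prompt for the reader to slow down and verify, not proof of fraud; a legitimate reminder can trip a cue or two, while a mismatched link is the strongest single signal here.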
Bait on the hook - it's not always good to be nosy
Baiting is a way of attracting the victim's interest and can be done both online and offline. A physical way to bait is to leave some hardware, such as a USB stick, in a public place where the hacker knows there are many people. This could be lobbies, lifts, toilets or car parks. The USB stick may have a label with a company logo and a description of the contents, such as a salary statement. Out of curiosity, the victim takes the USB stick home and inserts it into their computer, which is then infected with malware.
Online baiting can be advertisements that tempt with interesting offers. When the victim clicks on the advertisement, they are directed to a fake website or prompted to download malware.
Vishing and smishing - phishing over the phone
Both types of attack are variations of phishing. Vishing, or "voice phishing", is an attack through phone calls. The hackers call the victim and pretend to be from a well-known company that needs some information. In smishing, hackers use SMS as the medium to trick information out of the victim.
Information gathering through pretexting
Unlike the previously mentioned social engineering attacks, pretexting is not a one-off attack. Pretexting is a longer process in which the hacker pretends to be an authority or an acquaintance. Through this process, the hacker establishes a relationship of trust with the victim and slowly collects personal information from them. The victim believes that they are helping the "authority" or "acquaintance" to perform an important task.
The annoying friend in the group
Mail hacking is a type of attack where hackers force their way into the victim's email or social media account and then gain access to the victim's contacts. The hackers send fake messages to the contacts, which may contain, for example, "funny videos" from their friend that link to a fake website or contain malware. It can also be a message that the friend is in trouble and needs money.
Scamming techniques that work
Through attacks called scareware, hackers bombard the victim with fake threats, both in emails and in internet browsers. A common scareware attack uses fake pop-up banners that appear in the victim's internet browser. The banner states that the victim's computer has been infected with malware or spyware and that the victim must download a tool to fix it. That tool is itself malware, which the hackers use to access the victim's data.
Be alert and outsmart the hackers
Although hackers have become good at manipulating their victims, there are several ways you can protect yourself or your workplace.
Stop and think. On a busy day, you may not feel that you have time to read emails closely. But it is important to always read emails and understand their content. Then ask yourself: Does the content make sense? Is it relevant to me? Is it plausible that I suddenly have to react immediately?
Check the information. If you are not expecting an email from a specific person or company, it is always a good idea to check the information the email contains. It will often include names or phone numbers, which you can verify against the company's legitimate website.
Foreign offers are not to be trusted. If you ever receive emails from foreign sources offering lottery prizes, cash prizes or money from unknown uncles, it's almost always a scam.
Use a search engine instead of links. Digital social engineering attacks usually contain links for you to click. If in doubt, use a search engine to find the website the link supposedly leads to, and go there directly.
Always be careful when downloading files. This is especially true if you are not expecting a file or do not know the sender.
Know the origin. This applies especially to physical hardware, such as USB sticks and flash drives. If you are not sure where a piece of hardware came from and what it contains, never plug it into your computer.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.