×

Irish Information Security Forum

Social Engineering & Cybersecurity

What is social engineering?

As technological defences become more robust, cyber criminals are increasingly using social engineering techniques to exploit the weakest link in the security chain: people. Social engineers use a variety of means – both online and offline – to con unsuspecting users into compromising their security, transferring money or giving away sensitive information.

According to Proofpoint's 2019 report The Human Factor, 99% of cyber attacks use social engineering techniques to trick users into installing malware.

 

Phishing

The most common form of social engineering attack is phishing.Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites. Types of social engineering attacks include:

 

Angler phishing

Phishing attacks carried out via spoof customer service accounts on social media.

 

BEC (business email compromise)

Emails purporting to be from senior members of staff.

 

Pharming

Redirecting web traffic from legitimate sites to malicious clones.

 

Spear phishing

Phishing attacks targeting specific organisations or individuals.

 

Tabnabbing/reverse tabnabbing

Rewriting unattended browser tabs with malicious content.

 

Whaling/CEO fraud

Targeted phishing attacks aimed at high-profile individuals, such as board members.

 

You can learn more about these and other phishing attacks on our phishing information page.

 

Other social engineering tactics include:

 

Baiting

Enticing victims into inadvertently compromising their security, for example, by offering free giveaways or distributing infected devices.

 

Diversion theft

Offline diversion thefts involve intercepting deliveries by persuading couriers to go to the wrong location. Online, they involve stealing confidential information by convincing victims to send it to the wrong recipient.

 

Honey trap

Attackers pretend to be romantically or sexually interested in the victim to persuade them to yield sensitive information or money.

 

Smishing/SMS phishing

Text messages that purport to be from legitimate entities are often used with other techniques to bypass 2FA (two-factor authentication). They might also direct victims to malicious websites on their phones.

 

Pretexting

An early stage of more complex social engineering attacks in which the con artist gains a victim’s trust, typically by creating a backstory that makes them sound trustworthy.

 

Quid pro quo

Quid pro quo attacks rely on people’s sense of reciprocity, with attackers offering something in exchange for information.

 

Scareware

A form of malicious software – usually in the form of a pop-up that warns that your security software is out of date or that malicious content has been detected on your machine – that fools victims into visiting malicious websites or buying worthless products.

 

Tailgating

A physical security attack that involves an attacker following someone into a secure or restricted area, for instance, while claiming to have mislaid their pass.

 

Vishing/voice phishing

A form of targeted social engineering attack that uses the phone. Types of vishing attacks include recorded messages telling recipients their bank accounts have been compromised. Victims are then prompted to enter their details via their phone’s keypad, giving them access to their accounts.

 

Water-holing/watering hole

Watering hole attacks work by infecting websites that a target group is known to frequent. For instance, 2017’s NotPetya infection – believed to be a politically motivated attack against Ukraine – infected a Ukrainian government website and then spread through the country’s infrastructure.

 

419/Nigerian prince/advance fee scams

These cons involve scammers asking victims to supply their bank details or a fee to help them transfer money out of their country. They originated in Nigeria, and the number 419 refers to the section of Nigeria’s Criminal Code that bans the practice.

IISF Logo

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland

 


FORUM SPONSORS

We would like to thank these generous sponsors for their support. 

crowdstrike logo

zscaler logo

 

 

Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more

 

secured by edgescan digital security radar logo

© iiSf. All rights reserved. CRN: 3400036GH  - Privacy Statement  - Sponsorship  - Cybersecurity News Topics  - Cybersecurity Resources  - Produced by
LinkedIn Twitter