by Anthony O’Mara, Vice President EMEA, Malwarebytes
Social engineering is a tool of psychological manipulation that’s been used since the dawn of man to influence people into taking action that might not be in their best interest. Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feeling of them all: the desire for free stuff.
So it’s no surprise that cybercriminals have caught on.
In fact, psychological cyberattacks are on the rise. One popular example, which blends a technical lure with psychological pressure, is the tech support scam. An alert pop-up appears on the screen telling the user that their machine is infected and that they need to download an antivirus application. The user, fearful of infection, downloads the fake application, which is in fact a vehicle for delivering malware.
So what are the most prevalent forms of social engineering today? Here are five social engineering schemes that you should be making your users aware of.
Clickbait
“Huge snake eats man alive!” Have I got your attention? What if I posted a link to a video of the ordeal? You just might be tempted to click, especially because many legitimate articles and other pieces of content use similarly eye-catching headlines to draw readers. Cybercriminals understand this, and they exploit it: the sensational link leads not to a video but to a malicious page or download.
Watering hole attacks
One of the things cybercriminals do best is collect information about their targets. Browsing habits tell a lot about a person, which is why that ad for cat sweaters keeps popping up in your Facebook feed. Cybercriminals use this information to go after the sites most visited by their target group. Once they discover that a particular website is popular with their targets, they compromise the site itself and use it to serve malware, so the victims are infected simply by visiting a site they already trust. For example, attackers knew the iPhone Dev SDK forum was visited frequently by developers at Facebook, Apple, and other companies. They compromised the website, planted an exploit on it, and ended up infecting a lot of people.
Social networking attacks
Social networking attacks can be particularly dangerous because criminals mess with your mind in two ways. First, they play on your self-image and personal insecurities. Second, they make their messages appear to come from a friend. “Cybercriminals know that one of the biggest vulnerabilities people have is their self-image,” says Adam Kujawa, Head of Intelligence at Malwarebytes. When someone you know appears to be making negative comments about you, you’re likely to open that message and follow its link. And that’s how you get infected.
Ransomware
Ransomware is nasty business. It’s also social engineering at its finest, or rather its worst. Ransomware holds your files or your system hostage, and in order to return access, cybercriminals demand payment. As if that weren’t hair-raising enough, some forms of ransomware are wrapped in law enforcement scams. Cybercriminals make it appear as though the U.S. Department of Justice or the FBI Cybercrime division is contacting you to accuse you of illegal activity, so that the ransom looks like a fine.
Even worse, some criminals will stoop to the level of claiming they found child pornography on your computer—and then display a piece of child pornography. So, they say, pay up and we’ll make it go away. Users, naturally, tend to panic when faced with a message about child pornography that seems to come from law enforcement.
Phishing
Phishing is a form of social engineering that relies on fooling people into handing over money or data, typically through email. In recent years, cybercriminals have made phishing far more sophisticated. Spear phishing emails are tailored to a specific recipient and crafted to make that person believe they come from a legitimate source. The messages might appear to come from banks or businesses, and can include full names, usernames, and other personal details gathered beforehand. Cybercriminals know that if you get an email that looks like it’s from your medical provider and it references a surgery you had last year, you are far more likely to believe it.