Social Engineering Knowhow 6: Everything You Need To Know About Scareware

Money-motivated con artists keep a large arsenal of social engineering tricks to trap their victims. Alongside the popular techniques, they also actively use decade-old social engineering techniques to lure millions of victims globally. Scareware is considered one of the most compelling examples of the lot.

Define scareware

As its name suggests, scareware targets millions of end users every year and makes a massive sum of money by riding on fear and despair.

In short, scareware is a potentially unwanted application (PUA) or rogueware that impersonates legitimate-looking security or system utility software in order to make money from its victims. Scareware often poses as a cybersecurity solution, antivirus, antispyware, firewall, or system optimisation software.

Noteworthy features of a scareware 

Scareware often gains a foothold on the victim's machine via compromised or malicious websites, spam email attachments, malvertising, sponsored browser search results, or black hat SEO techniques. Once it gains access to the victim's system, it usually pushes pop-up alerts that list a plethora of system problems.

These false alerts report issues such as malware, broken system files, cache errors, spyware, keyloggers, and infected files, and claim to offer a solution to all of them in exchange for a hefty amount.

Many scareware programs are capable of locking the entire system or flashing pop-ups continuously until the victim pays. A few notorious scareware families can even block legitimate security software from loading, or block the operating system or AV software from updating.

Some of them can even block necessary system tools such as the uninstall-programs utility, or prevent any third-party tools from being executed. A few infamous scareware programs also come with clickjacking features that route the victim's internet traffic to malicious websites even after the victim clicks the exit (X) or cancel button.

The bad actors often design scareware to look like an authentic software pop-up by borrowing similar typefaces, colours, window design, and other elements from legitimate software. They often flash a pop-up when the user opens a website, switches between sites, copies files, or executes any essential operation. Once they gain the victim's trust, the scareware routes the device's internet traffic to an impersonated version of a reputed cybersecurity or system utility developer's site and asks for a hefty amount.

Though scareware is primarily popular among fake security software developers, it is also often used as a social engineering technique to intrude into a system or network.

Even though most scareware limits itself to extracting money once from its victims, many variants also steal payment card information via fake payment gateways. Sometimes scareware is also used to deliver ransomware onto the victim's system.

Scareware families

In its early years, scareware developers primarily targeted Windows users because of the platform's unquestionable popularity. But over the last few years, scareware attacks have been surging on other popular operating system platforms, including macOS, Android, and iOS. The ongoing Coronavirus pandemic has further helped scareware makers develop numerous new techniques for all the popular operating systems.

Interestingly, many infamous scareware programs were developed decades ago but are still prevalent. Spy Sheriff for Windows was crafted in 2009 and is still visible in the wild. MacKeeper and MacBooster are two commonly seen scareware programs for macOS users. Two notorious scareware families for the Android operating system, named Android Defender and Android Spy, are also visible.

The salient aspects of a scareware

To identify scareware as soon as it appears on the system, you should learn the common symptoms. Here are the most basic signs of scareware:

  • A pop-up suddenly appears with a critical system error message, mentioning system files, the registry, or something similar, and asks you to click a button to get rid of it.
  • A pop-up claims your antivirus/cybersecurity software license has expired and asks you to renew it through a pop-up window.
  • A pop-up appears with some exciting deals or discounts.
  • A pop-up suddenly starts scanning your system for malware and displays a plethora of infections that supposedly exist on your system. Such scans are usually fake animations meant to put psychological pressure on you to click on something.
  • A random pop-up appears in the browser window and doesn't let you close it.

How to get rid of scareware

Protecting your device against scareware is comparatively easy if you can keep your patience and think twice before following any instructions. Another relevant measure to keep scareware away is to install reputed multi-layered internet security software such as K7 Total Security, which comes loaded with email and site filters, necessary web protection tools, a firewall, and other relevant protections to block attacks in their initial phase. Alongside, you should also:

  • Turn on automatic system and application updates. You should also keep all installed browsers and plugins updated.
  • Turn on the K7 Security pop-up blocker in your browser to stay away from any irrelevant pop-ups.
  • Never click a download button or a link that appears in a pop-up window. Never click its terminate (X) or close button, either. Always terminate the process manually instead: if you encounter a suspicious pop-up with scareware-like symptoms in Windows or macOS, right-click the currently active icon that appears on the taskbar and select Close (in Windows) or Quit (in macOS). Alternatively, press Ctrl+Alt+Delete in Windows or Command+Option+Esc in macOS to force quit the application.
  • In case of any emergency, restart your system in safe mode, and don’t hesitate to call our helpline for further assistance.
Social Engineering Knowhow 5: All you need to know about Pretexting

Phishing attacks are growing multifold every day across the globe. But the alarming statistics don't mean that con artists prefer phishing over all other social engineering methods. Before executing any sophisticated targeted attack, threat actors study the target and choose the most effective social engineering method for the lure. Pretexting is one of them.

In simple words, pretexting is a notorious social engineering technique where the attacker pretends to be someone the victim trusts in order to extract useful information. As with other social engineering methods, attackers often impersonate others to build confidence.

But unlike other social engineering methods, in pretexting the adversary usually observes the target for a long time to understand and gather information about their likes, dislikes, and various psychological patterns. Once they collect the pertinent information, they elaborately plan to earn the victim's trust over email, live chat sessions, or phone calls.
Once they earn the victim's trust, they easily extract all the relevant information that helps them launch a cyber-attack.

Unlike phishing, a pretexting attack may or may not involve malware. For instance, in a pretexting attack, a threat actor can masquerade as an official of the bank where the victim has an account. Once they gain trust without arousing any suspicion, they could ask the victim to send relevant banking credentials or payment card information in the name of upgrading their KYC or something similar.

Pretexting users

The popularity of the pretexting technique goes beyond the cybercrime business. The methods involved in pretexting are used by people in enterprise sales, public speaking, journalism, fortune-telling, and private investigation, and by doctors, lawyers, therapists, and countless other professionals, to extract useful information. For instance, a private detective can use similar methods to find relevant details that help solve a specific investigation.

Apart from these techniques, the art of pretexting is also practised for executing tailgating or piggybacking operations to enter unauthorized premises. For tailgating operations, actors often impersonate someone or steal an access card or RFID key to carry out the operation.

Phases of Pretexting

Like other social engineering techniques, pretexting involves multiple stages to achieve the goal. For instance, a pretexting attack always includes a sophisticated planning session based on extensive research into the victim's psychology.

To execute a sophisticated pretexting plan, the social engineer must gain expertise in the specific dialect by learning certain phrases, idioms, terms, and sometimes slang to stay above suspicion. For instance, while impersonating a representative of a bank, the con artist learns how a bank employee greets customers, or practises the colloquial idioms of the dialect.
The threat actors sometimes even learn the local laws, assess the victim's intelligence level, and work out a proper timing schedule to execute their call to action.
The planning phase often involves crucial points, such as identifying the problem they are pretending to solve or planning the set of questions they are supposed to answer. It also covers more delicate psychological details, such as the kind of information they could try to retrieve.

For Example

Sophisticated pretexting is often used in highly targeted attacks against large organizations. Verizon's 2020 Digital Breach Investigation Report claimed that a significant percentage of social engineering attacks were executed through pretexting. The researchers claimed that the numbers had shot up significantly from the previous year and that this type of attack could increase even more in the following years. The experts also claimed that poor security policies and a lack of cybersecurity awareness are largely responsible for the increase in pretexting attacks.

In 2018, an alleged Russian spy called Maria Butina was arrested on charges of extracting relevant information from American citizens, infiltrating political groups, and the U.S. Justice Department. Maria was allegedly associated with the Russian Government and was working under the instruction of an authority figure of the Russian Central Bank. She was later sentenced to 18 months in prison. The authorities used Butina's social media pages, including Facebook, Twitter, YouTube, and LinkedIn, to justify their claim. The authorities found Butina in numerous photographs with Alexander Torshin, the deputy head of Russia's Central Bank, who is sanctioned by the U.S. Treasury Department.
In another case, Anna Sorokin, a.k.a. Anna Delvey, posed as a German heiress and applied for a $22 million loan to start a private club. Delvey forged all the required documents, including bank documents, and became a regular at the Big Apple's socialite hot spots. She was later charged with attempted grand burglary and theft of services by the Manhattan District Attorney.

In another significant case of pretexting, a California- and Oregon-based American organization called Perverted Justice used pretexting to run online decoy operations against many pedophiles and sexual predators. To obtain the information needed to prove the allegations against the suspects, Perverted Justice used different pretexting schemes via social media.
During the political unrest in Brazil in 2013, a Brazilian Army intelligence member created several profiles across social media platforms, including Facebook, Instagram, and Tinder, to monitor the activists' behavior. Through the series of operations, 21 agents were convicted for flirting with women on various social media platforms, including Tinder.

Key Takeaways

Pretexting is one of the most sinister social engineering methods and is used in many highly sophisticated targeted attacks. The method relies on brazen trickery, which often manages to deceive the target successfully. To protect yourself from such attacks, you should:

  • Never share any personal or organization data with any recent acquaintance or any unknown person.
  • Share no personal information, including passwords, via email or any social messenger.
  • Look carefully at the domain name of any site you visit and cross-check it against the authentic site via an internet search. Remember, an impersonated website can come with a similar name but a different extension, such as gizmodo.net.
  • Verify the person's authenticity by contacting the respective company. Never reply to any email address or call any phone number that arrived via a suspicious email.
  • Always install layered security software such as K7 Total Security, which comes with an email scanner and an active firewall.
  • If you fall victim to any social engineering attack, report the incident to the respective authorities immediately and change all the related passwords.
Social Engineering Knowhow 4: The murky alleys of Pharming

In this blog, we discuss the most unpredictable and infamous phishing technique, called Pharming, to carry forward our Social Engineering Knowhow series. Pharming is a portmanteau of the words phishing and farming, and is regarded as one of the most notorious social engineering attacks. Unlike other social engineering techniques such as Phishing, SMiShing, or Vishing, Pharming doesn't require any human interaction to hoodwink its victims.

In a nutshell, Pharming, popularly known as drive-by Pharming, is widely used against home, SOHO, and SME users, primarily via two methods: DNS server poisoning and malware-driven Pharming.

DNS Server Poisoning

To understand how a pharming attack is executed by poisoning a DNS server, you should first know what a DNS server is.

DNS or Domain Name System servers are computers, services, or other resources connected to a private network. These servers are primarily responsible for directing your internet traffic to the legitimate server IP address of any website you have requested.

DNS functions much like the contacts app on your smartphone. The contacts app saves a person's number together with their name, so whenever we need to call someone, we search for that person's name and tap on it. Once you tap on the name, the contacts app places a call to the number associated with it.

Similarly, when you enter a website URL (such as www.k7computing.com) in the address bar of a web browser, the DNS comes into play. It converts the URL into the corresponding IP address (for instance, 126.81.206.69).

A DNS system keeps all the previously visited URLs together with the corresponding IP addresses; this store is known as a DNS cache.

Through DNS cache poisoning, an attacker can swap the legitimate IP addresses that exist on the DNS server with the IPs of malicious websites.

DNS Server Poisoning: How it Works

Modern pharming attacks are also capable of exploiting common security vulnerabilities found in home, SOHO, and SME routers to gain access to the admin console. Once the router is compromised, the con artists modify its DNS setting to point to their own DNS server. The pharming process involves forging the DNS cache and changing the DNS server settings so that whenever a victim navigates to any website, the corrupt DNS cache redirects the traffic to a fraudulent site to do the damage.

Money-motivated cybercriminals often use DNS-poisoning pharming attacks to execute Denial of Service (DoS) attacks and steal personal, business, and banking information. DNS poisoning is also prevalently used to implement man-in-the-middle attacks and to install malware on the system.

Malware driven Pharming

Unlike the DNS server poisoning method, a malware-powered pharming attack lures the victim primarily via email phishing.

The cybercriminal often tricks the victim via a legitimate-looking email loaded with a malicious link or attachment. Once the victim clicks the link or downloads the attachment, the payload reroutes the victim's internet traffic to a malicious impersonated website. It also obtains complete control over the victim's internet traffic.

In malware-driven pharming attacks, the malicious payload rewrites the local hosts file on the victim's machine so that internet traffic is driven to fraudulent sites regardless of the website URL typed in the browser's address bar.
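A defender can look for this kind of tampering by auditing the hosts file. The following is an added example, not code from the original post: it parses hosts-file text and flags entries that override a watched domain. The watched-domain list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumption: domains whose resolution should never be overridden locally
# (in practice: your bank, webmail, SSO portal, security vendor, and so on).
WATCHED_DOMAINS = {"k7computing.com", "rbi.org.in"}

# Constructed sample hosts file, using documentation-range IP addresses.
SAMPLE_HOSTS = """\
# Constructed sample, not taken from a real incident
127.0.0.1       localhost
::1             localhost
203.0.113.25    www.k7computing.com   # redirect
198.51.100.7    rbi.org.in www.rbi.org.in
0.0.0.0         k7computing.com
192.168.1.10    nas.home.lan
not-an-ip       example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        for name in fields[1:]:                  # one IP can carry several names
            yield line_no, fields[0], name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip, reason) for every suspicious entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if not is_watched(name, watched):
            continue
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 entries block a site instead of redirecting it
            reason = "watched domain blocked locally"
        else:
            reason = "watched domain pinned to fixed IP"
        findings.append((line_no, name, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on macOS and Linux.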

Detecting a Pharming Attack

Due to the complex structure of their kill chain, pharming attacks are tough to detect and get past. Sophisticated pharming attacks often succeed in misleading the installed firewall and continuing their operation. Modern pharming attacks are also tough to identify because of their clandestine nature. To stay safe from such sophisticated cyberattacks, SOHOs, SMEs, and enterprises should educate their employees about basic cyber hygiene principles.

The cybersecurity education and awareness program should elaborate on modern attack trends, detection measures for identifying a fishy site, and what to do when employees encounter anything malicious.

Go-to Guide for the Admins

Administrators should also keep track of each device connected to the network and the vulnerabilities it introduces. Many commercial routers and embedded systems have commonly known unpatched vulnerabilities and thus often roll out the red carpet for con artists.

Running systems on dated and unpatched operating systems or application software could also expose your network to breaches.

You should always pay close attention to emails and never click or share any suspicious email with attachments.

Watch out for the websites you or your users visit. Malicious websites often intend to deliver malware payloads or browser extensions designed to modify your DNS cache.

Patch all the routers installed on your network. If any router manufacturer has stopped offering updates, you should either swap the router with the latest one or download a third-party firmware available for the router. 

You should also ensure that each URL you visit doesn't have any typographical errors. Make sure the URL begins with HTTPS.

Notice the website logo, content structure, font size, and color layout to find out if anything is fishy.

Flush your DNS cache by navigating to Start > Run or pressing Windows+R. Once the Run dialogue box appears, type CMD and hit Enter. Type ipconfig /flushdns and press Enter. You can also flush your system DNS cache via Windows PowerShell with the command Clear-DnsClientCache.

Finally, ensure all your systems have a trusted endpoint security software like K7 Endpoint Security. 

Social Engineering Knowhow 3: All you need to know about Vishing and SMiShing

Continuing our social engineering series, in this blog we discuss the two most prolific and emerging phishing tactics: vishing and SMiShing.

Through this post, we offer you an insight into the nuances of the two infamous methods and the conventional attack vectors they use alongside a set of simple-to-follow tips to protect your network.

Cyber-attacks exploiting social engineering techniques are not new. Cybercriminals practise a variety of methods to lure victims, and SMiShing and vishing have been emerging as the most common and popular infection vectors for quite a few years. Though the operation of both attack methods is quite simple, they are quite effective at stealing our data. In reality, many of us have already experienced similar attacks at some point in our lives.

What is SMiShing?

SMiShing or SMS phishing is a devious process to gain information. It is delivered through messages via SMS, MMS, social messengers, or instant messengers like WhatsApp. In contrast, vishing or voice phishing schemes are pitched through voice calls over a telephone or VoIP connection.

SMiShing has grown exponentially over the past few years following the popularity of Internet-connected phones across the world. Vishing, however, has been around for decades, but with time it has transformed itself into a lethal tool to hack into people's lives.

Interestingly, both methods bank on human emotion and involve numerous manipulation techniques to compel their victims to take urgent action.

Real Life SMiShing Scenario

Through SMiShing or SMS phishing, cybercriminals send authentic-looking fake messages with an embedded malicious URL or email address. The content usually reads as convincing and authentic, to compel the user to respond as the threat actor intends.

For example, the latest SMS in my phone inbox, sent from a regular number, reads: “CONGRATULATIONS! YOUR WHATS APP NO HAS WON RS 2 CRORE 75 LAKH IN THE WHATS APP GLOBAL AWARD 2020. TO CLAIM, SEND NAME:ADD:MOB NO:JOB:AGE: TO rbidelhi@rbigov.org.in.”

For better understanding, I have kept the exact caps sequence and the spelling used in the message. With such alluring words, users with limited cybersecurity knowledge might feel compelled to follow the fraudsters' instructions.

If you pay attention to the message in detail, you can find several discrepancies, such as:

  • Why should WhatsApp spell its name wrong? It’s WhatsApp after all, not WHATS-APP.
  • Nobody sends a message in all caps.
  • An official message usually maintains proper grammar and spaces in between.
  • Why the heck would RBI (Reserve Bank of India) be interested in the unheard-of WhatsApp Global Awards 2020?
  • If you miss these primary symptoms of a phishing message, a basic web search about RBI (Reserve Bank of India) would tell you that the RBI’s official domain name is rbi.org.in and not rbigov(.)org(.)in as mentioned in the message.

Unlike the example mentioned above, many modern smishing messages appear authentic, with zero typos or grammar mistakes. Even so, you should carefully inspect and read through each message before following any instructions. If the message holds a shortened URL or a fishy email ID, delete it or report and block the number.
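The domain check from the last discrepancy above can be automated. The following added example, which is not part of the original post, compares the domain of a sender address or URL with an allowlist of official domains and reports lookalikes; it also covers the similar-name, different-extension case mentioned in the pretexting post. The allowlist, the similarity threshold, and the misspelled test domain are assumptions constructed for illustration.

```python
import difflib
from urllib.parse import urlsplit

# Assumption: official domains the user actually deals with (constructed allowlist).
OFFICIAL_DOMAINS = ["rbi.org.in", "gizmodo.com", "k7computing.com"]


def extract_domain(value):
    """Return the lower-case host of an email address, URL, or bare host name."""
    # Accept defanged notation such as rbigov(.)org(.)in as well.
    value = value.strip().lower().replace("(.)", ".").replace("[.]", ".")
    if "://" in value:
        return urlsplit(value).hostname or ""
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value.split("/", 1)[0].rstrip(".")


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means the two strings are identical."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify(value, official=OFFICIAL_DOMAINS, threshold=0.8):
    """Return (verdict, official_domain_it_resembles_or_None)."""
    domain = extract_domain(value)
    labels = domain.split(".")

    # 1. Exact official domain or a genuine subdomain of it.
    for good in official:
        if domain == good or domain.endswith("." + good):
            return "official", good

    # 2. Brand name reused outside the official domain.
    for good in official:
        brand = good.split(".", 1)[0]            # "rbi" from "rbi.org.in"
        if brand in labels:                      # gizmodo.net vs gizmodo.com
            return "lookalike: brand name under a different domain", good
        # rbigov.org.in: brand glued to extra text. Short brands can collide
        # with innocent names, so treat a hit as a lead for manual review.
        if any(l.startswith(brand) or l.endswith(brand) for l in labels):
            return "lookalike: brand embedded in another name", good

    # 3. Near-miss spelling of a whole official domain.
    best = max(official, key=lambda good: similarity(domain, good))
    if similarity(domain, best) >= threshold:
        return "lookalike: near-miss spelling", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ["rbidelhi@rbigov.org.in", "https://www.rbi.org.in/",
                   "gizmodo.net", "k7computlng.com", "example.org"]:
        print(sample, "->", classify(sample))
```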

Social Forwards

Unfortunately, Smishing messages do not limit themselves to text messages only.

Following the popularity of social media and instant messengers, cybercriminals have become quite active on various other platforms, looking for potential victims.

Unlike SMS-based smishing methods, social media-based smishing messages tempt the recipients to forward an alluring message loaded with sarcastic, humorous, or shocking content.

The Murky Lanes of Vishing

Vishing or voice phishing is an effective and active social engineering technique. Vishing schemes are often used to obtain the information necessary to infiltrate an enterprise network. Like SMiShing, vishing activities, too, are spreading fast across social media platforms.

For example, a few months ago, a voice call was doing the rounds on WhatsApp. The caller pretended to be an official representative of the Amitabh Bachchan-hosted game show KBC (Kaun Banega Crorepati) and congratulated random WhatsApp users on winning a lottery of INR 25 Lakh. In order to transfer the prize money, the fraudster sought bank account numbers and a photograph of the bank debit card.

In 2019, a cybercriminal mimicked a CEO's voice using artificial intelligence software and asked employees to transfer funds worth roughly $243,000 to a fraudulent account. The artificial intelligence technique used in the attack is called Deepfake, which can impersonate anybody's voice using a one-minute voice file of the victim.

Ways to protect yourself from smishing and vishing

  • If you come across any finance-related frauds, report the incident to Anti-fraud cell India on 8585063104.
  • Never entertain any messages or calls from unacquainted persons.
  • Read through every incoming message claiming to be from a bank, a game show award, or a large enterprise.
  • Look up any URL, email ID, or phone number you receive using an online search before clicking on it.
  • Never call back the sender of a fraudulent message. Blocking the number could prevent the person from sending similar messages or placing a call from the same number.
  • Large enterprises seldom obtain information from their customers via phone calls or emails.
  • Double-check the authenticity of the sender or caller before passing on your valuable personal or financial information.
  • SOHOs, SMEs, and enterprises should be watchful about new and emerging attack vectors and upgrade their defense strategy accordingly.
  • Embrace a cybersecurity awareness program for all your employees.
Social Engineering Knowhow 2: Everything you should know about Phishing

For the second post in our Social Engineering Knowhow blog series, we discuss phishing. Through this blog, we will help you understand what phishing is and how it hoodwinks its targets, and spot the differences between phishing, spear phishing, and whale phishing. We will also tell you the measures for detecting and avoiding such trickery.

Cybercriminals usually prefer various unusual off-track routes to penetrate and gain control over networks while flying under the radar.

Most such deceptive methods involve phishing as the primary method of intrusion.

Phishing in the cybercrime dictionary is analogous to real-life fishing and involves the same concept of using bait to ensnare targets and gain control over them. Popular phishing attacks mostly involve baits such as free online offers, massive discounts, awards, fraudulent anti-virus, scareware pop-ups, fake software/service installation messages, fake websites, and impersonated emails.

A phishing attack is usually executed via an email message or even a phone call describing a fake lottery prize, a spoofed service or service message, or something similar. The bait in these phishing messages/emails comes as a shortened URL or an attachment under the guise of something relevant, to tempt the victim into clicking on it.

Phishing titbits

Phishing is one of the most infamous social engineering methods for executing various kinds of cyberattacks. Unlike malware, phishing banks on human error and seldom gets noticed by tracking software.

While usual phishing attacks don't specifically target any person or enterprise, spear phishing attackers observe and monitor the target's internet behaviour for some time to execute a more personalised attack.

There is also the concept of ‘Whale Phishing’, wherein attacks are targeted at wealthy or powerful individuals.

Phishing attacks usually eye the victim's sensitive financial data, such as online banking/email/social media credentials, credit card details, and insurance data, or retrieve Personally Identifiable Information (PII) such as full name, gender, mother's maiden name, favourite city, or any such sensitive data that is commonly used as an extra security measure in online banking and services.

Phishing scams have been around since the 90s, and the first recorded campaign happened in 1996, when a hacker named Khan C. Smith impersonated the America Online (AOL) website to loot the personal and credit card information of tens and hundreds of victims via emails and social messengers.

Real-life scenarios

To give an overview of how scary phishing can be, we explain a few notorious phishing attacks that happened over the past decade.

Between 2013 and 2015, a Lithuanian hacker duped both Google and Facebook through a sophisticated invoice phishing scam. Both companies lost more than $100 million.

Crelan Bank, one of the largest Belgian banks, was victimised via CEO fraud phishing. The attack was executed via a legitimate-looking email from the impersonated bank CEO. It reads, “Please process a wire transfer payment of $250,000 and code to admin expenses by COB today.”

Following the instruction, the recipient CFO transferred the amount, resulting in a $75.8 million fraud.

In 2017, con artists developed 12 fake websites of genuine construction companies and swindled around $11.8 million from MacEwan University, Canada.

Link Manipulation: a notorious Phishing method

Cybercriminals use umpteen phishing techniques to execute their malice. The most popular method for executing modern phishing schemes is link manipulation.

In link manipulation attacks, the threat actors send the victim an email loaded with malicious links. These dubious links usually redirect the victim's internet traffic to a malicious website instead of the one mentioned, to do the damage.

However, many modern commercially available cybersecurity solutions offer email filters and phishing protection that can filter out such suspicious links. As a disguise, the cyber thugs embed legitimate URLs and/or contacts inside the phishing emails.

Modern phishing emails also come with techniques such as redirecting the browser to a legitimate webpage after retrieving the credentials, or using official logos with changed HTML attributes to bypass anti-phishing filters.
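The core of link manipulation, a link whose visible text names one site while its target is another, is easy to check for. The following is an added example, not code from the original post or from any K7 product: it extracts every link from an HTML email body and reports the ones whose text and target disagree. The sample email and its hosts are constructed, using reserved example domains and documentation-range IPs.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or a bare domain name.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: one honest link mixed in with three manipulated ones.
SAMPLE_EMAIL = """
<p>Dear customer, your KYC has expired.</p>
<a href="http://rbigov.example.net/kyc">https://www.rbi.org.in/kyc</a>
<a href="https://www.rbi.org.in/">www.rbi.org.in</a>
<a href="http://203.0.113.9/login">Update now</a>
<a href="https://www.rbi.org.in@login.example.net/">Reserve Bank portal</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(a, b):
    """True if one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_link(href, text):
    """Return the list of reasons this link deserves a closer look."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparseable link target"]
    reasons = []
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("link points at a raw IP address")
    except ValueError:
        pass                                     # host is a name, not an IP
    shown = HOST_IN_TEXT.search(text)
    if shown and host and not same_site(shown.group(1).lower(), host):
        reasons.append("text shows %s but link goes to %s"
                       % (shown.group(1).lower(), host))
    return reasons


def audit_email_html(html):
    """Return (href, text, reasons) for every suspicious link in the HTML."""
    collector = AnchorCollector()
    collector.feed(html)
    checked = ((href, text, check_link(href, text))
               for href, text in collector.links)
    return [item for item in checked if item[2]]


if __name__ == "__main__":
    for href, text, reasons in audit_email_html(SAMPLE_EMAIL):
        print("%r -> %s: %s" % (text, href, "; ".join(reasons)))
```

The honest second link passes untouched, which is why a message cannot be cleared just because some of its links are legitimate.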

How to spot a phishing attack

Detecting a phishing mail is a complicated task. Cybercriminals use many techniques to hide the commonly visible symptoms of a phishing mail. However, spotting a phishing attack is not a strenuous effort as long as you pay attention to detail. Here are a few common signs you should look for to spot a scam:

  • Pay close attention to the sender's email ID and the subject line. As a rule of thumb, the sender's address should match the brand name, e.g. a person called ABC working in XYZ Computing should have an email ID like ABC@XYZ.com.
  • Threatening or dramatic language is also a common trait of phishing messages. Official emails usually refrain from any such tones.
  • If you find anything suspicious about any URL, check the security certificate of that website.
  • While entering a password or credit card information, pay close attention to the entire website. If you find anything fishy about it, stop clicking or sharing it with others.
  • Never blindly download any attachment, especially if it is something you don't need.
  • Download no email attachments from an unacquainted person. Cybercriminals nowadays send malicious ActiveX or macro-enabled files as attachments to compromise anyone's security.
  • Attackers always try to create a sense of urgency to compel the target to take action immediately. It could tempt you to take advantage of a special discount available from any e-commerce website, or offer a way to avoid a late payment fee.
  • Make transactions only on trusted websites. Also, share credit card details only on reputed payment gateways.
  • You should be cautious about any site that asks you to enter the login credentials of your social media accounts.

Beyond the email

Besides phishing attacks, we're now seeing emerging social engineering techniques via voice (known as ‘vishing’ or voice phishing) and text messages (‘SMiShing’).

Every day, our researchers at K7 Labs spot tens and hundreds of newly found phishing attacks on social media, through impersonated LinkedIn InMails or messages on Facebook, WhatsApp, or Telegram.

We will discuss both vishing and SMiShing in our next blog post. Till then, stay safe.

Social Engineering Knowhow 1: The Psychology of Falling Prey to Cybercriminals

Today we are unveiling a new blog series titled “Social Engineering Knowhow.”

Through this series of articles over a month, we will explain social engineering and spread awareness to help users become more educated about it, because it is a concern for SMEs, SOHOs and enterprises as well as for individuals, families, government and educational institutions.

Instance 1

In 2019, the CEO of a British energy firm received a call from his parent company’s CEO asking for an urgent transfer of €220,000. The deepfaked voice was minutely crafted to deceive the person on the other end and even reproduced the exact German accent of the other CEO. Assured by the voice, the British CEO transferred the requested amount to a Hungarian account controlled by the cyber crooks.

Instance 2

Before the US presidential election in 2016, Hillary Clinton’s campaign chair, John Podesta, received a spoofed email in his Gmail account. The legitimate-looking email from a Russian-sponsored hacker group asked the victim for a password reset. In response, John Podesta gave away his password, thinking it was the original Gmail login page.

Instance 3

In 2015, Patricia Reilly, an employee of Peebles Media, received a series of emails from the Managing Director asking for a quick fund transfer. Obeying the order, Ms. Reilly transferred sums amounting to £193,250 through multiple transactions. Unfortunately, the emails Patricia received were from cyber thugs. The company recovered a portion of the money from the bank and sued Patricia for the rest.

Instance 4

In 2011, cyber thugs sent an email with an MS Excel spreadsheet to two employees of American computer and network security company RSA. Once opened, the macro file inside the Excel sheet installed a backdoor into the systems. The total cost of the cyber breach was measured later as a massive $66 million.

These four real-life attack scenarios, spread over a decade, have one thing in common: cybercriminals used different forms of convincing social engineering tricks to dupe the victims. And most of the time, such nefariously brilliant social engineering tricks involve multiple stages.

The various stages are: preparing the ground by accumulating information on the victim, selecting the mode of attack, engaging the target victim, expanding foothold, executing malware and covering the tracks by removing any digital footprint from the victims’ devices.

A real-life social engineering attack is complex and sophisticated, manipulating the weakest link in the chain – humans. Interestingly, all the social engineering attack methods focus on exploiting human psychology to achieve their goals.

The Deep Inside 

According to several psychologists, threat actors bank on four key human emotions (fear, greed, desire, and curiosity) to hunt their victims. With social engineering tricks, the adversaries combine a trigger for raw human emotion with the best available technology to ensure the victim’s logical thinking shuts down.

To understand what goes on in the victim’s mind, we have to dig deep inside the human brain. With each social engineering trick, the threat actors manage to trigger the amygdala, an almond-shaped set of neurons sitting inside the brain’s medial temporal lobe.

The amygdala is responsible for our perception of extreme emotions such as anger, fear, greed, and many more.

When the victim encounters a finely crafted social engineering trick, the amygdala turns on. Most of the time it draws power from the other sections of the brain that are responsible for rational thinking, leaving us to make decisions based on emotions.

Types of Social Engineering

Social engineering is a vast pool of trickery methods, usually executed with human emotion in mind. The most popular social engineering techniques used for engineering cyber-attacks, both massive and small, are Phishing, Vishing, Smishing, Spear phishing, Pharming, Baiting, Pretexting, and Scareware.

Social Engineering 101

We will discuss each type of attack with examples in the upcoming blogs. For now, here are a handful of takeaways to keep SOHOs and SMEs safe from social engineering attacks.

  • In nine out of ten social engineering attacks, employees without proper cybersecurity awareness end up as the victims. Hence every SME or SOHO should factor in the severity and educate its employees to be wary of such attacks.
  • Embracing multi-layered security is the right approach to mitigate any such attacks. K7 Business Security offers you just that. Multi-layered security consists of nested levels of security measures that effectively detect and quarantine the infected part of a network or machine to keep the system safe.
  • Make sure your security software comes with a dedicated firewall and gateway security. The K7 Business Security suite comes with a smart firewall capable of detecting and hunting down incoming threats.
  • Phishing is the most common and popular form of social engineering used to dupe targets. Securing business email accounts is therefore another must-have to stay safe from attacks. Make sure your security software offers real-time phishing protection to filter out most such mendacious emails.
  • Impersonating popular websites is one of the most popular methods of launching social engineering attacks. As protection against such attacks, your business should also embrace a solution to detect spoofed versions of popular websites.
  • Encourage your employees to use multi-factor authentication whenever available.
  • Double-check the authenticity of any finance-related phone calls, emails, and messages before taking any action.