Saturday, December 27, 2025

Scams and Social Engineering Attacks

What are scams?

Scams are a form of social engineering attack designed to manipulate a victim into performing an action that benefits the attacker, usually for illicit profit. The manipulation can be carried out through coercion, threats, deception or trickery.

Why are people prone to social engineering?

It is commonly due to human psychology, e.g. desire, greed, fear or gullibility. It is only natural to exhibit these traits; after all, it is what makes us human. It is therefore not surprising that even highly educated professionals such as doctors, accountants, IT executives and lawyers are susceptible to social engineering attacks. A lonely woman or man is easy prey for love scams, and a profit-minded person is an easy target for investment scams. A career-minded person or desperate job seeker is easy prey for job scams, while tech-illiterate retirees get scammed by fake tech support or fake law enforcement agencies into transferring money into attacker-controlled bank accounts. While scams are usually profit driven, social engineering also serves as a means to infiltrate or circumvent enterprise security controls. Both scams and social engineering attacks can be performed physically or logically. Physical attacks involve face-to-face impersonation at the victim's premises, while logical attacks are done remotely via email, voice calls or phishing websites.


What other scenarios is Social Engineering designed for?

It is often said that the weakest link in computer security is the user. While highly skilled hackers usually find software flaws in widely used applications, it doesn't always have to be that difficult to pull off a heist. In red teaming exercises (an end-to-end security assessment of an organization's resiliency against cyber attacks), social engineering is by far the most common attack path to gain initial access into corporate networks. For example, red teamers impersonate HR by sending mandatory 'on-boarding' exercise emails to new employees of a pharmaceutical company, using addresses scraped off LinkedIn. These emails contain dropper links that download malware sophisticated enough to evade endpoint protection systems. Once executed, the malware calls back home, allowing the attacker to remotely control the victim's host and perform further arbitrary actions without the consent or knowledge of the victim.

The ultimate goal of an attacker is to gain access to sensitive information vaults and exfiltrate data out of the organization's network perimeter without detection. Some attackers instead deliberately encrypt critical systems using ransomware and demand payment in cryptocurrency to unlock them.
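The HR-impersonation email described above carries several indicators a mail gateway or SOC analyst can check for before a user ever sees the link: a display name claiming an internal role from an external domain, a Reply-To that diverges from the sender, pressure wording, link text that shows one domain while the href goes to another, and a direct download of an executable. The following is an added example, not code from the original post, that turns those observations into a small triage routine. The internal domain, the keyword lists and both sample messages are constructed for illustration.

```python
"""Added example: heuristic triage of an inbound email for common
social-engineering indicators (display-name/domain mismatch, divergent
Reply-To, pressure language, deceptive link text, executable downloads).
All domains, keywords and messages are constructed, not taken from the post."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the organisation's own mail domain(s) (an assumption for the example)
INTERNAL_DOMAINS = {"example-pharma.test"}
# Wording that pressures the recipient into acting without thinking
URGENCY_WORDS = ("mandatory", "immediately", "within 24 hours", "account suspended", "urgent")
# File types commonly delivered as droppers
RISKY_EXTENSIONS = (".exe", ".js", ".hta", ".scr", ".iso", ".lnk")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host of a URL or domain part of an email address ('' if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def triage_email(raw):
    """Return the list of indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _domain(address)

    # 1. Display name claims an internal role but the address is external.
    if sender_domain and sender_domain not in INTERNAL_DOMAINS:
        if re.search(r"\b(hr|human resources|it support|payroll)\b", display_name, re.I):
            findings.append(f"internal role '{display_name}' sent from external domain {sender_domain}")

    # 2. Reply-To steers answers to a domain other than the sender's.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # Concatenate text and HTML parts (works for single-part messages too).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")

    # 3. Pressure / coercion language.
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    # 4. Link text shows one domain while the href goes elsewhere, or the href is a risky download.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = _domain(href)
        text_domain = _domain(text) if re.match(r"https?://", text) else None
        if text_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain} but points to {href_domain}")
        if href.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link to executable download: {href}")
    return findings


# Constructed sample messages for demonstration (not real traffic).
SAMPLE_PHISH = """\
From: Human Resources <hr-onboarding@example-pharma-hr.test>
Reply-To: onboarding@mail-drop.test
To: new.hire@example-pharma.test
Subject: Mandatory on-boarding exercise
Content-Type: text/html

<p>Welcome! This training is mandatory and must be completed immediately.</p>
<p><a href="http://downloads.mail-drop.test/onboarding.exe">https://example-pharma.test/onboarding</a></p>
"""

SAMPLE_LEGIT = """\
From: Human Resources <hr@example-pharma.test>
To: new.hire@example-pharma.test
Subject: Welcome
Content-Type: text/plain

Welcome aboard. Your manager will schedule your first-week orientation.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_email(sample))
```

Each finding maps to one of the traits the post attributes to the attack (impersonation, urgency, deceptive links, a dropper), so the list can be surfaced to the recipient as a banner or used to quarantine the message; the heuristics are deliberately simple and are meant to complement, not replace, authentication checks such as SPF/DKIM/DMARC and endpoint controls.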

How to protect against social engineering & scam attacks?

Constantly educate and remind people of the dangers of trusting anything they see, read or receive on the Internet. Advances in AI allow anyone to easily manipulate text, voice, video and images, so always question the authenticity of anything you receive, read, hear, see or download. The Web is a complex global public network of millions of interconnected computers, notoriously known as the wild west, so always tread with caution. As a general rule, do not click untrusted links, download or install untrusted software, or pick up unknown voice or video calls. Do not voluntarily give out personal information such as your full name, date of birth, residential address, social security number, bank account details, etc. This applies to websites as well as to anyone who might ask you for private details. The more an attacker knows about you or your organization, the easier it is for them to design an elaborate scheme to eventually trick, coerce or deceive you. While there are countless logical controls built around users to prevent security breaches, not every problem can be solved by installing software alone. Software is only as good as the people using it. User education and awareness are vital in protecting against security breaches.