What are scams?
Scams are a form of social engineering attack designed to manipulate a victim into performing an action of the attacker's choosing for illicit profit. The manipulation can be carried out through coercion, threats, deception or trickery.
Why are people prone to social engineering?
It is commonly due to human psychology, e.g. desire, greed, fear or gullibility. As humans, it is natural to exhibit these traits. A lonely woman or man is easy prey for love scams, and a profit-minded person is an easy target for investment scams. A career-minded person or desperate job seeker is easy prey for job scams, and tech-illiterate retirees get scammed by fake tech support or fake law enforcement agencies into transferring money into attacker-controlled bank accounts. While scams are usually profit driven, social engineering also serves as a means to infiltrate or circumvent enterprise security controls. Both scams and social engineering attacks can be performed physically or logically. Physical attacks involve face-to-face impersonation at the victim's premises, while logical attacks can be done remotely via emails, voice calls or phishing websites.
What other scenarios is social engineering used for?
It is often said that the weakest link in computer security is the user. While highly skilled hackers usually find software flaws in widely used applications, it does not always have to be that difficult to pull off a heist. In a red teaming exercise (an end-to-end assessment of an organization's security against cyber attacks), social engineering is by far the most common attack path for gaining initial access to corporate networks. For example, red teamers impersonate HR by sending mandatory 'on-boarding' exercise emails to new employees of a bank, using email addresses scraped from LinkedIn. The emails sent to unsuspecting employees contain dropper links that download sophisticated malware able to evade endpoint protection systems. Once executed by the victim, the malware calls back home, allowing the attacker to remotely control the victim's machine and perform further arbitrary actions without the victim's consent or knowledge.
The ultimate goal of an attacker is to gain access to sensitive information vaults and exfiltrate data out of the organization's network perimeter without detection; some attackers also deliberately encrypt critical systems with ransomware and demand payment in cryptocurrency to unlock them.
How to protect against social engineering & scam attacks?
Constantly educate and remind people of the dangers of trusting anything they see, read or receive on the Internet. The Internet allows anyone to easily manipulate text, voice and images, so always question the authenticity of anything you receive, read, hear, see or download. The Web is a complex, global public network of interconnected hosts, notoriously known as the wild west, so always tread with caution. As a general rule, do not click untrusted links, download or install untrusted software, or pick up unknown voice or video calls. Do not voluntarily give out personal information such as your full name, date of birth, residential address, social security number or bank account details. This applies to websites as well as to anyone who asks you for private details. The more an attacker knows about you and your organization, the easier it is for them to design an elaborate plan to eventually trick, coerce or deceive you. While there are countless logical controls built around users to prevent security breaches, not every problem can be solved by installing software alone. Software is only as good as the user operating it, so user education is also vital in protecting against security breaches.