Social Engineering
Accident-Prone Employee
If an employee accidentally loses their mobile device, sends an email to incorrect recipients, or leaves a system loaded with confidential data logged-in, it can lead to unintentional data disclosure.
Lack of Security Policies
Implementation of certain security measures such as password change policy, information sharing policy, access privileges, unique user identification, and centralized security, prove to be beneficial.
Implement Two-Factor Authentication
Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs and modem pools. In the two-factor authentication (TFA) approach, the user must present two different forms of proof of identity.
It is a professional platform where employees or job seekers post all their personal and professional details such as working company, total experience, and superficial information regarding the projects they worked on.
Consensus or Social Proof
It refers to the fact that people are usually willing to like things or do things that other people like or do.
Several Organizational Units
Organizations having units at different geographic locations, makes it difficult to manage and attacker can easily access the sensitive information.
Unregulated Access to Information
Providing unlimited access or allowing everyone access to such sensitive data might cause trouble.
SMiShing
Sending SMS is another technique used by attackers in performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into taking instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details
Implement a Spam Filter
Set up spam filters to avoid inbox flooding and stop infected emails from reaching the device.
Terminated Employee
Some employees take valuable information about the company with them when terminated. These employees access the company's data after termination using backdoors, malware, or their old credentials if they are not disabled.
Spam Email
Spam is irrelevant, unwanted, and unsolicited emails designed to collect financial information such as social security numbers, and network information. Attackers send spam messages to the target to collect sensitive information, such as bank details.
Undertrained Employee
A trusted employee becomes an unintentional insider due to a lack of cybersecurity training. They fail to adhere to cybersecurity policies, procedures, guidelines, and best practices.
Instant Chat Messenger
An attacker chats with selected online users via instant chat messengers and tries to gather their personal information such as date of birth or maiden name. They then use the acquired information to crack users' accounts.
Piggybacking
An authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, e.g., "I forgot my ID badge at home. Please help me."
Wardriving
Attackers search for unsecured Wi-Fi wireless networks in moving vehicles containing laptops, smartphones, or PDAs. Once they find unsecured networks, they access any sensitive information stored on the devices of the users on those networks.
Spear Phishing
Attackers send spear phishing to send a message with specialized, social engineering content directed at a specific person, or a small group of people.
Disgruntled Employee
Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on the company, first acquire information and then wait for the right time to compromise the organization's resources.
Netcraft
a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Toolbar provides updated information about sites that users visit regularly and blocks dangerous sites. The toolbar provides a wealth of information about popular websites. This information will help to make an informed choice about the integrity of those sites
Factiva
a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management.
Chain Letters
a message offering free gifts, such as money and software, on the condition that the user forwards the email to a predetermined number of recipients. Common approaches used in chain letters are emotionally convincing stories, "get-rich-quick" pyramid schemes, spiritual beliefs, and superstitious threats of bad luck to the recipient if they "break the chain" and fail to pass on the message or simply refuse to read its content. Chain letters also rely on social engineering to spread
Hoax
a message warning its recipients of a non-existent computer virus threat. It relies on social engineering to spread its reach. Usually, hoaxes do not cause any physical damage or loss of information; but they cause a loss of productivity and use an organization's valuable network resources.
Baiting
a technique in which attackers offer end users something alluring in exchange for important information such as login details and other sensitive data. This technique relies on the curiosity and greed of the end-users.
Honey Trap
a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.
Hacking
a technique where attackers may compromise user systems and route information using listening devices such as sniffers and scanners.
Scareware
a type of malware that tricks computer users into visiting malware-infested websites or downloading or buying potentially malicious software.
Whaling
a type of phishing that targets high profile executives like CEO, CFO, politicians, and celebrities who have complete access to confidential and highly valuable information.
Vishing
an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing their critical financial and personal information and uses the information for financial gain.
DuckDuckGo
an internet search engine that emphasizes protecting searchers' privacy and avoiding the filter bubble of personalized search results.
Catfishing Attack
an online phishing scam in which attackers target a person on social media platforms (Facebook, Instagram, etc.) and perform identity theft. After stealing the target profile's identity, attackers create a fake social media account and masquerade as the owner of the account. Then, attackers use that account for communicating with other users online via chat boxes or other means to establish personal or business relationships. Later, they perform cyberbullying or other social engineering attempts for monetary gain.
Mention
an online reputation tracking tool that helps attackers in monitoring the web, social media, forums, and blogs to learn more about the target brand and industry.
Spimming
exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called Spimmer.
Eweka
finds valuable information about the operating systems, software, web servers, etc., used by the target organization.
Authority
implies the right to exercise power in an organization. Attackers take advantage of this by presenting themselves as a person of authority, such as a technician or an executive.
Scarcity
implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process.
Archive critical data
in the form of archives to be used as backup resources, if needed.
Compromised Insider
insiders having access to critical assets or computing devices of an organization. This type of threat is more difficult to detect since the outsider masquerades as a genuine insider.
Professional Insider
most harmful insiders where they use their technical knowledge to identify weaknesses and vulnerabilities of the company's network and sell the confidential information to the competitors or black market bidders.
Intimidation
refers to an attempt to intimidate a victim into taking several actions by using bullying tactics.
Skimming
refers to stealing credit/debit card numbers by using special storage devices called skimmers or wedges when processing the card.
Elicitation
the technique of extracting specific information from the victim by involving them in normal and disarming conversations. In this technique, attackers must possess good social skills to take advantage of professional or social opportunities to communicate with persons who have access to sensitive information. In social engineering, the purpose of elicitation is to extract relevant information to gain access to the target assets.
Malicious Insider
threats come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network.
Legal policies
to prevent employees from misusing the organization's resources and sensitive data theft.
Pretexting
where fraudsters may pose as executives from financial institutions, telephone companies, and so on, who rely on "smooth talking" and win the trust of an individual to reveal sensitive information.
Negligent Insider
who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency, are more vulnerable to social engineering attacks. A large number of insider attacks result from employee's laxity towards security measures, policies, and practices.
Social Identity Theft
This is another common type of identity theft where the perpetrator steals victim's Social Security Number in order to derive various benefits such as selling it to an undocumented person, using it to defraud the government by getting a new bank account, loans, credit cards, or applying for and obtaining a new passport.
Criminal Identity Theft
This is one of the most common and most damaging types of identity theft. A criminal use someone's identity to escape criminal charges. When they are caught or arrested, they provide the assumed identity. The best way to protect against criminal identity theft is to keep all personal information secure, which includes following safe Internet practices and being cautious of "shoulder surfers
Synthetic Identity Theft
This is one of the most sophisticated types of identity theft, where the perpetrator obtains information from different victims to create a new identity. Firstly, he steals a Social Security Number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. The perpetrator uses this new identity to open new accounts, loans, credit cards, phones, other goods, and services.
Medical Identity Theft
This is the most dangerous type of identity theft where the perpetrator uses the victim's name or information without the victim's consent or knowledge to obtain medical products and claim health insurance or healthcare services.
Identity Cloning and Concealment
This type of identity theft encompasses all forms of identity theft, where the perpetrators attempt to impersonate someone else simply in order to hide their identity. These perpetrators could be illegal immigrants, those hiding from creditors, or simply those who want to become "anonymous."
Driver's License Identity Theft
This type of identity theft is the easiest as it requires a little sophistication. A person can lose their driver's license, or it can easily be stolen. Once it falls into the wrong hands, the perpetrator can sell the stolen driver's license or misuse it by committing traffic violations.
Financial Identity Theft
This type of identity theft occurs when a victim's bank account or credit card information is stolen and illegally used by a thief. They can max out a credit card and withdraw money from the account, or can use the stolen identity to open a new account, apply for new credit cards, and take out loans.
Child Identity Theft
This type of identity theft occurs when the identity of a minor is stolen. This is desirable because it may go undetected for a long time. After birth, parents apply for a Social Security Number for their child, which along with a different date of birth, is used by identity thieves to apply for credit accounts, loans or utility services, or to rent a place to live and apply for government benefits.
Tax Identity Theft
This type of identity theft occurs when the perpetrator steals the victim's Social Security Number to file fraudulent tax returns and obtain fraudulent tax refunds. It creates difficulties for the victim in accessing their legitimate tax refunds and results in a loss of funds. Phishing emails are one of the main tricks used by the criminal to steal a target's information.
Pop-Up Windows
Windows that suddenly pop up while surfing the Internet and ask for user information to login or sign-in.
WolframAlpha
a computational knowledge engine or answer engine.
Shodan
a computer search engine that searches the Internet for connected devices (routers, servers, and IoT.). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them.
Pharming
Also known as "phishing without a lure" and performed by using DNS Cache Poisoning or Host File Modification.
Shoulder Surfing
Direct observation techniques such as looking over someone's shoulder to get information such as passwords, PINs, account numbers, etc.
Separation and rotation of duties
Divide responsibilities among multiple employees to restrict the amount of power or influence held by any individual. This helps to avoid fraud, abuse, and conflict of interest and facilitates the detection of control failures.
Hoax Letters
Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system.
Insufficient Security Training
Employees can be ignorant about the social engineering tricks used by attackers to lure them into divulging sensitive data about the organization.
Implement a Hardware Policy
Ensure that individuals are aware of what hardware can be used. For example, the use of USB drives should be disallowed.
Implement a Software Policy
Ensure that only legitimate software is installed and specify the individuals responsible for software installation.
Reverse Social Engineering
The attacker presents him/herself as an authority, and the target seeks his or her advice before or after offering the information that the attacker needs.
Diversion Theft
The attacker tricks a person responsible for making a genuine delivery into delivering the consignment to a location other than the intended location.
Tailgating
The attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access.
Logging and auditing
check for misuse of company resources.
Insurance Identity Theft
closely related to medical identity theft. It takes place when a perpetrator unlawfully takes the victim's medical information to access their insurance for medical treatment.