Modern society has surrounded by an infinity of devices sharing confidential information all the time. Regardless of the interacting context, people have utterly interconnected in both particular and professional environments. This disruptive manner of communication has made the day by day of people easier and an increasing number of companies around the world have relied on their business on such a way of sharing information. Nevertheless, some security issues also arise from this technological revolution in communication. An intrinsic aspect is the constant risk of data privacy violation through the use of the own technology. However, another threat to data security is related to direct human intervention which is also known as social engineering.

Social engineering is a term applied to a wide variety of personal strategies employed to persuade a person to share sensitive information. According to Sara Granger from Symantec, it involves a “clear manipulation of the natural human tendency to trust”. Commonly, a hacker tries to have access to a non-authorized system and information by means of psychological tricks. By inciting a sense of safeness in the victim, the hacker instigates the critical information owner to share data that should otherwise keep in secret. Imperva Incapsula, a cybersecurity specialized company, has described four general steps that are normally followed during a social engineering attack. First, the hacker gathers relevant information and selects both victim and methods — Investigation step. Second, the hacker deceives the victim and takes control of the situation — Hook step. Third, by storing private data for a time, the hacker executes the security violation — Play step. Finally, the hacker leaves the scene cleaning any track of its action — Exit step.

Considering the subtlenesses and subjectiveness involved in a social engineering attack, a basic step toward the data privacy protection is to know the main techniques and methods used by hackers

Human-based Social Engineering Attacks

Human-based attacks lie in the interaction person-person and threat success depends on the level of ignorance or weakness of the victim. By having contact with the person to be deceived, hackers try to make the target comfortable with the interaction that is taking place. As long as suspicious are gradually taken away from the interaction between hacker and victim, a sense of safeness starts growing in such an interpersonal relationship. At this point, the victim becomes less warning and, hence, more favorable to share information. Commonly, hackers inquire the victim using superficial questions until a piece of sensitive information is revealed. Sometimes, more directed questions are also employed.

Pretexting

This attack involves trying to gather as much information as possible using a false reason. According to Imperva Incapsula, “the attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.” Normally, it is not restricted to well-crafted lies and also includes extensive research around the victim. Another important aspect of such an attack is not asking a bunch of information at once, but digging for small sensitive information. Hackers justify the necessity of such confidential information pretending they were ordered to run a critical task.

Reverse Social Engineering

In this attack, also known as Quid Pro Quo, the hacker works toward inverting the order of the contact initiative. Instead of giving the first step by asking the victim for private information, attackers prepare a scenario in which they can be seen as helpers. A traditional example of such a scenario was described by Ivaturi and Janczewski in the article A Taxonomy for Social Engineering attacks. According to the authors, “the attacker firsts sabotage the network of the organization then advertises himself as the right person with a solution and with a bit of assistance from the victim fixes the problem. In the last stage, he gets what he really needs by requesting the victim to log into the network under the aforementioned pretext”. Social networks constitute another propitious environment for threats like this. In the article Reverse Social Engineering Attacks in Online Social Networks, the authors explain that “online social engineering attacks are easy to propagate, difficult to trace back to the attacker, and usually involves a low cost per targeted user”.

Tailgating

This type of threat, also known as piggybacking, is based on two pillars: impersonation and dissimulation. By the first step, the hacker impersonates a service supplier outside the target organization. Eventually, an employee receives the authorization to come into the company and the fake service supplier asks such an employee to keep the door open. After that, the attacker uses previously gathered information dissimulating held knowledge about the company. The objective is to pass by the front desk. In view of the attack approach, it is less improbable in large companies since the employees are supposed to have a swipe card. Based on this, David Bisson comments in his article (5 Social Engineering Attacks to Watch Out For) that mid-size companies constitute the main target for this kind of threat.

Software-based Social Engineering Attacks

Social engineering threats go far beyond the interaction person-person. Diversity of systems is also employed in order to potentiate attacks of this category. Since hackers are not physically present during the criminal action, software-based threats represent more viable and scalable options for carrying out their attacks. In this context, the Internet leverage the attacker’s power and, because of this, it is widely explored by them. Risks increase vertiginously given that people usually share an infinity of personal information online which can be easily searched by social engineers. According to the article Advanced social engineering attacks, attackers often use search engines to gather personal information about future victims. There also are tools that can gather and aggregate information from different Web sources.

Phishing

A phishing threat takes place when the attacker tries to catch confidential information from the victim faking it is a trustworthy entity. The main way employed is by preparing an email and sending it to a bunch of contacts. A recipient becomes a victim to this attack once it clicks on the link sent together with the email. The victim is redirected to a deceived website where its personal information is required. Spear-phishing is a particular version of such an attack. It happens when the target is a specific individual or company.

Malware

This threat is based on persuading a victim to take any action that will trigger the attack execution in the background. A common way to carry out such an attack is by means of emails with attached files. The strategy involves inciting the curiosity of the victim in order to motivate the person to open the email and click on the attached file sent together with it. By doing this, the computer is infected with a script that looks for confidential information of the victim and sends them to the attacker. Popups are another effective way to persuade people to take damaging action. Normally, they come from online advertisements or warnings about probable virus infection. In such cases, the victim is guided to download a file that will unleash the attack.

Social Engineering Prevention

Social engineering is a criminal action whose essence relies on the capacity of manipulating others. Technology just adds sophistication to the employed tactics. Prevention against this threat involves simple but effective measures. Avoiding open suspicious emails, keeping antivirus updated, and being wary of tempting offers may prevent much of software-based attacks. Moreover, a selective attitude regarding the type and the quantity of information that is shared with others constitute an additional barrier against different categories of social engineering attacks.