Social engineering uses human weakness or psychology to gain access to the system, data, personal information, etc. It is the art of manipulating people. It doesn’t involve the use of technical hacking techniques. Attackers use new social engineering practices because it is usually easier to exploit the victim’s natural inclination to trust. For example, it is much easier to fool someone to give their password instead of hacking their password. Sharing too much information on social media can enable attackers to get a password or extracts a company’s confidential information using the posts by the employees. This confidential information helped attackers to get the password of victim accounts. 

How do Social Engineering Attacks Take Place? 

Phishing scams are the most common type of Social Engineering attacks these days. Tools such as SET(Social Engineering Toolkit) also make it easier to create a phishing page but luckily many companies are now able to detect phishing such as Facebook. But it does not mean that you cannot become a victim of phishing because nowadays attackers are using iframe to manipulate detection techniques. An example of such hidden codes in phishing pages is cross-site-request-forgery “CSRF” which is an attack that forces an end user to execute unwanted actions on a web application. Example: In 2018 we have seen a great rise in the use of ransomware which has been delivered alongside Phishing Emails. What an attacker does is usually deliver an attachment with a subject like “Account Information” with the common file extension say .pdf/.docx/.rar etc. The user generally clicks and the attacker’s job gets done here. This attack often encrypts the entire Disk or the documents and then to decrypt these files it requires cryptocurrency payment which is said to be “Ransom(money)”. They usually accept Bitcoin/Ethereum as the virtual currency because of its non-traceable feature. Here are a few examples of social engineering attacks that are used to be executed via phishing:

• Banking Links Scams
• Social Media Link Scams
• Lottery Mail Scams
• Job Scams

Purpose

The purpose of social engineering attacks is typically to steal sensitive information, such as login credentials, credit card numbers, or personal information. Attackers can use this information for identity theft, financial fraud, or other malicious purposes. Another purpose of social engineering attacks is to gain unauthorized access to secure areas or systems. For example, an attacker might use tailgating to follow an authorized individual into a secure area or use pretexting to convince an individual to give them access to a restricted system.

Types of Social Engineering 

There are many different types of social engineering attacks, each of which uses a unique approach to exploit human weaknesses and gain access to sensitive information. Here are some of the types of attacks, include:

• Phishing: Phishing is a type of social engineering attack that involves sending an email or message that appears to be from a legitimate source, such as a bank, in an attempt to trick the recipient into revealing their login credentials or other sensitive information.
• Baiting: Baiting is a type of social engineering attack that involves leaving a tempting item, such as a USB drive, in a public place in the hope that someone will pick it up and plug it into their computer. The USB drive is then used to infect the computer with malware.
• Tailgating: Tailgating is a type of social engineering attack that involves following an authorized individual into a secure area, such as a building or data center, without proper authorization.
• Pretexting: Pretexting is a type of social engineering attack that involves creating a false identity or situation in order to trick an individual into revealing sensitive information. For example, an attacker might pretend to be a customer service representative in order to trick an individual into giving them their login credentials.
• Vishing: Vishing is a type of social engineering attack that involves using voice phishing, or “vishing,” to trick individuals into revealing sensitive information over the phone.
• Smishing: Smishing is a type of social engineering attack that involves using SMS messages to trick individuals into revealing sensitive information or downloading malware.

Prevention

• Timely monitor online accounts whether they are social media accounts or bank accounts, to ensure that no unauthorized transactions have been made.
• Check for Email headers in case of any suspecting mail to check its legitimate source.
• Avoid clicking on links, unknown files, or opening email attachments from unknown senders.
• Beware of links to online forms that require personal information, even if the email appears to come from a source. Phishing websites are the same as legitimate websites in looks.
• Adopt proper security mechanisms such as spam filters, anti-virus software, and a firewall, and keep all systems updated, with anti-keyloggers.