Social engineering, the practice of extracting information from a person by exploiting their instinct to react, to help, or to be lured by some form of false promise, isn't as modern as the name suggests. Although the term 'social engineering' is relatively new, the process of obtaining sensitive information from a victim has been around for a very long time.
The digital age, of course, has multiplied these attacks and the channels through which they're delivered. A victim is no longer beguiled by post; now they're bombarded by fake websites, emails and a string of other cleverly disguised mediums.
Let's break down the three main modern methods a scammer will use to try to obtain your personal and sensitive information: phishing, vishing and smishing.
Phishing is the attempt to obtain information from a potential victim through email, messaging, social media and auction sites. It can take the form of an email, for example, claiming to have some money available for you, or pretending to be from your bank or credit card company. Social media phishing includes individuals befriending you, or pretending to be someone you may know, and then asking for information. Similarly, a phishing attack can come in the form of a seemingly friendly Facebook quiz, such as 'name the top five things about yourself and tag ten friends…'. The unwitting victim will happily reveal their date of birth, where they were born, their pets' names, the names of any children and so on. The attackers gather all that information and use it to their advantage.
There are also three distinct sub-types of phishing: spear phishing, clone phishing and whaling.
Spear phishing is designed to target a specific individual, using information gathered through means such as the Facebook 'game' above so that the scammer can personalise their attack on the victim.
Clone phishing is an attack that reuses a previously delivered, legitimate email containing an attachment, but with the details changed and the attachment swapped for a virus or keylogger. To the victim the email looks real, since it's cloned from a real email, and when the attachment is opened it infects the computer.
Whaling is a phishing attack that targets the senior executives of a company, or a high-profile individual or business. The attack is a finely crafted email or web address created to look business-like and containing information specific to the company or individual.
Vishing is voice phishing: using a telephone call to carry out some form of social engineering attack. The victim will, as we've explained previously, receive a call from a legitimate-sounding call centre, with the person on the line claiming to be from a well-known computer-related company. Usually the victim is led to believe that there's a virus on their computer or that some form of security vulnerability has been detected. The victim is then guided to a website through which the caller can make a remote connection to their computer. Once on the victim's computer, the caller runs a script that displays reams of data on the screen, designed to confuse and baffle the victim. In the meantime, they're secretly running a keylogger in the background.
In some circumstances they will then claim to have fixed the so-called issue, but ask you to log into your bank to double-check that all is well. With a keylogger in place, they can see your username and password on their screen, after which they log in and steal from your account.
Alternatively, an automated call may ask you to enter your credit card number on the phone's keypad, on the pretext that the card has been reported as used elsewhere. Of course it hasn't, but as soon as you enter the details they're recorded and your card can be used by the scammers.
Smishing is the SMS form of phishing. In these cases you receive a text from a seemingly legitimate source, usually purporting to be your bank or credit card company, but sometimes announcing a competition win or something free, asking you to confirm your details. There's often a link for you to follow, which leads to a fake website that logs your keystrokes and records your data.
Some smishing attacks will ask you to send a return SMS to approve an action, such as a delivery of some goods. The return message is designed to cost significantly more than the usual SMS rate, with the money going straight to the scammers.
One way or another, each of these scams is designed to bait the victim, hence the 'phishing' element, a homophone of the word fishing. The best defence is to ignore, delete or hang up on anything that's even remotely suspicious. Microsoft doesn't know whether you have a virus, and it will not telephone you. Your bank won't email you for your account details, and don't be tempted to fill in any Facebook games with personal information. In short, be savvy about baiting techniques and remain vigilant.