Hi good people! By way of social engineering tactics, have you ever been called by persons purporting to come from certain renowned betting or lottery companies, telling you that you have won a certain amount of money and that they need some confidential personal data from you to facilitate the transfer of that money to your account? Have you ever been called by fake customer care agents from Safaricom requesting to help you update your M-PESA PIN because it is part of their routine system maintenance for security reasons?
In this article, I am going to share with you the tactics used by these cybercriminals. They all involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. This is a continuation of the previous topic on Social Engineering that I shared on my YouTube channel.
Social Engineering Tactics
Social engineering attacks are not only becoming more common against financial institutions, they are also increasingly sophisticated, as attackers devise ever-cleverer methods of fooling employees and individuals into handing over valuable company data or their own personal data to help these attacks succeed.
- Authority: People are more likely to comply when instructed by a person they consider to be of higher authority than themselves.
Example: An employee opens a virus-infected email that appears to come from their immediate boss or even the CEO of the company they work for.
- Intimidation: Cybercriminals bully a victim into taking an action that advances the criminals' plans.
Example: An executive secretary receives a call from her "boss", who is about to give an important presentation but whose files are corrupt. The cybercriminal asks for the files to be sent immediately to a fake email address he provides. Because the secretary is intimidated and believes the caller really is her boss, she sends the files to the criminal.
- Building Consensus and Social Proof: People will take an action if they think that other people approve of it too.
Example: Cybercriminals create websites with fake testimonials that promote a certain product and indicate that it is safe. When a victim reads these testimonials and believes them to be true, they end up falling into a trap. The trap may be a form, presented for instance before purchasing the product, that collects very important and confidential data from the victim such as credit card information.
- Scarcity: People will take an action when they think there is a limited quantity remaining.
Example: Criminals offer a limited opportunity that "will not last" to spur the victim into acting immediately. For example, if you have been looking for a certain job for many years without success and you are told this is a limited chance, you may end up falling into the criminal's trap at whatever cost in order to get the job of your dreams, e.g. by sending a certain amount of money or providing the confidential details requested.
- Urgency: People will take an action when they think there is limited time.
Example: Criminals set a deadline for taking an action, tied to a certain price or consequence. This can be a criminal sending a fake malicious email or even an SMS purporting to come from the victim's bank, stating that they have until a certain date to update their records through the link provided, otherwise their account will be closed.
- Familiarity: Criminals build rapport with the victim to establish a relationship.
Example: People are likely to act faster if they like or are familiar with the person asking. A good example is a close friend of yours forwarding you a malicious link on WhatsApp; since you trust that friend, you end up clicking the link, which then requests that you take further actions that aid the attackers.
- Trust: Criminals build a trusting relationship with the victim, which may take more time to establish.
Example: A "bank attendant" calls the victim offering advice concerning his or her account, and presents credentials to back it up. While "helping" the victim, the criminal discovers "serious errors" in the account that need immediate attention. The "solution" that follows gives the criminal the opening they need.
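As an added illustration of how the seven tactics above can be spotted in an incoming message (this is example code written for this article, not part of any product), the snippet below scores a message by counting which tactics' cue phrases it contains and whether it asks for a secret or a payment. The cue phrases and the sample messages are my own constructed examples and are deliberately small; a real awareness or mail-filtering tool would use far richer lists.

```python
import re

# Illustrative cue phrases for each tactic described above (constructed, not exhaustive).
TACTIC_CUES = {
    "authority": [r"\b(ceo|director|your boss|head office|management)\b", r"\bon behalf of\b"],
    "intimidation": [r"\b(legal action|suspended|blocked|penalt(y|ies)|arrest)\b"],
    "social_proof": [r"\b(thousands|millions) of (customers|users|winners)\b", r"\btestimonials?\b"],
    "scarcity": [r"\bonly \d+ (slots|positions|spots)\b", r"\blimited (offer|opportunity|chance)\b"],
    "urgency": [r"\b(immediately|within \d+ (hours|minutes)|before \w+day|today)\b", r"\b(expire|deadline)s?\b"],
    "familiarity": [r"\b(my friend|dear friend|it'?s me)\b"],
    "trust": [r"\b(customer care|customer agent|routine maintenance|security reasons)\b"],
}

# Every tactic is steering the victim toward one of these: a secret or money.
SENSITIVE_REQUEST = r"\b(pin|password|otp|id number|card number|cvv|send (money|ksh|\d+))\b"


def detect_tactics(message: str) -> dict:
    """Return {tactic: [matched phrase, ...]} for each tactic whose cues appear."""
    found = {}
    for tactic, patterns in TACTIC_CUES.items():
        hits = []
        for pattern in patterns:
            hits += [m.group(0) for m in re.finditer(pattern, message, re.IGNORECASE)]
        if hits:
            found[tactic] = hits
    return found


def risk_score(message: str) -> int:
    """One point per tactic present, plus two if a secret or payment is requested."""
    score = len(detect_tactics(message))
    if re.search(SENSITIVE_REQUEST, message, re.IGNORECASE):
        score += 2
    return score


# Constructed sample messages modelled on the scenarios in this article.
SAMPLES = {
    "mpesa_pin": "Hello, this is Safaricom customer care. For security reasons we are doing "
                 "routine maintenance; please confirm your M-PESA PIN immediately.",
    "bank_deadline": "Dear customer, update your records via this link before Friday "
                     "or your account will be suspended.",
    "benign": "Hi, the meeting is moved to 3pm tomorrow. See you there.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, risk_score(text), detect_tactics(text))
```

A score of 3 or more is a reasonable threshold for "stop and verify through a channel you already trust", which is exactly the response the awareness training should drill.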
One of the greatest dangers of social engineering is that the attacks don't have to work against everyone: a single successfully fooled victim can provide enough information to trigger an attack that affects an entire organization. For how to shut down each of the tactics above, watch my video on Social Engineering, where I also talk about how to prevent social engineering attacks.