What Is Social Engineering and How Does It Work?
Social engineering is a method that criminals use to gain unauthorized access to your computer by manipulating people rather than defeating technology. It can begin offline and then move to online activity, but every variant shares one motive: unauthorized access to PCs and personal information. Social engineering shows up as phishing attacks, spear phishing attacks and email hoaxes, as well as a wide range of offline activities.
How Social Engineering Works
First, we will take a look at some of the offline activities that criminals use to perpetrate social engineering.
- Penetration Testing: Offline hackers use a social engineering method borrowed from penetration testing, or "pen testing," which is the evaluation of a computer system or network to find vulnerabilities that can be exploited. To gain a foothold on the system from which the test can be run, the hacker leaves USB keys in public areas so that people pick them up and plug them into office PCs, or mails CDs to an organization's workers so that they insert them into PCs on the network.
- VoIP Exploits: VoIP (Voice over Internet Protocol) is telephony carried over the internet. Hackers exploit it by leaving phishing voice messages telling the recipient that there is a problem with their bank account and giving an 800 number, in the hope that the recipient calls it and reveals bank account information.
- Bandit Signs: Another offline social engineering method is posting advertisements in parking lots and other public areas that entice the reader to visit a malicious website. The URL is passed off as legitimate by an authentic-looking advertisement for a charitable cause or something similar.
Here are some of the ways hackers perform social engineering methods online.
- Malware Installation: Social engineering hackers install malware through everything from ActiveX controls to email and websites. Some of that malware mirrors other websites: when you type in a search, it returns sites that look like the ones you usually visit but are bogus, tricking you into entering information into what you believe is the legitimate site.
- Targeted Attacks: In a targeted attack, the hacker profiles the victim so that the intrusion is directed at you personally. Examples include email addressed to you by name, email disguised as coming from a legitimate source, and social networking messages built from information stolen from résumé sites so that the message is tailored directly to the recipient.
- Email Hoaxes: Social engineering can also be performed through email messages claiming that you have won a lottery or promising a high return on investment if you contribute money to a specific cause. In reality these are scams designed to get you to reveal your personal information and to steal your money.
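Two of the tell-tales described above, a sender disguised as a legitimate source and a link to a bogus look-alike of a site the user normally visits, can be checked mechanically before a message reaches the user. The script below is an added example, not code from the original article; the bank domain, brand words and sample message are all constructed, and the confusable-character table is a deliberately small assumption.

```python
import re
from email.utils import parseaddr

# Assumed allowlist: the domain the user's bank genuinely sends from (constructed).
TRUSTED_DOMAINS = ("examplebank.com",)
BRAND_WORDS = ("examplebank", "example bank")  # how the brand reads in a display name
# Character swaps commonly used in look-alike domains; folded before comparing.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
URL_RE = re.compile(r"https?://([^/\s:]+)", re.I)

def is_genuine(host):
    """True for a trusted domain itself or one of its sub-domains."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DOMAINS)

def lookalike_of(host):
    """Return the trusted domain `host` imitates, or None if genuine or unrelated."""
    if is_genuine(host):
        return None
    norm = host.lower()
    for fake, real in CONFUSABLES.items():  # fold "examp1e" / "exarnple" to "example"
        norm = norm.replace(fake, real)
    for legit in TRUSTED_DOMAINS:
        # equal after folding, or the real name buried inside a longer host
        if norm == legit or norm.endswith("." + legit) or legit in norm:
            return legit
    return None

def analyse(raw_message):
    """List the tell-tales in a raw email: a disguised sender and look-alike links."""
    headers, _, body = raw_message.partition("\n\n")
    from_line = next((h[5:] for h in headers.splitlines() if h.lower().startswith("from:")), "")
    name, addr = parseaddr(from_line)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    if lookalike_of(domain):
        findings.append(f"sender domain {domain} imitates {lookalike_of(domain)}")
    if any(w in name.lower() for w in BRAND_WORDS) and not is_genuine(domain):
        findings.append(f"display name '{name}' claims the brand but sender is {domain}")
    for host in URL_RE.findall(body):
        if lookalike_of(host):
            findings.append(f"link host {host} imitates {lookalike_of(host)}")
    return findings

# Constructed sample (not a real message): spoofed display name, confusable sender
# domain, and a link whose host merely contains the bank's real name.
SAMPLE = ("From: Example Bank Security <alerts@examp1ebank.com>\nSubject: Action required\n\n"
          "Your account is locked. Sign in at https://examplebank.com.verify-login.example/ now.")
if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE)))
```

Running it on the sample reports all three findings; a genuine message from a sub-domain such as alerts.examplebank.com produces none.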