Seen some scary headlines about a new “social engineering attack” doing the rounds, but not sure what that really means? Then you are in the right place: this guide explains in detail what the term means and gives some quick tips on how not to fall victim.

The short version is that a social engineering attack is where computer abuse meets old-fashioned confidence fraud. Specifically, social engineering attacks are scams that exploit the weakest part of any technical system: the human using it.

Social engineering attacks can be carried out over the web, by email, by telephone, by SMS or instant messaging, or in person. They rely on deceiving the user into believing, for long enough, that the bad actor is a genuine representative of, say, Amazon or Microsoft, so that the user hands over credentials, logins, access to their computer or money.

Social engineering attacks can take place in real time, with someone actively talking to you on the phone or physically present in your office; asynchronously, for example by exchanging emails with a bad actor who is pretending to be someone they are not; or as a passive trap delivered via email, a website or even a physical USB device.


Examples of social engineering attacks

Phishing, in which a bad actor sends messages, usually by email, designed to look as if they come from a legitimate company in order to trick you into submitting your login details or authorising a payment, is the most common example of a social engineering attack. Phishers often offer an irresistible, time-limited deal or threaten severe consequences (an overdue payment, say) to make the victim panic and click without thinking about what they are doing.
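The three tells described above (a sender who only looks like the brand, pressure language, and a link whose visible text does not match where it really goes) can be checked mechanically. The following is an added example, not code from the original article: it parses a constructed phishing email (all addresses, domains and wording are invented for the demonstration) and reports which of those tells it finds. The brand list, urgency phrases and the two-label domain approximation are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing email impersonating Amazon. Every header,
# domain and sentence here is invented for this example.
SAMPLE_EMAIL = """From: "Amazon Customer Service" <billing@amazon-security-alerts.example>
To: victim@example.org
Subject: URGENT: your payment failed, account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>We could not process your last payment. Act now to avoid suspension.</p>
<p><a href="http://amazon.com.verify-account.example/login">https://www.amazon.com/your-account</a></p>
</body></html>
"""

# Assumed brand -> genuine domain table; extend for the brands you care about.
KNOWN_BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com"}

# Assumed list of pressure phrases typical of phishing lures.
URGENCY_WORDS = ("urgent", "act now", "immediately", "suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool would use a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name claims a brand whose genuine domain the sender does not use.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) != real_domain:
            findings.append(f"display name mentions {brand} but sender domain is {sender_domain}")

    # 2. Pressure / threat language in the subject or body.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    # 3. Link whose visible text is a URL on a different site than its href.
    collector = LinkCollector()
    collector.feed(body)
    for shown_text, href in collector.links:
        shown = urlparse(shown_text if "://" in shown_text else "http://" + shown_text).hostname
        actual = urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, `analyse` reports all three tells; a plain message from an unremarkable address with no links and no pressure wording produces an empty list. None of these checks is proof of phishing on its own; they are the same cues a careful reader applies by eye, made repeatable.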

Other attacks of this kind instead aim to get malware onto the computer by convincing the user that it is legitimate software. While Adobe Flash was still in use, malicious sites routinely distributed malware disguised as a Flash Player download. Once the user has been tricked into installing it, the malware can spy on them, try to compromise their network, or hijack system resources to join a botnet, send spam or mine cryptocurrency.

Technical support fraud. Among the most common are fake support calls claiming to be from Microsoft. A notorious variant tells the user that their PC has a serious malware infection and “proves” it by having them open Windows Event Viewer, whose log of completely benign errors and warnings looks alarming to someone who does not know what they are looking at.

Some technical support scams use screen-locker pop-ups to temporarily lock the victim out of their computer and instruct them to call an “official support phone number”, much like non-encrypting ransomware, which itself relies on elements of social engineering.

Scareware is a related category: typically web pop-ups warning that your computer is infected with malware, alongside a download link for an “anti-malware” tool that is itself malicious.

Targeted bogus calls to or from a business’s IT support team, for example requesting login credentials or other sensitive information.

Physical social engineering attacks can rely on distraction or incongruity, as in Naomi Wu’s example of a scantily clad penetration tester who walks past the front desk and security holding a selfie stick and is completely ignored; or, conversely, on blending into the background by looking like you belong there: carrying a clipboard, walking purposefully and wearing hi-viz to get into a secure site.

Once inside a supposedly secure site, a bad actor can get at computers, keys or data to compromise their target. The “evil maid” attack Wu mentions in her video classically involves genuine staff (archetypally hotel housekeeping) using their legitimate access to tamper with the target’s electronic device, but it can equally be carried out by an intruder.

Another physical attack, one that is somewhat past its sell-by date but needs no human interaction from the attacker, is “baiting”. A USB drive loaded with malware is left somewhere inviting, possibly with an enticing label, to encourage whoever finds it to plug it into a computer and take a look. The days when Windows autorun files could execute automatically from removable media are long gone, but a cleverly named program and a readme file on the drive can still convince the right target to sabotage their own computer by running it.
