Social Engineering: The gateway for cyberattacks.
Esther Ebubenna Nwadike
Law | Sports | Business Management | Hospitality Management
“…security isn't just about technology—it's about people. And people can be both your greatest security advocates and your weakest security links.” (Francis Dinha)
If on a Monday morning, while hurrying to the bus stop, you receive an SMS from a “reliable informant” who claims that there is a conspiracy to assassinate you, how will you react?
Let’s also assume that the SMS reads thus: “Good morning, Dayo. I’ve followed you closely for a while, and have confirmed that you are innocent of the accusations levelled against you. Although a lady, someone you call a friend, paid us to kill you, I pleaded with my gang to halt any action until I reason with you. I’ve asked the lady why she’s so desperate to have us kill you, but she insists that we should execute her job. Since we have between tomorrow and next to carry out the assignment, if you pay 200,000 naira to XYZ account, we will not kill you.”
Does this “informant” sound genuine?
Do you believe his information?
How scared are you by the mere thought that one of your “friends” wants you dead?
Would you have paid this “informant”?
If your answers to the above questions are YES, you are likely to fall victim to a cybercrime technique known as “Social Engineering”.
Now, let’s discuss social engineering as one of the channels of a cyberattack.
THE NATURE OF SOCIAL ENGINEERING
“Social engineering in cybersecurity is the practice of manipulating someone into giving up sensitive information, usually through exploiting human error or taking advantage of trust in digital communications.”
The focus of a social engineer is to manipulate your emotions by instilling fear, creating false urgency, proposing a too-good-to-be-true offer, etc.
As Francis Dinha commented, “We know how to install firewalls and antivirus software; we know how to encrypt our communications. The problem is, security isn't just about technology—it's about people. And people can be both your greatest security advocates and your weakest security links.”
Now that we’ve established that a social engineering attack exploits human psychology, rather than the devices and software that other cyberattacks target, let’s look at the various forms a social engineering attack can take.
FORMS OF SOCIAL ENGINEERING ATTACKS
1. Pretexting:
For the past 6 months, you’ve been desperate for a job; the bills are piling up, loan sharks are not relenting, and you’ve submitted countless applications. Unfortunately, none of the companies you applied to has given you so much as a rejection call.
Suddenly, you receive a text from a supposed “UTF Team”:
“Hi, Your CV has passed. You can get $100 in a day. For details: https://wa.me/+1 80 673945793.”
Pause right there. What this sender is attempting is called “Pretexting”.
As in our illustration, in pretexting a social engineer presents the target with a valuable, almost irresistible offer (here, a $100/day job), first to gain the victim’s trust and then, through that trust, to extract something valuable from the victim (here, via the link provided).
2. Phishing:
Like a well-trodden footpath, phishing is the main gateway to most cyberattacks.
Have you read a tweet about an attempted scam call or perhaps been a near victim? There you have it, “Phishing”.
A phishing attack is another form of social engineering, carried out by voice call or SMS.
The fake caller pretends to be a genuine person or organization in order to trick a potential victim into revealing sensitive information such as ATM card details, downloading malware, or sending money to an unfamiliar account.
According to IBM’s Security X-Force Threat Intelligence Index 2023, 41% of cyberattacks in 2023 were conducted through phishing. The report specifically stated that “for the second year in a row, phishing was the leading infection vector, identified in 41% of incidents. More than half of phishing attacks used spear-phishing attachments.”
3. Baiting:
Just as a kidnapper might dangle candy to lure a child into his car and then speed off with the child, the social engineering technique of baiting works the same way.
The attacker lures a victim by waving a valuable offer or strategically dropping an appealing item such as a USB drive in a busy cyber cafe.
A perfect example of the baiting technique is the “Nigerian prince” email scam, also known as the “Nigerian letter” scam.
The victim receives an email from a self-proclaimed royal who promises, say, 45% of the assets in his kingdom in Africa, including piles of gold, valuable tiger skin and maybe priceless elephant tusk. Once the victim is hooked by the offer, the baiter requests the victim’s account details so that he can “transfer the funds”, or demands a sum of money as transfer fees.
A successful baiter either disappears with your transfer fees and the “assets in his kingdom”, or drains the last penny in your bank account.
4. Quid pro quo:
In a quid pro quo, the social engineer proposes a trade by barter.
Unfortunately, the victim, who has been brainwashed, fulfils his part of the barter by sharing confidential information. Upon receiving the information, the social engineer vanishes without fulfilling his part of the bargain.
Unprotected websites, and even some protected ones, which are often flooded with intrusive and annoying advertisements, encourage quid pro quo.
Ads like: “Click to unlock life access”; “pay $5 to play the next level”, etc.
An unsuspecting user who clicks on such a harmful ad risks downloading malware, and if the user pays for a game’s “live access”, he is locked out of the game thereafter.
5. Watering-hole attacks:
A watering-hole attack aims to infect numerous targets at once.
In most cases, the malicious actor knows an online platform frequently visited by his victims, such as a Facebook community. Once the malicious actor infects the group or website, everyone who visits it afterwards is affected.
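The cues described earlier (fear, false urgency, a too-good-to-be-true offer) and the asks that follow them (money, an unfamiliar link) are enough to build a first-pass screen. The following Python is an added example, not code from the article or its author: it scores a message on how many of those cues it shows and runs over the article’s two sample texts plus a harmless control. The keyword lists and the two-cue threshold are assumptions chosen for illustration.

```python
import re

# Lure cues the article names (fear, false urgency, too-good-to-be-true offers)
# plus the two concrete asks a social engineer ends with: money and an unfamiliar link.
# The keyword lists are illustrative assumptions, not an exhaustive lexicon.
CUES = {
    "fear": r"\b(kill|assassinat\w*|gang|dead|arrest\w*|suspend\w*)\b",
    "urgency": r"\b(today|tomorrow|immediately|now|urgent\w*|within \d+)\b",
    "too_good": r"\$\d+|\b\d+\s*%|\bwin\w*\b|\bprize\b|\bfree\b|\bpassed\b",
    "payment": r"\b(pay|transfer|fees?|naira|account)\b",
    "link": r"https?://\S+|\bwa\.me/\S+|\bbit\.ly/\S+",
}

def score_message(text):
    """Return which cues fire and whether the message should be treated as a lure."""
    lowered = text.lower()
    hits = [name for name, pattern in CUES.items() if re.search(pattern, lowered)]
    # Two or more independent cues (e.g. fear plus a payment demand) is the
    # threshold assumed here; a single cue is common in legitimate messages.
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 2}

# Constructed samples: the article's two example texts and one harmless control.
SAMPLES = {
    "assassination_sms": (
        "Good morning, Dayo. Although a lady paid us to kill you, I pleaded with my gang "
        "to halt any action. Since we have between tomorrow and next to carry out the "
        "assignment, if you pay 200,000 naira to XYZ account, we will not kill you."
    ),
    "utf_team_sms": "Hi, Your CV has passed. You can get $100 in a day. "
                    "For details: https://wa.me/+1 80 673945793.",
    "benign_sms": "Hi Dayo, the meeting moved to 3pm, see you at the office.",
}

def screen_samples():
    """Score every constructed sample; used by the demo below."""
    return {name: score_message(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in screen_samples().items():
        flag = "LURE" if result["suspicious"] else "ok"
        print(f"{name:18} {flag:4} cues={result['hits']}")
```

A screen like this only catches the crude cases; its real value is in showing which emotional lever a message is pulling, which is what security awareness training asks people to notice.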
QUICK TIPS TO PREVENT SOCIAL ENGINEERING ATTACKS
1. Organize regular security training in your organization.
2. Be mindful of unfamiliar email notifications.
3. Always update your devices and software.
4. Employ two-factor authentication, especially when accessing a public network.
5. Enforce limited data access mechanisms.
6. Invest in firewalls and antivirus technologies.
7. Don’t neglect the importance of security response teams, in-house and external.
About Esther Ebubenna Nwadike
Esther Ebubenna is a freelance writer who writes copy about cybersecurity and general writing tips.
Ebube is also enthusiastic and writes about sports.
As a practising attorney, Ebube prioritizes detailed content research.