Understanding cybersecurity means more than just understanding computers. It also means understanding the social means by which cybercriminals gain access to information. This process is known as social engineering, and it involves a variety of tactics that exploit people instead of machines, but that produce the same results—access to the information needed to breach a computer system’s security.
Individual Social Operations Used by Criminals
There are a few easily identifiable methods used by cybercriminals to get information from human sources. Some of them rely on the user’s discomfort with computers and willingness to trust experts. Others rely on exploiting natural social trends, like the tendency to assume people who act like they belong someplace actually do belong there.
- Phishing: A criminal pretends to be a representative of an organization in order to get people to provide their login information or other credentials, giving the hacker access to their accounts. When it captures the credentials of officers and other important members of an organization, it can jeopardize more than just one account.
- Phone Contact: Social engineers also exploit the chain of command in organizations to get access. This can be done in a lot of ways, including pretending to be a customer and interrogating company representatives to learn about protocols and impersonating employees or officers of a company to get help connecting to the system.
- False Fronts: Similar to phishing, this operation involves pretending to be a representative of an organization and requiring certain actions be taken to prevent account closure or avoid penalties. They are less common than phishing attacks but might include instructions like wiring money or making a payment. Fake antivirus packages often use these to disguise ransomware operations.
All these tactics are in addition to the regular social tools used by con artists of all stripes, including blackmail, extortion, and outright in-person deception.
Mass Social Operations
Social engineering can also be carried out on a large scale, through the exploitation of online trends to either spread disinformation or steal user information. Getting users to grant an app access to their account, while also giving away identifying information that could be used to guess account security verification items such as answers to secret questions, is as simple as writing an engaging quiz and employing the right promotional means to make it go viral. Riding on celebrity news with false information, or with pages that look like media reporting on it but deliver exploits, is another popular way to carry out large-scale social operations that don’t require an individual target.
The goal of large-scale engineering is different from that of small-scale engineering. Typically, the smaller operations seek to gain access to individual credentials or to corporate systems that can provide lists of account information. Large-scale operations look to shift human behavior in order to exploit systems in different ways, such as identifying targets for misinformation or infecting a large number of systems to create botnets for distributed computing.