Social Engineering attacks take two primary forms: convincing someone to perform an unauthorized operation or convincing someone to reveal confidential information.
Protection Methods
Defining restricted information that is never communicated over the phone or through plaintext communications such as standard email
Always verifying the credentials of a repair person and verifying that a real service call was placed by authorized personnel
Never following the instructions of an email without verifying the information with at least two independent and trusted sources
Always erring on the side of caution when dealing with anyone you don't know or recognize, whether in person, over the phone, or over the Internet/network
Authority: most people are likely to respond to a claim of authority with obedience, so attackers pose as managers, auditors, or officials.
Intimidation uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions.
Consensus (social proof): people tend to mimic what others are doing or are perceived as having done in the past. An example is an attacker claiming that a worker who is currently out of the office promised a large discount on a purchase and that the transaction must occur now with you as the salesperson.
Familiarity or liking, as a social engineering principle, attempts to exploit a person's innate trust in what is familiar. The attacker often tries to appear to share a contact, interest, or relationship with the target.
Trust as a social engineering principle involves an attacker working to develop a relationship with a victim over time, so that a later request is granted without the scrutiny a stranger would receive.
Eliciting information is the activity of gathering or collecting information from systems or people. In the context of social engineering, it is used as a research method in order to craft a more effective pretext. A pretext is a false statement crafted to sound believable in order to convince you to act or respond in favor of the attacker.
Prepending is the adding of a term, expression, or phrase to the beginning or header of some other communication, such as "RE:" or "FW:" on a subject line, so that the message appears to be part of an existing conversation or to have already passed through a trusted colleague.
Phishing is a form of social engineering attack focused on stealing credentials or identity information from any potential target.
Spear phishing is a more targeted form of phishing where the message is crafted and directed specifically at an individual or a small group. Often, attackers use a stolen customer database to send false messages crafted to seem like a communication from the compromised business, but with falsified source addresses and lookalike URLs that lead to an attacker-controlled site.
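As an added example that is not part of the original notes, the following Python script (standard library only) applies the three tells described under prepending, phishing and spear phishing to a raw message: a prepended "RE:" on mail that carries no In-Reply-To or References header, a From domain that disagrees with the Return-Path or Reply-To domain, and a link whose visible URL names a different host than its href. The sample message, its addresses and the examplebank/examp1ebank domains are constructed for illustration.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a spear-phishing mail that prepends
# "RE:" to look like part of an existing thread, spoofs the display sender, and
# hides a lookalike link behind legitimate-looking anchor text.
SAMPLE_RAW = """\
From: Billing <billing@examplebank.com>
Return-Path: <bounce@mail-examp1ebank.com>
Reply-To: <support@examp1ebank.com>
To: jane.doe@example.org
Subject: RE: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your statement:
<a href="https://examp1ebank.com/login">https://examplebank.com/statements</a></p>
</body></html>
"""

THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def domain_of(addr):
    """Return the lowercase domain of an address header value, or "" if none."""
    _, address = email.utils.parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of findings for one raw RFC 5322 message.

    These are heuristics that flag mail for review, not proof of an attack:
    legitimate mail sent through a marketing provider also has a foreign Return-Path.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Prepending: a "RE:"/"FW:" subject on a message that is not actually a reply.
    subject = str(msg.get("Subject", ""))
    if THREAD_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("prepended thread marker without In-Reply-To/References")

    # Sender spoofing: the displayed From domain disagrees with where the mail
    # was actually sent from (Return-Path) or where replies would go (Reply-To).
    from_domain = domain_of(msg.get("From"))
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # Link mismatch: the anchor text shows one host, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
            real = urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_RAW):
        print("FLAG:", finding)
```

Run against the sample it reports all four tells; a genuine reply with matching domains and a plain-text body produces none. The Return-Path check will also fire on legitimate bulk mail, so treat it as one signal to weigh alongside the others rather than a verdict on its own.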
A hoax can be an email that proclaims some imminent threat is spreading across the Internet and that you must perform certain tasks in order to protect yourself.
Impersonation is the act of taking on the identity of someone else. Impersonation can also be known as masquerading, spoofing, and even identity fraud. In some circumstances, impersonation is defined as a more sophisticated and complex attack, whereas masquerading is amateurish and simpler.
Tailgating occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge.
Piggybacking occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker by tricking the victim into providing consent. This could happen when the intruder feigns the need for assistance by holding a large box or lots of paperwork and asks someone to "hold the door." The distraction keeps the victim from noticing that the intruder never presented credentials of their own.
Baiting is when the attacker drops USB sticks, optical discs, or even wallets in a location where a worker is likely to encounter them. The hope is that the worker will plug the USB drive or insert the disc into a work computer, where the malware it carries infects the system (through autorun where that is still enabled, or when the worker opens a planted file).
Dumpster diving is searching through discarded material for useful information, so all documents should be shredded and/or incinerated before being discarded, using a secure disposal technique or service. Secure storage media disposal often includes incineration, shredding, or chipping.
You can consider identity theft and identity fraud to be a form of spoofing. Spoofing is any action to hide a valid identity, often by taking on the identity of something else.
Typosquatting is a practice employed to capture and redirect traffic when a user mistypes the domain name or IP address of an intended resource: the attacker registers names that differ from the real one by a dropped, doubled, transposed, or adjacent-key character, or by a lookalike character, and serves a phishing page or malware from them.
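As an added example that is not part of the original notes, here is a small Python tool of the kind a defender uses to get ahead of typosquatting: it generates the single-typo and lookalike-character variants of a legitimate domain (to pre-register them or watch for them in DNS and proxy logs) and decides whether an observed domain is a lookalike of the real one. The QWERTY adjacency table and the homoglyph list are assumptions kept deliberately small; the examplebank.com domain and the observed names are constructed.

```python
# Adjacent keys on a QWERTY keyboard (assumption; extend for other layouts).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Characters that look alike in many fonts (assumption; not exhaustive).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "m": ["rn"], "w": ["vv"]}
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "|": "l"})


def normalize(s):
    """Fold lookalike characters to their plain form before comparing labels."""
    return s.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def typosquat_candidates(domain):
    """Return the set of single-typo and homoglyph variants of `domain`'s first label."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                   # omission
        out.add(label[:i] + ch + label[i:])                  # repetition
        for c in ADJACENT.get(ch, ""):
            out.add(label[:i] + c + label[i + 1:])           # adjacent-key substitution
            out.add(label[:i] + c + label[i:])               # adjacent-key insertion
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition
    for src, dsts in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            for dst in dsts:
                out.add(label[:idx] + dst + label[idx + len(src):])    # lookalike character
            idx = label.find(src, idx + 1)
    out.discard(label)
    return {f"{v}.{tld}" for v in out if v}


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def is_lookalike(observed, legit, max_distance=1):
    """True if `observed` imitates `legit`: a generated typo variant, the brand
    embedded in a longer label, or within `max_distance` edits after folding
    lookalike characters. The real domain and its own subdomains are not lookalikes."""
    observed, legit = observed.lower().strip("."), legit.lower().strip(".")
    if observed == legit or observed.endswith("." + legit):
        return False
    if observed in typosquat_candidates(legit):
        return True
    if normalize(legit.partition(".")[0]) in normalize(observed.partition(".")[0]):
        return True
    return edit_distance(normalize(observed), normalize(legit)) <= max_distance


if __name__ == "__main__":
    for name in ("examp1ebank.com", "exampelbank.com", "mail-examp1ebank.com",
                 "mail.examplebank.com", "github.com"):
        print(f"{name:24} lookalike={is_lookalike(name, 'examplebank.com')}")
```

The brand-in-label check is what catches names like mail-examp1ebank.com that a pure edit-distance test misses; it will also flag legitimate third parties whose label happens to contain the brand, so review those hits rather than blocking them automatically.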
Clickjacking is a means to redirect a user's click or selection on a web page to an alternate, often malicious target instead of the intended and desired location, typically by loading the target page in a transparent frame positioned over a decoy element on the attacker's page.
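As an added example that is not part of the original notes: the attacker's side of clickjacking is a page that layers an invisible frame of the target over a decoy, and the defender's side is a response header that stops the target from being framed. The Python below shows both: a constructed attack page (the bank.example and evil.example origins are hypothetical) and a check that mirrors browser precedence, where a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, X-Frame-Options is consulted next, and a page with neither can be framed by anyone. The CSP source matching is deliberately simplified (ports are only checked when the policy names one).

```python
from urllib.parse import urlparse

# Constructed attacker page (hypothetical origins): an invisible iframe of the
# target sits on top of a decoy button, so the victim's click lands on the
# target's real "confirm" control instead of the button they can see.
CLICKJACK_PAGE = """<!doctype html>
<style>
  #decoy  { position:absolute; top:120px; left:80px; }
  #target { position:absolute; top:100px; left:50px; width:600px; height:400px;
            opacity:0; z-index:2; }   /* invisible but on top: it receives the click */
</style>
<button id="decoy">Claim your prize</button>
<iframe id="target" src="https://bank.example/transfer?confirm=1"></iframe>
"""


def _origin_matches(pattern, origin):
    """Match one CSP source expression (simplified) against scheme://host[:port]."""
    pattern = pattern.lower()
    o = urlparse(origin.lower())
    if pattern.endswith(":") and "/" not in pattern:        # scheme-only source, e.g. https:
        return o.scheme == pattern[:-1]
    p = urlparse(pattern if "://" in pattern else f"{o.scheme}://{pattern}")
    if p.scheme != o.scheme:
        return False
    if p.port and p.port != (o.port or {"https": 443, "http": 80}.get(o.scheme)):
        return False
    host, ohost = p.hostname or "", o.hostname or ""
    if host.startswith("*."):                               # *.example.com: subdomains only
        return ohost.endswith(host[1:])
    return host == ohost


def framing_allowed(headers, target_origin, framer_origin):
    """Would a page served with `headers` at `target_origin` render inside a frame
    on a page at `framer_origin`? Returns True when the clickjacking overlay works."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or "'none'" in (s.lower() for s in sources):
            return False
        for src in sources:
            if src.lower() == "'self'":
                if framer_origin.lower() == target_origin.lower():
                    return True
            elif _origin_matches(src, framer_origin):
                return True
        return False                                        # frame-ancestors present: it decides
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == target_origin.lower()
    # No header, a malformed value, or the obsolete ALLOW-FROM (ignored by current
    # browsers, so it behaves as if no protection were set): the frame loads.
    return True


if __name__ == "__main__":
    target, attacker = "https://bank.example", "https://evil.example"
    weak = {}                                               # no anti-framing header at all
    fixed = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
    print("weak  :", framing_allowed(weak, target, attacker))    # True: overlay works
    print("fixed :", framing_allowed(fixed, target, attacker))   # False: frame is refused
```

Sending both headers, as in `fixed`, covers browsers that do not understand frame-ancestors; sending only `X-Frame-Options: ALLOW-FROM` is a common mistake because current browsers discard it and the page becomes frameable.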