While discussing security, it is worth mentioning the human factor and how it is exploited using social engineering techniques.
Social engineering relies on persuasion techniques, which Robert Cialdini's book “Influence” breaks down into six principles:
Reciprocity: when you receive a gift you are more likely to respond in kind
Scarcity: when a product is scarce you are more likely to want it
Authority: people are more likely to follow instructions from an authority figure such as an executive, a police officer, or a government representative
Consistency: if you can get someone to agree to something small first, then they’ll feel pressured to agree to something bigger
Liking: you are more likely to follow someone you like
Consensus (social proof): if many other people are doing something, you feel you should do it too
Many types of attacks can be created using a combination of these techniques. The most common ones used today include:
Phishing, i.e. tricking people into revealing sensitive information such as passwords or credit card numbers, or into opening malicious links or attachments, through messages that appear to come from a legitimate source. It can be sent in mass or as spear phishing focused on small groups or individuals, and it takes place through any communication channel: email, messaging apps, social media, SMS, phone calls, etc.
Trojans sent as email attachments that appear to come from family members, friends, or other trusted parties
Tech support scams, typically malvertising or pop-ups on malicious websites that try to convince you that your computer is infected and that you need to pay to “fix” it
With the advent of AI tools like deep fakes and voice imitation, these types of attacks could become more convincing and therefore more widespread.
Social engineering becomes much harder to resist when the attacker builds on resources that are already compromised. For example, if an attacker uses a Server Side Request Forgery (SSRF) flaw, in which the server follows a user-submitted URL without validating it, to make the official company mail server send an email that appears to come from the CEO, the message originates from legitimate infrastructure and passes the usual authenticity checks, so an employee is far more likely to follow its instructions.
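As an added example (not code from the original page), here is what the SSRF step looks like in Python: a link-fetching feature that follows any user-submitted URL, beside a hardened version that resolves the host first and only allows public addresses. The internal mail relay, its address and the "network" are constructed stand-ins so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for an internal, unauthenticated mail relay that only
# hosts inside the company network are supposed to reach (assumption).
INTERNAL_MAIL_API = "http://127.0.0.1:8025/send"


def fake_network(url):
    """Constructed stand-in for the network, so the example runs offline.
    The only 'reachable' destination is the internal relay, and it sends
    whatever it is asked to send, here a message claiming to be the CEO."""
    p = urlparse(url)
    if p.hostname == "127.0.0.1" and p.port == 8025 and p.path == "/send":
        return "mail queued: From: ceo@example.com"  # constructed response
    return "unreachable"


def fetch_unvalidated(url, transport):
    """Vulnerable: follows any user-submitted URL (think of a link-preview or
    webhook feature), so an attacker can point it at INTERNAL_MAIL_API."""
    return transport(url)


def _unwrap(ip):
    """An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is really an IPv4
    address; unwrap it so it cannot hide a loopback or private target."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def resolve_addresses(hostname):
    """Return every IP address the hostname maps to, or [] if it does not
    resolve. A literal IP is returned as-is (after unwrapping)."""
    try:
        return [_unwrap(ipaddress.ip_address(hostname))]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [_unwrap(ipaddress.ip_address(info[4][0])) for info in infos]


def is_safe_url(url):
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. Loopback, private, link-local (including the 169.254.169.254
    cloud metadata address) and unresolvable hosts are all rejected."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    addresses = resolve_addresses(p.hostname)
    return bool(addresses) and all(ip.is_global for ip in addresses)


def fetch_validated(url, transport):
    """Hardened: the same fetch, but only after is_safe_url() accepts the URL."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to fetch {url!r}: not a public http(s) host")
    return transport(url)


if __name__ == "__main__":
    # The vulnerable path lets the attacker use the company relay as a sender.
    print(fetch_unvalidated(INTERNAL_MAIL_API, fake_network))
    try:
        fetch_validated(INTERNAL_MAIL_API, fake_network)
    except ValueError as err:
        print(err)
```

Two caveats for real deployments: the check and the later connection are separate DNS lookups, so a rebinding attacker can pass the check and then resolve to an internal address; connect to the IP you validated (or pin it) and re-validate every redirect target. An allowlist of permitted destinations is stronger than this denylist of address ranges whenever the feature only needs to reach a known set of hosts.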