Social Engineering - The Cybercriminal's Psychology Game

  • 18th May 2021
  • Michelle Pace
  • Cyber Crime

Social engineering has been around since, well, since humans first interacted. It is a form of psychological manipulation that convinces someone to do something that is not in their best interests.

Confidence tricksters, aka conmen, have been using these tactics for hundreds of years, whether to steal a watch or to take money from their victims. The same manipulation can masquerade as an advert for a beauty product that implies you will not be beautiful enough until you buy it (and you part with your cash in the process). There are many more ways in which the technique can be employed.

Such practices are becoming more common and more nefarious, with most of the credit going to cybercriminals. They go after the weaker of two targets: the human rather than the computer. By preying on someone’s natural trust, it is easier to convince them to hand over their personal data than it is to hack into a system.

Then there is the two-pronged attack: social engineering combined with malicious software, where the manipulation is only there to get the malware onto the device.

 

Clickbait and click fraud

We have all clicked a link that has taken us to another page, whether a cute kitten or puppy video or a ‘how-to’ clip. If you get straight to that video, that is simple enticement, with no deception. How many of us have clicked a link where the promised content did not match what we were subsequently taken to? That is clickbait. You were offered the bait on the line and swallowed it.

Clickbait is all about getting your attention. Cybercriminals rely on the fact that most of us are at least curious, and some of us live for drama and sensationalism, so links to such ‘interests’ are, more often than not, clicked on. Some are safe; the poster is genuinely looking for followers. Others are not so delightful.

Click fraud, as the term is used here, is more deceptive than clickbait. You see a link of interest, but it takes you somewhere very different from where you expected; it is deceitful, misleading and fraudulent, and much of it ends with malware on your device. (In the advertising industry the same term more often means generating fake clicks on pay-per-click adverts, frequently with bots, to drain an advertiser’s budget or earn the publisher a payout.)

 

Watering hole attacks

Watering hole attacks derive their name from predators in the natural world, lurking at such places in order to attack their coveted prey.

These attacks are less common but harder to detect because of how they are executed. They are typically aimed at well-defended organisations by way of a less secure third-party website that the organisation’s staff visit, although individuals can be targeted in the same way.

Typically, the attackers identify a website regularly used by the victim, or by a target within an organisation, find a vulnerability in that site and plant malicious code on it (and on further sites if they can). Visitors are then infected by the compromised page, for example through a drive-by download that exploits an unpatched browser or plugin, and that foothold may reveal further weaknesses inside the victim’s network. Targets are generally unaware that this has happened, and the attackers gain access to the network.

Browsing habits tell a cybercriminal a lot about an individual. Advertisers know this too: you have just been looking at a product online, only to see it advertised on Facebook five minutes later. Again, on a personal level, a popular site can be infected with malware by a criminal, and this in turn infects many of the devices that visit it.

Phishing

Phishing relies on sending a fake email that convinces you to hand over your personal information and data. Phishing emails are cleverly disguised and appear to have been sent by a reputable organisation, such as your bank, PayPal, or HMRC. The deception can also take the form of an email telling you that you have won a significant amount of money or goods such as a television.

Cybercriminals are sophisticated these days. They may know something personal that is not in the public domain, so you believe the content of the email, click the link and enter every detail that is asked of you. The email contained your name and username and one or two other bits of information, so it must be legitimate, yes? No. Now the cybercriminal has all they need to break into your accounts and the sites you use. Let’s be honest: many of us also use the same password across a multitude of sites, so one stolen password opens many doors.
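Two of the tells that give a disguised email away are mechanical enough to check automatically: the visible link text shows the bank’s real address while the underlying href points somewhere else, and the Reply-To address belongs to a different domain from the From address. The script below is an added example, not code from the original article, that parses a constructed sample message and reports those mismatches. The sample headers, addresses and domains are invented for illustration, and the domain comparison is a deliberately crude last-two-labels check (it does not know about suffixes such as co.uk).

```python
"""Flag common phishing tells in an email: visible link text whose domain
differs from the href, links outside the sender's domain, and a Reply-To
domain that differs from the From domain. Sample message is constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" alert. The first link's visible text shows
# the bank's domain, but the href leads to an unrelated host. Not a real email.
SAMPLE_EMAIL = b"""From: "Example Bank" <alerts@example-bank.com>
Reply-To: support@example-bank-verify.net
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please verify your details here:</p>
<p><a href="http://example-bank.com.login-check.example.net/verify">https://www.example-bank.com/verify</a></p>
<p>Or read our <a href="https://www.example-bank.com/security">security tips</a>.</p>
</body></html>
"""


def registrable_domain(host):
    """Crude approximation: keep the last two labels of a hostname.
    'www.example-bank.com' -> 'example-bank.com'. Assumption: two-label
    public suffixes such as co.uk are not handled (use a suffix list in practice)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return a list of warning strings for a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []

    from_dom = registrable_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    reply_to = msg["Reply-To"]
    if reply_to:
        reply_dom = registrable_domain(parseaddr(str(reply_to))[1].split("@")[-1])
        if reply_dom != from_dom:
            warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return warnings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Visible text that looks like a URL is the classic lure: the reader
        # trusts what is displayed, the browser follows what is in href.
        if text.startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(href_host):
                warnings.append(f"link text shows {shown} but href goes to {href_host}")
        if href_host and registrable_domain(href_host) != from_dom:
            warnings.append(f"link to {href_host} is outside sender domain {from_dom}")
    return warnings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run against the sample it reports three warnings: the Reply-To mismatch, the link whose text says www.example-bank.com while the href goes to a host under example.net, and that same link sitting outside the sender’s domain. The second link, which genuinely points at the bank, produces nothing. A mail gateway or a user-facing add-in would apply the same logic; the point is that the displayed text is what the victim reads and the href is what actually runs.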

Regardless of how much security you have on your devices, it will not stop you from trusting the wrong person. If you let that person in, you might as well not have any security at all.

Ransomware

Ransomware is a form of malware that, once it has infected your computer, denies you access to your files, usually by encrypting them. Some variants also steal sensitive data before encrypting it and threaten to publish it. The cybercriminals then demand a ransom, in varying amounts, before telling you how to regain access.

This can happen to anyone, an individual or an organisation. It is very lucrative for attackers because people panic and pay up to get their data back. For those who do not, additional scare tactics are employed, such as emails purporting to come from the FBI and informing you that you have been involved in illegal activity.

Some threats even tell the victim that child pornography has been found on their device and that everyone will be informed if they do not pay. They back this up with a photograph which, although the victim has never seen it before, induces enough panic that the ransom is paid.

Ransomware is easy to develop and hard to trace. It plays on people’s fears and panic when they are faced with such formal-looking accusations, and the nature of some criminals’ threats has sadly even led to suicides.

Using high-quality antivirus software, such as McAfee Total Protection, can block many such infections. Keeping a recent offline backup of your files is the other half of the defence: if a drive is encrypted, you restore it rather than pay.

 

Scareware/ fraudware

Most of us will have seen a form of scareware: a pop-up banner informing us that our device is infected and telling us to click for help. Clicking such an ad is a sure-fire way to get malware onto your computer or tablet; the click either downloads malicious software directly or sends you to a malicious site that does.

 

Pretexting

Pretexting involves a cybercriminal building false trust with someone, either on a personal level or by pretending to be someone in your organisation, such as a colleague in the finance department. Once trust has been established, they begin to ask for small pieces of information about you or your colleagues. These are collected until there is enough to steal an identity or banking details, which can then be sold on the dark web or used to commit fraud.

Pretexting does not employ the fear and urgency that phishing and ransomware use. Instead, it relies on time and on building confidence with the victim, allowing the attacker to construct a plausible scenario that leaves no room for doubt.

 

Staying safe

  • Make sure that you have the best security software you can get, and keep it running and up to date.
  • Use all of the privacy settings available to you, whether on social media or within your browser. 
  • Use common sense- if it seems too good to be true, it probably is. If a friend sends a suspicious unexpected email, contact them to ask if they sent it before you open it.
  • Use different passwords for each site and membership. If you can’t remember them, use a password manager, such as the one that comes with McAfee Total Protection.
  • Don’t let an email prey on your generosity by asking for financial help for a cause or disaster; you can be scammed out of your money and the cause will not see a penny of it.
  • If an email asks you to verify any information, don’t do it. Find the company in question by using a search engine and contact them to see if it’s genuine.
  • It’s highly unlikely that you have won a lottery in Spain or a brand new 65” TV, so don’t hand over any personal details in the hope of seeing such winnings. 
  • Take your time- scammers rely on panic and acting before you think. Again, contact any relevant companies by using a search, to ascertain the truth of any email. 
  • Set all programs to auto-update if you can. Any updates will contain patches for known security issues etc. If you cannot use auto-update, ensure you manually update those devices to keep abreast with security.

Regularly sign into your Notty Account. You will receive alerts about any personal details appearing on the dark web, social media scores and a special price for McAfee Total Protection and CyberCareDNA together.