Skip to 0 minutes and 2 secondsHave you ever received an email from your bank or social media asking you to share sensitive information? This is an example of a social engineering cyber attack. It's designed to steal data like passwords and bank details by deceiving the victim into sharing personal information. In this step, you'll learn about three types of social engineering attack, phishing scams, pharming, and name generators.
Skip to 0 minutes and 30 secondsA phishing attack is disguised to look like it comes from a reputable source. The email tricks the victim into giving up valuable data, either asking for it directly or linking to a website where you can input the information. Sophisticated attacks targeting an individual or group are called spear phishing attacks. How can you identify a possible phishing email? Key things to look out for are unexpected emails with requests for information, unknown email addresses. Look out for spelling errors, lots of random letters and numbers, or domain names that you don't recognise. For example, this email appears to be from gov.uk. But upon closer inspection, it's actually from beyond beautiful smilez, who appear to be based in Canada.
Skip to 1 minute and 19 secondsText that appears to be hyperlinked but does not contain a link. Or hyperlinks to an address that contains spelling errors, random characters, or unknown domain names. Hovering your mouse over this link shows us that the link takes us to Caroline Country Homes, not gov.uk.
Skip to 1 minute and 40 secondsGeneric emails that don't address you by name or emails that are missing information that you would expect the sender to know.
Skip to 1 minute and 51 secondsThe second social engineering attack we are going to look at is pharming. A pharming attack is one in which malware redirects you to a malicious version of a website. The malware may have infected your computer or a DNS server where your antivirus software won't detect it. Since you typed in the web address yourself, it can be harder to identify a pharming attack, but there are still clues to look out for. Spelling errors or incorrect logos, broken or missing links, a notification from your browser warning you the web page is insecure. Be sure to confirm a website is secure by looking out for the lock symbol in your web browser's address bar.
Skip to 2 minutes and 40 secondsName generator attacks use an app or social media asking you to combine pieces of information or complete a short quiz to produce a name. For example, your rock star name can be generated if you give and app your name, the year you were born, where you live, and the answers to some personality questions. This attack is trying to find out key pieces of information that help attackers answer the security questions that protect your accounts. To avoid a name generator attack, do not give out any information used to create your passwords or to answer your security questions. And don't share that information publicly on social media.
Skip to 3 minutes and 19 secondsIn the next step, you'll be exploring two types of interactive social engineering, blagging and shouldering.
Automated social engineering
In the previous step, you saw the value of your data. Now, you will learn about social engineering attacks, in which attackers try to steal your data. In this step, you will be introduced to phishing, pharming, and name generator attacks.
What is social engineering?
Social engineering is the name given to the type of attack that deceives victims into sharing valuable personal data.
There are many different types of social engineering attack. In this step, you will learn about three kinds:
- Phishing attacks
- Pharming attacks
- Name generator attacks
A phishing attack is an attack in which the victim receives an email disguised to look like it has come from a reputable source, in order to trick them into giving up valuable data.
The email will either ask for the information directly, or provide a link to another website where the information can be inputted. This attack may also come via phone call or text message.
Phishing emails can be recognised in a number of ways. Key indicators to look out for include:
- Any unexpected email with a request for information
- Sender email addresses that contain spelling errors, lots of random numbers and letters, and/or domain names that you don’t recognise
- Suspicious hyperlinks:
- Text that appears to be hyperlinked but does not contain a link
- Text that is hyperlinked to a web address that contains spelling errors and/or lots of random numbers and letters
- Text that is hyperlinked to a domain name that you don’t recognise and/or isn’t connected to the email sender
- Generic emails that don’t address you by name or contain any personal information that you would expect the sender to know
Some phishing attacks are more sophisticated and target specific individuals or groups of people, for example, by pretending to be from a company that the person has an account with. This is called spear phishing.
To avoid phishing attacks, you should not fill out forms or click on links in emails that you are not expecting.
A pharming attack is an attack in which malware redirects the victim to a malicious version of a website. The malware could infect the victim’s computer or the DNS server (the database that allows your browser to find the website you’re visiting — find out more about these in our networking course). Then, when the victim enters a web address into their browser, they visit a website controlled by the attacker, rather than the legitimate website. The attacker can then collect any data that the victim inputs into the website. Links in phishing emails may also redirect victims to pharming websites.
As with phishing attacks, pharming attacks can be identified from aspects of the website that seem out of place or incorrect. For example, any of the following could indicate a pharming attack:
- Spelling errors or incorrect logos
- Broken or missing links
- A notification from your browser warning you that the webpage is insecure
- The lock symbol that your browser uses to confirm that a webpage is secure is missing
If you suspect that a website is malicious, you should close your browser and run up-to-date antivirus software on your computer, then reload the page to see if it has changed.
Name generator attacks
A name generator attack is an attack in which the victim is asked in an app or social media post to combine a few pieces of information or complete a short quiz to produce a name.
Attackers do this to find out key pieces of information that can help them to answer the security questions that protect people’s accounts.
To protect yourself from name generator attacks, you should avoid providing apps with the following pieces of information or posting this information publicly on social media sites:
- Your mother’s maiden name
- Names of current or previous pets
- Previous or current addresses
- Your age or birthdate
- Your lucky number
- Any of your favourite things (such as your favourite place or author)
- Any information that you know you have used to create a password or set up a security question
In the next step, you will learn about two types of social engineering attack that require the attacker to interact with the victim more personally.
- What are social engineering attacks used for?
- Why do you think social engineering attacks are effective?
- Of the three types of social engineering attack discussed, which do you think is the most likely to be successful?
Share your answers in the comments