Tricking someone into doing something has been around for ages, but the term social engineering came into common use in the 1990s. Today's cybercriminals combine old and new tactics with the same aims: steal a password or get malware installed.
Here are some of the most common social engineering tactics used over the phone, by email, and on the web.
Ten degrees of separation
Over the telephone, the social engineer's goal is to convince the target that he is a fellow employee or a trusted outside authority, such as law enforcement or an auditor. Rather than approaching the target directly, the attacker first emails or calls other people in the organization to gather information about the target.
Employees should keep a healthy paranoia, because you never know what a caller really wants from you. Everyone in the firm, from the guard at the gate to the person at reception, should be trained to recognize social engineering. The attacker may be ten moves away from the person they actually want to reach, and each intermediate contact yields another piece of information that makes the next call more convincing.
Learning your corporate language
The cybercriminal learns a firm's corporate language, its jargon and internal terms, before contacting anyone. Speaking that language makes the attacker sound like an insider, and employees trust and share information more readily with someone who uses the words they understand and are familiar with.
Borrowing your ‘hold’ music
Another common tactic is to borrow the hold music a company plays to callers left waiting. The attacker records it, and partway through a conversation with the victim says "oh, there is another call, you will have to hold for a moment" and plays the recording. Hearing the familiar hold music, the victim concludes the caller is really inside the company and shares sensitive data.
Phone-number spoofing
Caller ID spoofing is another common tactic. The criminal can be sitting in his apartment while the number displayed on your phone appears to be an internal company extension. Employees who take the displayed number as proof of identity are fooled into sharing sensitive data. The number shown on caller ID is attacker-controlled and proves nothing; if a call asks for anything sensitive, hang up and call the person back on a number you already know.
Abusing faith in social networking sites
Social engineers also exploit trust in social media sites such as Facebook and LinkedIn. The victim receives an email claiming the site is doing maintenance and asking them to click a link to update their information. The link leads to an attacker-controlled page, and whatever is typed there goes into the wrong hands. Employees should type the web address manually rather than following links in such messages, and should check that a link's real destination matches the site it claims to be.
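The mismatch between what a link claims and where it really goes is something you can check mechanically. The following is an added example, not code from the original article: it pulls every link out of an HTML message and flags those that name a trusted brand but resolve to a different domain, or whose visible text is a URL on a different host than the actual destination. The sample message, the list of trusted brands and their domains are constructed for illustration.

```python
"""Flag links whose real destination does not match the site they claim to be.

Added example, not from the original article. The sample message and the
TRUSTED table below are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: brands an organisation expects mail from, mapped to the
# registrable domains that legitimately serve them.
TRUSTED = {
    "facebook": {"facebook.com"},
    "linkedin": {"linkedin.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    'login.facebook.com.evil.example' -> 'evil.example'. A real deployment
    would consult the Public Suffix List so that names like 'example.co.uk'
    are handled; two labels are enough for this demonstration.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, reason) for each link that looks like a phishing lure."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            findings.append((href, "not an http(s) link"))
            continue
        dest = registrable_domain(host)
        # Check 1: a trusted brand is named in the host or the link text,
        # but the registrable domain is not one that brand actually uses.
        haystack = (host + " " + text).lower()
        for brand, domains in TRUSTED.items():
            if brand in haystack and dest not in domains:
                findings.append((href, f"mentions {brand} but resolves to {dest}"))
                break
        else:
            # Check 2: the visible text is itself a URL, and its host differs
            # from where the link really goes.
            if text.startswith(("http://", "https://")):
                shown = urlsplit(text).hostname or ""
                if registrable_domain(shown) != dest:
                    findings.append((href, f"shows {shown} but goes to {host}"))
    return findings


# Constructed sample: a "maintenance" notice of the kind described above.
SAMPLE_MAIL = """
<p>Facebook is doing maintenance. Please
<a href="https://www.facebook.com.account-verify.example/update">update your information</a>.</p>
<p>Or visit <a href="https://secure-login.example/li">https://www.linkedin.com/settings</a></p>
<p>HR portal: <a href="https://portal-example-corp.net/hr">https://portal.example-corp.com/hr</a></p>
<p>Legitimate: <a href="https://www.linkedin.com/feed/">LinkedIn feed</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{href}: {reason}")
```

Running it on the constructed message flags the first three links and leaves the genuine LinkedIn link alone. The two-label `registrable_domain` is the weak point of the toy: a production filter should use the Public Suffix List, and nothing here replaces the advice to type the address yourself.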