Beware of Being Tricked! Social Engineering Techniques and Countermeasures

As technology evolves, so do cybersecurity threats.

Among them, “social engineering,” which cleverly exploits human psychology, is attracting attention as a dangerous attack method that can slip through even the latest security measures.

This article will explain in detail the reality of social engineering and the effective countermeasures that each of us can take.

Table of Contents

  1. What is Social Engineering?
  2. Main Methods of Social Engineering
    1. Impersonation
    2. Spear Phishing
    3. Shoulder Hacking
    4. Trashing
    5. SNS Abuse
  3. Common Examples of Damage
    1. Information Leak at the Japan Pension Service
    2. Cryptocurrency Leak from Cryptocurrency Exchange
  4. Effective Countermeasures Against Social Engineering Attacks
    1. Formulation of Corporate Guidelines
    2. Introduction of Security Software
    3. Entry/Exit Management, Information Management on Desks
    4. Thorough PC and Smartphone Locking
    5. Creation of SNS Usage Rules
  5. Summary

1. What is Social Engineering?

Social engineering is a technique that uses human psychological vulnerabilities and behavioral patterns, rather than technical means, to illegally obtain confidential information or infiltrate systems.

Attackers skillfully manipulate human emotions such as trust, compassion, and fear to extract information from victims or make them take illegal actions.

The particular danger of this method is that it bypasses the latest security systems and advanced technical measures and directly targets the most vulnerable part: the “human.”

2. Main Methods of Social Engineering

Social engineering techniques vary widely. Here are some of the most common and dangerous methods.

Understanding these methods will increase your awareness of potential threats and be the first step in protecting yourself and your organization.

2-1. Impersonation

Impersonation is, as the name suggests, a method in which an attacker impersonates a trusted person or organization to extract information from the victim.

For example, consider the following methods:

  • Posing as an IT department representative and asking for passwords under the guise of “system updates.”
  • Impersonating a boss or executive of a business partner and requesting urgent transfers or transmission of confidential information by email.
  • Making phone calls posing as a bank employee and asking for account information or credit card numbers.

Attackers use social status and position to put psychological pressure on victims to try to extract information that they would not normally disclose.

2-2. Spear Phishing

Spear phishing is a phishing scam that targets specific individuals or groups. “Phishing” is an attack that sets traps for an unspecified number of people, as typified by phishing emails, but spear phishing differs in that it targets specific individuals, companies, or organizations.

For example, consider the following methods:

  • Sending sophisticated fake emails disguised as coming from business partners, whose attached files infect the recipient with malware when opened.
  • Sending emails in the name of a real boss that direct the recipient to a fake login page in order to steal their credentials.
  • Inducing people to enter personal information on fake news sites with topics of interest (e.g., the latest information on the coronavirus).

In this way, spear phishing is characterized by the fact that it sets traps in a sophisticated manner tailored to the target, making it difficult to detect.

Attackers collect information about the target in advance and create highly credible emails.
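The boss impersonation described in 2-1 and the disguised business-partner mail described in 2-2 leave traces in the message headers that a mail gateway can check before a person ever reads the mail. The following is an added example, not code from the original article; the executive list, the trusted domains and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed reference data (assumption: in a real deployment this comes from
# the HR directory and the maintained list of partner domains).
EXECUTIVES = {"taro yamada": "example.co.jp"}  # display name -> domain really used
TRUSTED_DOMAINS = {"example.co.jp", "partner.example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spear_phishing_signals(raw: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    # 1. A known executive's name on a message from a domain they never use.
    real = EXECUTIVES.get(name.strip().lower())
    if real and domain != real:
        signals.append(f"display name '{name}' belongs to {real}, sent from {domain}")
    # 2. Sender domain imitates a trusted one (typo-squat or embedded brand name).
    if domain not in TRUSTED_DOMAINS:
        for t in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, t) <= 2:
                signals.append(f"sender domain {domain} looks like {t}")
            elif t in domain and not domain.endswith("." + t):
                signals.append(f"sender domain {domain} embeds trusted name {t}")
    # 3. Replies silently redirected to a mailbox outside the sender's domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        signals.append(f"Reply-To goes to {reply}, not to the From domain")
    return signals

# Constructed samples: a forged "urgent transfer" from the boss, and a genuine mail.
PHISH = """From: Taro Yamada <taro.yamada@examp1e.co.jp>
Reply-To: ceo-office@mail-relay.example.net
Subject: Urgent transfer

Please wire the amount today.
"""
LEGIT = """From: Taro Yamada <taro.yamada@example.co.jp>
Subject: Lunch
"""
```

Running `spear_phishing_signals(PHISH)` yields three indicators (wrong domain for the executive's name, a lookalike of example.co.jp, and a redirected Reply-To), while the genuine message yields none; in practice such signals would feed a quarantine or a warning banner rather than a hard block.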

2-3. Shoulder Hacking

Shoulder hacking is a method of stealing information by peeking at other people’s screens or documents in offices or public places.

For example, consider the following methods:

  • Watching a colleague enter a password in the office and reading the keystrokes.
  • Peeking at a neighboring passenger’s smartphone screen on the train and stealing SNS login information.
  • Stealing the contents of confidential documents from the screen of a person’s laptop while working at a cafe.

This is an attack that takes advantage of gaps in physical security.

It is carried out by targeting situations where the victim is unwary of their surroundings.

2-4. Trashing

Trashing is a word that means rummaging through trash, and refers to the practice of searching for documents or data containing confidential information from the trash discarded by companies or individuals.

Specific examples include the following:

  • Recovering confidential documents that have not been shredded from office trash cans.
  • Extracting information from discarded old hard drives using data recovery software.
  • Finding ATM statements and credit card bills from household garbage bags.

Documents and electronic devices that have not been properly disposed of are targeted.

Attackers may combine this information to create a detailed profile of an individual or organization and use it for further attacks.

2-5. SNS Abuse

As the name suggests, this is a method of collecting and analyzing information available from SNS, grasping the target’s personal information and behavioral patterns, and then launching an attack.

For example, consider the following methods:

  • Using career history and relationship information published on SNS to create highly credible impersonation emails.
  • Looking at posts about being on vacation and targeting the empty house for intrusion.
  • Sending friend requests from fake accounts and collecting private information after approval.

Be careful about excessive disclosure of information and friend requests from fake accounts.

Attackers combine information on SNS to launch more effective attacks.

These methods may be used alone, but in many cases several of them are combined: for example, an attacker collects information from SNS and then crafts spear phishing emails based on it. A single countermeasure is therefore not enough; comprehensive security awareness and layered countermeasures are important.

3. Common Examples of Damage

Let’s check out some examples of damage caused by social engineering attacks.

Understanding these examples should help you understand the realistic threat of social engineering attacks and increase your awareness of defense for yourself and your organization.

3-1. Information Leak at the Japan Pension Service

In 2015, in the incident in which approximately 1.25 million pieces of personal information were leaked from the Japan Pension Service, targeted email attacks (spear phishing) were used.

An employee opened an attachment to a suspicious email, which led to infection with malware and a large-scale information leak.

This incident revealed that even public institutions are at risk of cyberattacks, and triggered increased social interest in information security.

3-2. Cryptocurrency Leak from Cryptocurrency Exchange

In 2018, approximately 58 billion yen worth of virtual currency NEM (Nem) was illegally leaked from Coincheck, a major Japanese cryptocurrency exchange.

In this incident, it is said that the cause was that an employee’s computer was infected with malware.

It is highly likely that social engineering attacks such as phishing emails were used to infiltrate the company network.

Security software that automatically notifies the administrator when malware (viruses, etc.) is discovered prevents such infections from being overlooked.

In addition, functions such as protection of personal information and confidential data, prevention of data theft via USB memory, and control of screen captures can prevent unnecessary information leaks.

As a result, the Financial Services Agency strengthened its supervision of cryptocurrency exchange operators and demanded thorough security measures.

This incident exposed the security risks of the rapidly growing cryptocurrency industry and served as an opportunity to strongly recognize the need for appropriate regulations and security measures.

4. Effective Countermeasures Against Social Engineering Attacks

Social engineering attacks exploit human psychology, making them difficult to completely prevent. However, taking appropriate measures can significantly reduce the risk of damage.

Let’s check out the specific measures.

4-1. Formulation of Corporate Guidelines

It is important to clearly define information security policies and codes of conduct for employees and to conduct regular education and training. When each employee understands the importance of security and takes appropriate actions, the overall security level of the organization will improve.

In particular, it is effective to focus on educating employees on how to deal with situations that they are likely to encounter on a daily basis, such as how to respond to suspicious emails and how to verify identity over the phone.

4-2. Introduction of Security Software

By introducing the latest antivirus software and firewalls and keeping them up to date at all times, you can prevent malware intrusion and unauthorized access.

By thoroughly utilizing the latest technologies and tools, it is possible to reduce the risk of human error and enable early detection and response to attacks. In particular, it is important to always maintain the latest countermeasures against new types of malware and advanced attacks.

4-3. Entry/Exit Management, Information Management on Desks

Strictly manage entry and exit to the office and restrict access by unauthorized persons. Installing security cameras in important locations is also effective. In addition, thoroughly implement a clean desk policy and be careful not to leave confidential information on your desk.

By strengthening physical security in this way, the risk of internal crime and unauthorized access from outside can be reduced. It also leads to improved employee awareness of information security.

4-4. Thorough PC and Smartphone Locking

When using a PC, it is important to use a wire lock and make it mandatory to lock the PC whenever you leave your seat.

This applies to smartphones as well as PCs: always keep the OS and apps up to date, and make use of biometric authentication such as fingerprint or facial recognition. Also, introduce multi-factor authentication whenever possible.

4-5. Creation of SNS Usage Rules

Create guidelines for corporate and individual SNS use, avoid excessive disclosure of information, and encourage caution when interacting with suspicious accounts.

SNS is a place where information close to an individual’s private information is gathered, making it a great source of information for attackers.

By setting appropriate usage rules, the risk of information leakage can be reduced, and with it the threat of social engineering attacks.

Summary

Social engineering is a sophisticated attack method that exploits human psychology and cannot be completely prevented by technical measures alone.

To prevent such damage, it is essential to improve individual awareness and take organization-wide initiatives. It is important to compare ease of use, functionality, cost performance, etc., and select a service that suits the size and needs of the company.

It is important to always be vigilant, educate employees, and introduce appropriate security measures to improve the overall security level of the organization.

Why not review your organization’s security measures with reference to this article?

globalsupport@jiran.com
