19. Describe ways a social engineering attack could take place (AC 4.3)

There are numerous ways a social engineering attack could take place.

A common method is baiting, where an attacker tempts the victim with something they know the victim wants or needs, such as a free download of a triple-A game or a USB stick labelled "Final Exam Answers". If the victim clicks the link or plugs in the USB stick, malware gets installed on their device, potentially stealing their information or taking control of the system.

Another method is pretexting. This involves an attacker pretending to be someone in a position of authority, like a bank employee or an IT support technician. For example, they might call the victim and say "We've detected unusual activity on your account. To confirm your identity..." If the victim falls for it and provides the requested credentials, the attacker now has access to their account.

A very popular form of social engineering is phishing, where cybercriminals send fake emails in great numbers. This one is more about quantity than quality. The emails appear to be from trusted companies such as Amazon, PayPal or HMRC and might say something along the lines of "Your account has been suspended due to suspicious activity. Click here to verify your credentials." The link leads to a fake login page where the victim enters their credentials, thinking they have averted the crisis, when in fact they have just given the attackers exactly what they wanted.

Spear phishing is a more targeted form of phishing. Instead of sending millions of emails, spear phishing focuses on one individual. The attacker researches this individual and crafts a more personalised email, for example pretending to be the company IT department and asking the victim to reset their password through a fake website.

Whale phishing is exactly like spear phishing, but the targets are senior executives (CEOs, CFOs, COOs), political office holders and organisational leaders who can authorise large payments: basically all the people who have access to more money than the average person.

Some attacks don't involve technology at all. Impersonation allows attackers to pretend they are, for example, a delivery driver. Once in the building, they might walk into an office claiming they have an urgent package for the finance department, and if no one is watching or they are left alone, they could steal documents, plug in a malicious USB drive or install malware on a computer.

Another technique is called spoofing. In this scenario the attacker might call an employee from a seemingly legitimate phone number; the attacker has forged the caller ID to present a false name and number, pretending to be from the IT department. The attacker would say something like "I'm from IT support, and we need remote access to fix a security issue." If the victim falls for it, the attacker now has access to the network.

Tailgating is a very simple physical attack that relies on people's tendency to be polite, especially here in the UK. This attack is similar to impersonation: the attacker would be wearing the proper dress code, carrying the appropriate equipment and a cup of coffee to add casualness. They walk up to a security door where a key card or similar is required at the same time as an employee, and the employee holds the door open for them, assuming they belong there. Now the attacker has entered a secure area without needing a key card or password.

Shoulder surfing is the most low-tech but still very effective method, where an attacker watches someone enter sensitive information. This could be a PIN at a cashpoint, a password on a laptop in a coffee shop, or a security code on a phone screen. A quick glance is sometimes all it takes and the attacker has everything they need.
