Social engineering


In this module we look at a type of attack that relies on one of the most effective tools an attacker has: psychological manipulation. It exploits natural human traits such as curiosity, fear, helpfulness and inattention. A well-manipulated victim makes a security mistake and hands the attacker sensitive data, access rights, or money. Read the stories of people who have met the best-known and most common social engineering techniques first-hand. Don't worry, we won't just scare you: each story also gives the resolution and shows how to avoid a similar scenario. Through these fictional stories we mainly want to show how inventive and insidious attackers in cyberspace can be, and what they are willing to do to reach their goal.

Baiting

Marie, 42 years old
HEAD OF UNIVERSITY LIBRARY

Marie is considered by her colleagues to be a responsible head of the university library. No wonder, she has been in this position for ten years. One day, on her way to work, Marie finds a bright yellow flash drive labeled "Teambuilding Photos" in the parking lot. Marie examines the flash drive for a moment and finally decides to take it. After all, it is lying in front of the building where she works, and someone might be missing it. She takes it to the reception, where the owner will surely claim it. But when she arrives at her office, Marie can't resist. What kind of teambuilding was it? And what interesting photos might she find there? She will return the flash drive, but only after she checks the contents herself. After all, it belongs to her colleagues, and if not, at least she will know that it is not worth handing the drive to the reception and will come up with another solution. She plugs the medium into her work computer and opens the folder. However, she finds no photos, just some nonsensical files. The photos must have been deleted, she thinks. Too bad. She removes the drive and takes it to the building's reception with the intention of reporting the find.

At this moment, Marie has no idea that she has become a victim of so-called Baiting - a social engineering method that exploits our natural curiosity. The attacker's goal in this case was to motivate one of the employees with an enticing label on the drive to plug the medium into their workstation. While Marie was looking for photos, malicious software was already running behind her back, which may now have control over her computer. What will it do?

Marie is lucky: her work computer has a fully updated antivirus program that catches the malicious software. It does not always end this way, and antivirus is the last line of defence, not the first. The safe response to a found drive is not to plug it into any computer at all, but to hand it, untouched, to reception or the IT department.

Blagging

Dominika, 32 years old
MARKETING SPECIALIST

"Hi Domi! Please, I'm in big trouble! I went on a business trip and my wallet was stolen, I have no way to get back home. Could you please send me money for a ticket through this link? Please, save me! Petr."

This email reached the main character of the story about the technique known as Blagging. Dominika quickly read that her colleague was in trouble and of course wanted to help immediately; Petr would do the same for her, right? In the rush to respond to the urgent situation, she did not notice that the email came from a completely different address, one that matched neither Petr's work nor his personal address. Had Dominika sent the money, she would have become a victim of one of the social engineering techniques: a method in which the attacker manipulates the victim with an engaging and urgent story.

In Blagging there is usually a request for a certain sum of money. The attack in our story was sophisticated in that the attacker used the real identity of Dominika's colleague. How did he know that Petr really was on a business trip? He has many other social engineering techniques at his disposal for gathering exactly this kind of information. What if Petr, for example, publicly shared a photo from abroad on social media? The attacker then only needs to invent an engaging story and forge the sender's name or address. But how do you defend against Blagging?

If you receive a message like Dominika's, first check the sender's actual address, not just the displayed name, which is trivially forged. If the address does not match the format of your university's addresses, it's time to be alert. Then verify the request through a channel the attacker does not control: call Petr on the number you already have, or ask a colleague who is in touch with him. Never use the link or the contact details supplied in the message itself.

Phishing

Zdeněk, 38 years old
FRENCH TEACHER

In his story, Zdeněk faces the most widespread type of social engineering attack - phishing. Phishing usually takes the form of sending mass fraudulent emails. These fraudulent emails try to extract various login credentials from the user. In personal life, it can be the username and password for a bank account, at work, it can be access to work applications and systems. In a university environment, it is most often access to the information system. But what if the attackers change tactics and start targeting your Microsoft 365 account? Zdeněk encountered such an attempt.

Zdeněk received an email on Friday afternoon offering excellent language courses with generous discounts in the attached document. Excited, he clicks on the attachment. Suddenly a window pops up asking him to grant an application permission to access his Microsoft 365 account data: the calendar, contacts and other items. This is an application consent prompt, and by agreeing Zdeněk would give the attackers' application lasting access to his Microsoft 365 account without ever typing his password. What should look suspicious to Zdeněk, and to you, the reader, at first glance?

Simply opening a file never requires you to grant an application access to your account data (your contact list, your calendar, or anything else). If such a prompt appears when you open a document, it is a third-party application asking for permissions, not Microsoft 365 itself, however familiar the name and icon in the prompt may look.

Each application should request access only to the items needed for its primary function. If Zdeněk is opening a link to a Word document from Microsoft 365, why would the application need his calendar, or the ability to read all his files? If in doubt, cancel the prompt; permissions that have already been granted can be reviewed and revoked afterwards, by you in your account's application settings or by the university's administrators.
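What a reviewer actually looks at in a prompt like Zdeněk's is the list of requested permissions (scopes). The following is an added example, not code from the course: it pulls the scopes out of a Microsoft 365 consent URL and compares them with what an app of the declared purpose plausibly needs. The permission names are real Microsoft Graph delegated-permission names; the consent URL, the client_id, the "document viewer" purpose and its allowlist are constructed assumptions for this demonstration.

```python
"""Reviewing the permissions behind a Microsoft 365 application consent prompt.

Added example, not part of the course text. Scope names are real Microsoft
Graph delegated permissions; the consent URL, client_id and the per-purpose
allowlist are assumptions made up for the demonstration.
"""
from typing import Dict, Iterable, Set
from urllib.parse import parse_qs, urlsplit

# Assumption: what an app that only opens a document could legitimately need
EXPECTED_SCOPES: Dict[str, Set[str]] = {
    "document viewer": {"openid", "profile", "User.Read", "Files.Read"},
}

# Permissions that give the app (and whoever controls it) broad, lasting access.
# Descriptions paraphrase Microsoft's own permission descriptions.
HIGH_RISK: Dict[str, str] = {
    "offline_access": "refresh token: the app keeps access after you close the page",
    "Mail.Read": "read all mail in your mailbox",
    "Mail.ReadWrite": "read, move and delete all your mail",
    "Mail.Send": "send mail as you",
    "Contacts.Read": "read your contacts (a ready list of the next victims)",
    "Calendars.ReadWrite": "read and modify your calendars",
    "Files.Read.All": "read every file you can access, including shared ones",
    "Files.ReadWrite.All": "read and modify every file you can access",
    "Directory.Read.All": "read directory data such as all users and groups",
}


def scopes_from_consent_url(url: str) -> Set[str]:
    """The v2.0 authorize endpoint carries the requested scopes, space-separated,
    in the 'scope' query parameter; return them as a set."""
    query = parse_qs(urlsplit(url).query)
    return set(query.get("scope", [""])[0].split())


def review_consent(app_purpose: str, requested: Iterable[str]) -> Dict[str, object]:
    """Compare requested scopes with what the declared purpose needs.

    verdict: 'ok' if nothing beyond the allowlist is requested,
             'ask-admin' if extra but low-risk scopes are requested,
             'deny' if any high-risk scope is among the extras.
    """
    expected = EXPECTED_SCOPES.get(app_purpose, set())
    excess = sorted(set(requested) - expected)
    high_risk = {s: HIGH_RISK[s] for s in excess if s in HIGH_RISK}
    verdict = "deny" if high_risk else ("ask-admin" if excess else "ok")
    return {"excess": excess, "high_risk": high_risk, "verdict": verdict}


# Constructed consent URL matching the story: a "document" that wants the
# calendar, contacts, all files, all mail and persistent access.
CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"   # placeholder, not a real app
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcourses.example%2Fcallback"
    "&scope=openid%20profile%20User.Read%20Files.Read.All%20Contacts.Read"
    "%20Calendars.ReadWrite%20Mail.Read%20offline_access"
)

if __name__ == "__main__":
    result = review_consent("document viewer", scopes_from_consent_url(CONSENT_URL))
    print(result["verdict"])
    for scope, why in result["high_risk"].items():
        print(f"  {scope}: {why}")
```

The same logic can be run by an administrator over the consent grants recorded in the tenant's audit log; for the end user the lesson is the shorter version in the text: a document does not need your mailbox, and `offline_access` means the access outlives the browser tab.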

Pharming

Štěpánka, 29 years old
PhD STUDENT

Although pharming may seem similar to phishing in its consequences, it is less common in real life because it requires more work from the attacker. However, this does not mean that we should not be cautious, and the same goes for PhD student Štěpánka.

Like every workday morning, Štěpánka started her day by logging into the Information System from the bookmark in her browser's toolbar. She has had this bookmark for years, so she did not notice that the URL in the address bar differed slightly from the usual one, and she unknowingly handed her credentials to the attacker. How could this happen? The attacker might have compromised the university's DNS server (or the DNS settings or hosts file of her own computer) and redirected her to an almost identical copy of the login page on a lookalike address. This is also why the address changed at all: had the fake server kept the real host name over HTTPS, it could not have presented a valid certificate for it and the browser would have shown a certificate warning. Not every pharming attack needs to be this extensive: if the attacker were targeting Štěpánka's online banking, they could use phishing to plant malware that shows an almost identical copy of the login page the next time she opens her bank's site.

So what should we (and Štěpánka) do to avoid handing over our credentials? Besides the rules for preventing phishing, check the address bar to make sure you are on the legitimate site (the exact host name, and a valid HTTPS connection with no warning), and do not neglect regular antivirus checks. Where possible, also turn on two-factor authentication for web applications; bear in mind that a one-time code typed into a fake page can be relayed to the real site by the attacker, so phishing-resistant methods such as a security key are better still.

Spear-Phishing

Jana, 24 years old
ECONOMIST

Spear-phishing can be called the more sophisticated sibling of phishing techniques. What makes it insidious? This is experienced by the novice economist Jana. Each of us belongs to a certain group at work with specific rights and access. The most commonly targeted group by attackers are employees who handle financial resources and highly sensitive data. And Jana falls into this group.

Dozens of messages land in her work inbox every day. Today one of them was titled "November Payroll Schedule." Besides that subject, the brief message contained only a link inviting her to open the document at the given address. After clicking the link, a textbook phishing page appeared on Jana's screen, mimicking the university's single sign-on login. Had Jana filled in the form, her credentials would have gone straight to the attacker, who could use them at will.

Why did Jana feel the urge to open this email? It related directly to her job, and that is exactly what the attackers were counting on. Moreover, it was well camouflaged among her other work emails. What could Jana have done to notice that something was wrong? And what can you watch for?

Despite the seemingly authentic look of the page, always examine the address bar carefully. Is the host name exactly the one you normally log in to, and not a lookalike or a different domain with the university's name in front of it? In a fast-paced workday there is little time to check every detail of an email or a website, but checking the address bar always pays off. Better still, do not log in through a link at all: open the system from your own bookmark or by typing the known address.
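The address-bar check recommended here, in the Pharming story above and again for links in SMS below comes down to one question: is the host in the URL exactly the expected login host? The following is an added example, not code from the course, showing the comparisons a careful reader performs in their head, including the tricks the stories describe: a slightly altered name, the real name bolted onto another domain, and a homograph typed with lookalike characters. The login host `is.example-uni.cz` and all sample URLs are constructed assumptions, and the "registrable domain" is simplified to the last two labels (production code would consult the Public Suffix List).

```python
"""Address-bar check: is this login page really on the university's host?

Added example, not part of the course text. Assumptions, labelled as such:
the real login host is 'is.example-uni.cz' (hypothetical) and all sample
URLs are constructed. registrable() takes the last two labels, which is a
simplification; real code would consult the Public Suffix List.
"""
import unicodedata
from urllib.parse import urlsplit

EXPECTED_HOST = "is.example-uni.cz"   # assumption for the example

# Characters attackers swap in because they look alike at a glance
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(host: str) -> str:
    """Reduce a host name to its visual skeleton so lookalikes compare equal."""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels back to Unicode
    except UnicodeError:
        pass                                         # already Unicode, or not IDNA
    decomposed = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from the real host is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])


def classify_login_url(url: str) -> str:
    """Classify the URL shown in the address bar relative to EXPECTED_HOST."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == EXPECTED_HOST:
        return "ok" if parts.scheme == "https" else "plain-http"
    # https://is.example-uni.cz@evil.example/ : the real name is only userinfo
    if "@" in parts.netloc and EXPECTED_HOST in parts.netloc.split("@")[0]:
        return "userinfo-trick"
    if registrable(host) == registrable(EXPECTED_HOST):
        return "same-domain-other-host"  # e.g. mail.example-uni.cz: not a lookalike
    if EXPECTED_HOST in host:
        return "lookalike"               # is.example-uni.cz.login-verify.example
    if levenshtein(skeleton(host), skeleton(EXPECTED_HOST)) <= 2:
        return "lookalike"               # is.examp1e-uni.cz, is.exämple-uni.cz
    return "unknown-host"


# Constructed sample: an IDN homograph, in the punycode form a browser may show
IDN_SAMPLE = "https://" + "is.exämple-uni.cz".encode("idna").decode("ascii") + "/login"

if __name__ == "__main__":
    for sample in ("https://is.example-uni.cz/auth",
                   "https://is.example-uni.cz.login-verify.example/auth",
                   "https://is.examp1e-uni.cz/auth", IDN_SAMPLE):
        print(classify_login_url(sample), sample)
```

The order of the checks matters: the exact host wins, then the tricks that hide the real name somewhere other than the host, and only then the fuzzy comparison. Anything that is not `ok` is a reason to close the tab and open the system from your own bookmark instead.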

Smishing

Radek, 47 years old
STUDENT AFFAIRS OFFICER

Radek has worked as a student affairs officer at the university for over 17 years and has learned that emails with malicious intent sometimes land in his inbox. He is therefore careful and diligently reports them. What Radek does not know is that attackers evolve and their attacks can target other devices too. This morning Radek received an SMS on his work phone saying that the university's COVID traffic light was turning red and that he should urgently log into the university's Information System through the attached link and immediately inform all his colleagues at the workplace about the situation. And what happens in such a situation? Exactly the same as with a fraudulent phishing email: Radek voluntarily handed his credentials to the attackers and even spread the alarming message among his colleagues, lending it his own credibility.

This type of attack is called Smishing. As the name suggests, it is phishing carried out via SMS. And it can come in a much more attractive form, such as a delivery notification from a food delivery service or a prize draw for a mobile phone. How to defend against this social engineering method?

Do not give out your phone number in publicly accessible places unless necessary. Do not reply to such SMS messages and definitely do not call the number given.

Do not click on a link in an SMS before verifying the sender's identity, if possible. Verification can be done through social networks, or you can enter the phone number into a search engine and read what others report about it. For a system you already use, such as the university's Information System, do not follow the link at all: open the system from your own bookmark or by typing its known address.

If you suspect that the incoming message does not have the purest intentions, do not hesitate to report it to your employer, and in the case of the university, to a competent person or directly to the cybersecurity team.

Vishing

Markéta, 36 years old
MEMBER OF A CHARITABLE FOUNDATION

After a long workday, Markéta was finally looking forward to a peaceful moment of reading before bed. At that moment her phone started buzzing, with an unknown number on the screen. Annoyed, Markéta answered, but before she could firmly explain how rude it is to call anyone so late, a professional-sounding voice introduced himself and immediately began to put pressure on her. He claimed that the bank account of the charitable foundation she manages had been compromised, that it was a major security incident, and that to secure the account the bank needed Markéta's immediate cooperation, ideally by providing the login details to the account, including the PIN.

Markéta was naturally confused and scared for a moment, but she quickly realized that it must be a fraudulent call; after all, login details are never shared with anyone, let alone the PIN. Markéta was right; she had become a victim of Vishing - voice-phishing, a technique similar to phishing but using a fraudulent call instead of an email to convince the victim.

As soon as Markéta realized the situation, she gave the fraudster no details and quickly ended the call. What should we and Markéta do next in a similar situation? Ideally, note the number the call came from, the time of the call, and what information the attacker wanted. If you want to check whether the account really is in trouble, call the bank yourself on the number printed on your card or published on its official website, never a number the caller gives you. With the notes, it is advisable to contact the police, who can significantly help in apprehending the perpetrator and preventing further attempts, which may not end as well as Markéta's story.

Pretexting

Lukáš, 19 years old
NEW STUDENT

Starting university can be extremely stressful, and that is how Lukáš, who is starting his first year, experiences it. Every day he receives emails and notifications about more or less important events from the academic world, and his inbox gradually fills with all sorts of invitations, instructions and requests. So when Lukáš received an email in which "university IT support" asked him to send his password to the information system to verify his identity as a student, he initially paid it little attention; he had many similar concerns and just added it to the imaginary pile of tasks to complete.

When he got to the request in more detail, however, he realized that sending access details by email to an unknown person, even one signing as a system administrator, is not a usual procedure. So he examined the message more closely and, comparing it with other emails from the university, found that the sender's address had a different format than usual. He decided not to send his details.

This decision protected Lukáš from the social engineering technique called Pretexting, in which the attacker invents a convincing story or scenario (the pretext) and uses it when communicating with the targeted victim to persuade them to cooperate, for example, as in Lukáš's case, by sending their access details to various accounts.

Remember that we should never send or disclose our login details and passwords to anyone, by any means of communication; no legitimate IT support ever needs your password. It also helps to check the sender's actual address in the email header, not just the displayed name, whenever there is any suspicion of foul play.
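The sender-address check that saved Lukáš here, and that Dominika skipped in the Blagging story, can be written down. The following is an added example, not code from the course: it parses a raw message with Python's standard `email` module and reports the things the stories mention, a From address outside the university domain, the university's name bolted onto a stranger's domain, a colleague's display name over a different address, and a Reply-To that diverts the answer. The domain `example-uni.cz`, the colleague directory and the three messages are constructed assumptions.

```python
"""Header checks behind "does this really come from a colleague / IT support?"

Added example; it is not part of the course text. Assumptions, labelled as
such: the university's legitimate mail domain is 'example-uni.cz'
(hypothetical), the directory of known colleagues is a small dict, and the
raw messages below are constructed for the demonstration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional

TRUSTED_DOMAINS = {"example-uni.cz"}   # assumption: the university's own domain

# Assumption: the address the directory lists for each colleague, keyed by name
KNOWN_COLLEAGUES = {"petr novak": "petr.novak@example-uni.cz"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str,
                 known: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable warnings; an empty list means nothing stood out.

    The From header is written by the sender, so these checks catch the lazy
    impersonation in the stories (free-mail address, bolted-on subdomain,
    forged display name, diverted Reply-To), not an exact forgery of the
    university domain; stopping that is the job of SPF/DKIM/DMARC on the
    mail gateway.
    """
    msg = message_from_string(raw_message)
    warnings: List[str] = []
    display_name, addr = parseaddr(msg.get("From", ""))
    if not addr:
        return ["missing or unparsable From address"]
    from_domain = domain_of(addr)

    if from_domain not in TRUSTED_DOMAINS:
        lookalike = any(t in from_domain for t in TRUSTED_DOMAINS)
        warnings.append(
            f"From domain '{from_domain}' is not a university domain"
            + (" (but contains one: lookalike)" if lookalike else ""))

    # Display-name spoofing: a colleague's name on top of a stranger's address
    if known and display_name:
        expected = known.get(display_name.strip().lower())
        if expected and expected.lower() != addr.lower():
            warnings.append(
                f"display name '{display_name}' belongs to {expected}, "
                f"but the address is {addr}")

    # A Reply-To elsewhere means your answer (and the money) goes to the attacker
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_to) != from_domain:
            warnings.append(f"Reply-To '{reply_to}' differs from the From domain")
    return warnings


# Constructed samples: the Blagging mail, the "IT support" pretext, a real one
BLAGGING_MAIL = """\
From: Petr Novak <petr.novak.trip@freemail.example>
Reply-To: petr.novak.trip@freemail.example
To: dominika@example-uni.cz
Subject: Please help

Hi Domi! I went on a business trip and my wallet was stolen...
"""

PRETEXT_MAIL = """\
From: IT Support <support@example-uni.cz.account-check.example>
Reply-To: helpdesk@account-check.example
To: lukas@example-uni.cz
Subject: Verify your identity

Please send us your information system password to verify your account.
"""

LEGIT_MAIL = """\
From: Petr Novak <petr.novak@example-uni.cz>
To: dominika@example-uni.cz
Subject: Lunch?

Coffee at 12?
"""

if __name__ == "__main__":
    for label, raw in (("blagging", BLAGGING_MAIL), ("pretext", PRETEXT_MAIL),
                       ("legit", LEGIT_MAIL)):
        print(label, check_sender(raw, KNOWN_COLLEAGUES) or ["no warnings"])
```

Note what this does not do: it does not verify that a message claiming `@example-uni.cz` really left the university's servers. That is an authentication question (SPF, DKIM, DMARC) answered by the mail gateway, which is why a message with no warnings here is still not proof, and why a call to the colleague remains the decisive check.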

Quid Pro Quo

Tereza, 26 years old
LAB TECHNICIAN

Quid pro quo is a technique that can find a place not only in an academic environment, and its consequences were almost experienced by lab technician Tereza. Tereza spends a lot of time in the laboratory and is devoted to her experiments and projects. She carefully stores the data related to them and keeps it secure, as it often involves sensitive information. One day, however, she received a message in which a partner research center asked her to send data from her research in exchange for a monetary reward. The message argued convincingly that the data would be used to extend Tereza's research with new methods, and that by sending it she would also strengthen relations between the workplaces, create new knowledge and advance the field as a whole.

Although the offer sounded tempting at first, while reading it Tereza noticed the strange address the message came from and soon realized that it was probably fraudulent rather than a genuine request. She then contacted the alleged partner center through another communication channel, and indeed, the research center had sent no such offer.

In reality, the attacker was only after the data, using the Quid pro quo technique, which relies on presenting a tempting offer, often with a mention of a financial reward, in exchange for something the victim holds. Thanks to her healthy caution, Tereza protected valuable research data from potential misuse.

Shoulder-Surfing

Kristýna, 21 years old
STUDENT

Kristýna narrowly avoided becoming a victim of Shoulder Surfing, a social engineering method that can happen practically anywhere and at any time. As the name suggests, Shoulder Surfing consists of reading important data (such as a PIN or a password) from the user's screen or keyboard. Literally, the attacker just needs to look over your shoulder and wait for the right moment. Even this can be the start of a cyber attack, and Shoulder Surfing may be just one piece of the puzzle.

One day Kristýna took the tram to school, as she does almost every day, and decided to check whether her exam grade had been recorded in the information system. The tram was crowded as usual, but Kristýna managed to get a seat. While she was logging in, she did not notice the stranger behind her, who had a clear view of her login form. How to avoid a similar situation?

Kristýna was lucky: her password was long enough that the observer could not read it in one glance. Next time she should also be mindful of her surroundings and, for example, stand with her back to the tram wall, or better yet use a password manager that fills in the password automatically, so that it is never typed in public at all. And of course, where possible, she should use 2FA, which makes an observed password alone useless to the attacker.

Sniffing

Mikuláš, 47 years old
PUBLISHING WORKER

Working in a university publishing house involves quite a lot of paperwork and correspondence, especially in a marketing and PR position. Mikuláš doesn't mind the paperwork, but he does not get along with the new email client recommended by the university. Its user interface is unintuitive, unnecessarily complicated and generally unfriendly. While browsing the internet, however, he came across a beautifully designed application that promised simpler and much clearer access to his mail. And such an aesthetic environment! Mikuláš was delighted and immediately installed the application on his work computer.

At a work party he then boasted about his solution to a colleague from the IT department. How surprised he was when the colleague strongly recommended that he uninstall the application immediately and return to the verified client. The application used an outdated, unencrypted protocol for downloading mail, so his username, password and messages crossed the network in plaintext, which made it susceptible to exploitation through Sniffing.

In this technique, attackers place a program on a network they can reach (a shared Wi-Fi, for example) that "eavesdrops" on the information passing through it, much as the police in detective stories tap a phone line to catch the perpetrator. Encrypted traffic yields the eavesdropper only ciphertext; unencrypted traffic yields everything, including passwords. As in Mikuláš's story, the best defence against Sniffing is to listen to your IT colleague and always use verified software recommended or provided by the university for work matters.
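To make the difference between Mikuláš's pretty client and the verified one concrete, here is an added example, not code from the course, of what a sniffer on the same network segment can pull out of captured mail traffic. It scans client-to-server payloads for the login commands of plaintext POP3 (port 110) and IMAP (port 143) and skips anything that is a TLS record, whether on the dedicated TLS ports (995/993) or on 143 after a STARTTLS upgrade. The capture, mailbox, password and TLS bytes are constructed for the demonstration.

```python
"""What a sniffer sees when a mail client uses an unencrypted protocol.

Added example, not part of the course text. The "packets" are constructed
client-to-server payloads as a sniffer on the same network segment would
capture them; the mailbox, password and TLS bytes are made up.
"""
import re
from typing import List, Tuple

Packet = Tuple[int, bytes]   # (destination port, captured client payload)

# Plaintext POP3 and IMAP send credentials as readable commands
POP3_USER = re.compile(rb"^USER\s+(\S+)", re.M)
POP3_PASS = re.compile(rb"^PASS\s+(.+?)\r?$", re.M)
IMAP_LOGIN = re.compile(
    rb'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\r\n]+?)"?\r?$', re.M | re.I)


def is_tls_record(payload: bytes) -> bool:
    """TLS records start with a content type (0x16 handshake, 0x17 application
    data) followed by a 0x03 0x0X version; that header is all a sniffer gets."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03


def harvest_credentials(capture: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (protocol, username, password) for every plaintext login seen."""
    found = []
    for port, payload in capture:
        if is_tls_record(payload):
            continue   # IMAPS/POP3S, or a STARTTLS-upgraded session: ciphertext only
        if port == 110:
            user, pw = POP3_USER.search(payload), POP3_PASS.search(payload)
            if user and pw:
                found.append(("POP3", user.group(1).decode(), pw.group(1).decode()))
        elif port == 143:
            m = IMAP_LOGIN.search(payload)
            if m:
                found.append(("IMAP", m.group(1).decode(), m.group(2).decode()))
    return found


# Constructed capture: the pretty client on the plaintext ports, the university
# client on IMAPS (993), and a session on 143 after a STARTTLS upgrade.
CAPTURE: List[Packet] = [
    (110, b"USER mikulas@example-uni.cz\r\nPASS Winter2024!\r\n"),
    (143, b'a001 LOGIN "mikulas@example-uni.cz" "Winter2024!"\r\n'),
    (993, b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03"),   # TLS ClientHello prefix
    (143, b"\x17\x03\x03\x00\x3a\x7f\x11\x0c"),               # TLS application data
]

if __name__ == "__main__":
    for proto, user, password in harvest_credentials(CAPTURE):
        print(f"{proto}: {user} / {password}")
```

The same scan, run by the IT department over its own network captures, is a quick way to find clients that still authenticate in plaintext. The remedy is the protocol setting, not the client's looks: IMAP over TLS on port 993 (or STARTTLS on 143) and POP3 over TLS on 995, which is what the verified client is configured for.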

Tailgating

Michal, 28 years old
RESEARCHER

Today researcher Michal will experience first-hand that social engineering and cyber attacks are not just about our devices, email inboxes or servers. On a busy Monday morning Michal enters his department, and just as he swipes his card at the entrance a young woman calls out to him: "Can you let me in, please? I left my card at home." Michal gallantly obliges and holds the door open for her. He has only been working at the university for two months, so he does not yet know all his colleagues. He does not know that he will never see the young woman again. What Michal certainly does not know is that he has just become a victim of so-called Tailgating, which can have far-reaching consequences. How could this happen?

Tailgating is a social engineering method that thrives mainly in large organizations, where not all employees know each other and it is therefore harder to tell who really works there. That is what attackers count on. To succeed, it is enough to act confidently and ideally distract the victim. Once the attacker is inside a restricted area, they can cause a lot of trouble, from copying data off an unencrypted disk to planting malicious code on a manager's device. How can Michal and you defend against Tailgating?

If you are entering a restricted area, always use only your own identification card and keys, and never lend them to anyone, not even colleagues. If someone asks you to let them in, direct them to reception or to their own card; it is not rude, it is the procedure. And finally, something to think about: have you let someone unknown into your workplace recently?

Trashing

Lenka, 43 years old
PAYROLL ACCOUNTANT

Lenka, who works in the personnel and payroll department of a larger city's office, started her new job three months ago. Last week she was assigned to issue a certificate of employment for a departing employee. Lenka prepared everything, but at the handover the employee noticed a small typo in his surname. Lenka prepared a new certificate and quickly threw the old one in the trash. A few days later, a copy of this certificate was circulating on the internet. The certificate contained very sensitive information that none of us would want made public, for example whether any court-ordered deductions were made from the salary.

So what happened? Lenka immediately suspected malware on her computer, but the explanation is much simpler. So-called Trashing (also known as dumpster diving) is a social engineering technique in which the attacker obtains information from discarded office waste. Yes, you read that right. That is how the certificate reached the internet, from where it will probably never disappear. How to defend against Trashing?

The most effective method is prevention. Attackers can be very skillful in obtaining sensitive data and information, especially when the victim is targeted.

Remember that trash cans are not black holes. Even if you tear or cut a document by hand, a skilled attacker can piece it together. Unneeded documents belong in a shredder; a cross-cut shredder, rather than a strip-cut one, makes reassembly far harder.

Author: CRP-Kyber, edited and translated by Jiří Krčmář | Date: 21.09.2024