The Secret Behind Hacking -- Adishree Das




Cyber Student Crew Writer: Adishree Das

Every day, 54 billion spam emails are sent, and there is more to those emails than meets the eye.


What do you think of when someone says "hacker"? Most people picture a mysterious, highly technical person. But hackers don’t have to rely only on technical skills to get information from you. In fact, one often-quoted figure is that 84% of hackers use social engineering and psychology to get at your data. But what even is social engineering?


Social engineering is the art of tricking you into doing something you shouldn’t do, or into giving up confidential information, most often through email but also by phone, text message, or in person. Humans fall for it because we tend to trust and help other people, or curiosity gets the better of us and we open the message.


It might seem pretty simple, but there are a lot of ways to pull it off. The most popular is phishing: a hacker sends you an email that pushes you to click a link or open an attachment. The link may lead to a fake login page that captures your password, and the attachment may install malware; some malware then emails itself to everyone in your contacts, so the attack spreads. Spear phishing is the targeted version: the email includes a bit of personal information about you, so the hacker has to research you first, but it works better because you are more inclined to trust someone who seems to know something about you. If they know something about you, they probably know you in real life. Or so you think.


Another interesting way to use social engineering is typo-squatting. Typo-squatting is when a hacker registers a domain that looks like a popular website’s (ex: Google) but is spelled wrong (ex: Gogle). Everyone makes typos sometimes, and that’s what makes this type of attack dangerous: someone who mistypes the address lands on a website made by the hacker instead of the one they meant to visit. Some of these websites install malware on your device without you even knowing. When a website installs software on your computer without you clicking any download link, usually by exploiting a vulnerability in your browser or one of its plugins, it is called a drive-by download. Cybercriminals take advantage of this because it spreads malicious software that steals your personal information without anyone realizing it.


Hackers usually make the fake website look like the real one, so you don’t even realize you are on the wrong site. Typo-squatting can be used in many ways. For example, if you misspell Amazon, you might land on a page that looks like Amazon. Then, when you log in with your username and password, the site captures them and uses them to buy things on your real Amazon account.



This usually happens to popular websites like Facebook (Photo by Simon on Pixabay)



There are many other (less well-known) ways of using social engineering to hack. Smishing is phishing over SMS text messages, and vishing is phishing over a phone call, where the caller tries to talk you into giving up information or access. Other techniques include baiting (leaving an infected USB stick or a tempting download for you to find), scareware (fake virus warnings that push you to install "protection"), and friend requests from fake social media profiles.


All over the news, there are so many reports of cybercriminals using social engineering and psychology to get into people’s data and personal information. For all you know, you might be next. So, what should you do to make sure you won’t be hacked?


To identify a social engineering attack, ask yourself these questions every time you visit a website or get a message from an unknown sender:


  • Are they trying to make me feel a certain way?

A lot of the time, hackers try to spark a certain emotion in you. For example, cybercriminals might try to make you feel really scared by sending you a message that your house is being robbed or your Google account is insecure. They can also try to make you excited by sending you a message that you won the lottery! Be wary of these kinds of emails, because the emotion is there to stop you from thinking.


  • Does this come from a legitimate sender?

Look at the email address, profile picture, or phone number carefully. It might look similar, but check for misspellings. For example, you might think an email is coming from noreply@gmail.com, but it’s actually coming from noreply@yahoo.com or norepl@gmail.com. They might even use a 1 or a capital I instead of a lowercase l, or swap in other similar-looking characters. Look at the actual address, not just the display name next to it, because the display name can say anything.


  • Does the website I’m on look right?

Look at the URL of the website you are on. Does it have any typographical errors? Then look at the layout and design. Hackers usually try to make the fake website look like the real one, as stated previously, but it is hard to get every detail right. A careful copy can still be convincing, though, so the address bar is the more reliable check.



Think before pressing go. (Photo by mkweb2 on Pixabay)




  • Are they asking for information they should already have?

If a friend or family member asks for personal information, make sure it’s really them before handing it over. This applies especially to information they should already know, like your name, birth date, or your username on a website.


When you are online, the best protection against social engineering attacks is to slow down. Ask yourself why a message wants you to act fast. Even if the sender seems to be someone you know, check with them through another channel before downloading or opening anything. Hovering over a link shows the actual URL it leads to, which may be different from the text you see. If you don’t remember entering a contest, you can’t have won the prize. Unexpected messages from people or organizations you have never dealt with are very often scams. Never type your username and password into a form you reached from a link in an email.
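The checks above (a misspelled or look-alike domain, a trusted name hidden inside a longer address, and link text that names a different site than the link actually goes to) can be turned into a small script. The following is an added example written for this article, not code from the original post or from any product it mentions. It assumes a short list of trusted domains, a small table of confusable characters, a "last two labels" rule for the registrable domain (no public-suffix list), and an edit-distance threshold of two; the HTML email it scans is constructed for the example.

```python
"""Flag look-alike links in an HTML email (added example, not from the article)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Domains the reader actually uses (assumed list for the example).
TRUSTED_DOMAINS = ["amazon.com", "facebook.com", "google.com", "paypal.com"]

# Characters attackers swap for look-alikes (1 or I for l, 0 for o, ...).
# Deliberately small; both sides of every comparison are folded with it.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})

# A host name the visible link text might claim, e.g. "https://google.com/claim".
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def normalize(host: str) -> str:
    """Lower-case, drop a leading www., fold confusables ('rn' reads as 'm')."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.translate(CONFUSABLES).replace("rn", "m")


def registrable(host: str) -> str:
    """Last two labels: login.amazon.com.evil.net -> evil.net (assumption: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'gogle.com' is one edit from 'google.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, Optional[str]]:
    """Return (verdict, trusted domain it resembles or None)."""
    raw = registrable(host.lower().rstrip("."))
    norm_host = normalize(host)
    reg = registrable(norm_host)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        if reg == t:  # identical after folding: genuine, or a pure character swap
            return ("trusted", trusted) if raw == trusted else ("homoglyph", trusted)
        if t in norm_host:  # trusted name used as a subdomain of the attacker's domain
            return ("embedded", trusted)
        if levenshtein(reg, t) <= 2:  # assumed threshold; catches gogle.com, amazn.com
            return ("typosquat", trusted)
    return ("unknown", None)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> Optional[str]:
    m = HOST_RE.search(text.lower())
    return m.group(0) if m else None


def analyze_links(html: str) -> list[dict]:
    """One finding per link; text_host_mismatch is what hovering would reveal."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict, matched = classify_host(host)
        shown = host_in_text(text)
        mismatch = shown is not None and registrable(shown) != registrable(host)
        findings.append({"href": href, "text": text, "host": host, "verdict": verdict,
                         "resembles": matched, "text_host_mismatch": mismatch})
    return findings


# Constructed sample message, not a real email.
SAMPLE_EMAIL = """
<p>Your account is locked! <a href="https://www.amazon.com/gp/css/homepage.html">Sign in</a></p>
<p>Or go to <a href="http://arnazon.com/login">amazon.com</a> to verify now.</p>
<p>You won! <a href="https://gogle.com/claim">https://google.com/claim</a></p>
<p><a href="https://amazon.com.account-verify.net/reset">Reset password</a></p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        flag = " (text/href mismatch)" if f["text_host_mismatch"] else ""
        print(f'{f["verdict"]:10} {f["host"]:35} resembles={f["resembles"]}{flag}')
```

On the sample message the first link is the only genuine one; the second is a homoglyph swap (rn for m) whose visible text also disagrees with the href, the third is a typo-squat, and the fourth hides amazon.com inside a subdomain of an unrelated registrable domain. Real tooling would replace the two-label rule with a public-suffix list and the tiny confusable map with the full Unicode confusables table.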


Cybercriminals can also use your social media to attack you online. There are a lot of people on social media platforms, and unfortunately, not all of them are good. Sometimes it’s best to set your accounts to private. Avoid sharing your full name, pet’s name, birthday, hometown, school, graduation date, clubs, sports teams, or hobbies on social media. Hackers can use even the smallest bits of information against you, for example to guess your passwords or answer your security questions.




(Photo by TheDigitalArtist on Pixabay)


"Social Engineering - The art of replacing what works with what sounds good." - Thomas Sowell

We all use the Internet every day, but it can also be used to psychologically pry information out of us.


RESOURCES:

https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/


https://terranovasecurity.com/examples-of-social-engineering-attacks/


https://www.mcafee.com/blogs/consumer/what-is-typosquatting/