Question 1

What Is Social Engineering?

Accepted Answer

Social engineering, according to its basic meaning, is the psychological manipulation of people with the primary goal of acquiring and disclosing confidential business and personal information. Social engineering attacks all share one goal: to get information or access from a user through human interaction. They do this using three key methods: imitation, intimidation, and manipulation.

Question 2

How the Social Engineering attack begins?

Accepted Answer

The attack typically begins with a well-crafted email or phone call. The sender has done their research and knows enough about you to make the message seem believable. For example, they may claim that your computer is experiencing technical issues, ask for credit card information to process a refund, or trick you into thinking they’re from tech support and need remote access to your computer.

Question 3

What is the reason of Social Engineering attack?

Accepted Answer

Social engineering attacks occur for a variety of reasons. Valuable information such as credit card numbers, social security numbers, and other personal or financial data is sold or used on the dark web. Another reason hackers commit cybercrime is to get access to a company's computer systems or networks. Once inside, they can wreak havoc by altering data, wiping files (a technique known as ransomware), or illegally selling them to make money. Finally, social engineering could be retaliation; perhaps the attacker is feeling angry, embarrassed, or jealous.

Question 4

What are the types and examples of Social engineering attacks?

Accepted Answer

Phishing: One of the most frequent social engineering attacks. Sending an email or text message pretending to be a genuine business in an attempt to dupe the recipient into disclosing personal information. Spear Phishing: Similar to phishing but explicitly targeting individuals or groups. Emails sent to the victim contain links and attachments to spread malware, steal data and escalate privileges within the system. Whaling (CEO Fraud): Whaling occurs when an attacker tries to trick the CEO, CFO or another highly ranked executive into giving up important information such as credit card numbers or login credentials using email or a web page with fake text. Baiting: It is a specific type of social engineering attack that involves putting malware (viruses, worms or Trojan horses) on removable drives such as USB sticks. Vishing (Voice Phishing): Vishing is an attack that uses voice technologies and messages to trick you into giving up personal information. Smishing attack: It is a type of phishing scam that targets mobile devices. For example, a message might say that your account is compromised, and you should text back with username and password information. Tailgating: This type of attack occurs when an unauthorized person follows someone with authorized access to a secure area and gains the same level of access without credentials or permission. Quid Pro Quo attack: A quid pro quo attack involves someone asking for your credentials in return for something (usually money). Watering Hole: A social engineering attack in which a hacker compromises a popular website frequented by their target and uses it to gain information about them. Dumpster Diving: involves attackers searching through the trash for documents holding personal or sensitive information. Farming vs Hunting: Hunting is the practice of gathering data from people with little or no personal interaction. On the other hand, Farming relies heavily upon establishing rapport to gain trust from their target before any real action occurs.

Question 5

What is Phishing?

Accepted Answer

Sending an email or text message pretending to be a genuine business in an attempt to dupe the recipient into disclosing personal information.

Question 6

What is Spear Phishing?

Accepted Answer

Similar to phishing but explicitly targeting individuals or groups. Emails sent to the victim contain links and attachments to spread malware, steal data and escalate privileges within the system.

Question 7

What is Whaling (CEO Fraud)?

Accepted Answer

Whaling occurs when an attacker tries to trick the CEO, CFO, or another highly ranked executive into giving up important information such as credit card numbers or login credentials using email or a web page with fake text.

Question 8

What is Baiting?

Accepted Answer

It is a specific type of social engineering attack that involves putting malware (viruses, worms, or Trojan horses) on removable drives such as USB sticks.

Question 9

What is Vishing (Voice Phishing)?

Accepted Answer

Vishing is an attack that uses voice technologies and messages to trick you into giving up personal information.

Question 10

What is Smishing attack?

Accepted Answer

It is a type of phishing scam that targets mobile devices. For example, a message might say that your account is compromised, and you should text back with username and password information.

Question 11

What is Tailgating?

Accepted Answer

This type of attack occurs when an unauthorized person follows someone with authorized access to a secure area and gains the same level of access without credentials or permission.

Question 12

What is Quid Pro Quo attack?

Accepted Answer

A quid pro quo attack involves someone asking for your credentials in return for something (usually money).

Question 13

What is Watering Hole?

Accepted Answer

A social engineering attack in which a hacker compromises a popular website frequented by their target and uses it to gain information about them.

Question 14

What is Dumpster Diving?

Accepted Answer

Dumpster Diving involves attackers searching through the trash for documents holding personal or sensitive information.

Question 15

Farming vs Hunting?

Accepted Answer

Hunting is the practice of gathering data from people with little or no personal interaction. On the other hand, Farming relies heavily upon establishing rapport to gain trust from their target before any real action occurs.

Question 16

How to prevent social engineering attacks?

Accepted Answer

1. Use different strong passwords and passphrases 2. Don’t share data with too many people; reward access thoughtfully 3. Educate your employees to avoid compromising company security policies 4. Treat all calls, emails, or text messages as suspicious unless you’re 100% 5. Have multiple defence layers to frustrate attackers' efforts 6. Keep your systems secure with software patches and updates for vulnerabilities 7. Don't open suspicious emails- hover over content URLs first 8. Don’t click links you don’t request 9. Be cautious of online-only friendships 10. Remember the signs of social engineering 11. Use two-factor authentication and multifactor authentication - an authenticator app or security key 12. Consider a password manager 13. Set high spam filters 14. Don’t allow strangers on your Wi-Fi network 15. Use a VPN 16. Monitor your account activity closely 17. Don’t leave devices unattended

Question 17

Why Security Awareness Training is important?

Accepted Answer

Security awareness training teaches employees how not to become a target of malicious hackers and not let cybercriminals accessing company resources. Training includes topics such as: 1. What information not to share with strangers over the phone or via email 2. How to protect passwords and usernames 3. How to recognize phishing emails, phone calls, or text messages.

Cyber Security Blog

What Can You Expect To Pay For Penetration Testing?

My Thoughts on OWASP Top 10 2021

Congrats Anna Zhmurko on Successful OSCP Certification!

13 Tips to Secure Your Small Business from Cyberattacks in 2021

Kostiantyn Korsun about Cybersecurity Strategy of Ukraine for 2021-2025 at NoNameCon

Andriy Varusha at NoNameCon: “Dzień dobry, you’re hacked”

NoNameCon Cybersecurity Conference: Why Should You Come?

Announcing the Web Application Pentester Training

BSG Sponsors OWASP 20th Anniversary Celebration

Top Posts