Against Digital Deception
Defending against digital deception involves a multi-faceted approach that includes the use of machine intelligence to detect and characterize influence operations, as well as developing strategies to counteract misinformation and disinformation.
Here’s a breakdown of the key strategies:
Detection
Utilizing deep learning models to identify misinformation and disinformation across various languages and media formats. This also involves psycho-linguistic analysis to understand the broader categories of deception¹.
Characterization
Analyzing user behavior and the spread patterns of deceptive content to identify vulnerable subpopulations and measure the speed and scale of diffusion¹.
Defense
Implementing machine translation and text generation models to create real-time defenses against digital deception. This includes translating the style of misleading content into credible and non-credible forms and generating content characteristic of news sources with varied credibility.
Education
Strengthening critical thinking and digital literacy to help individuals recognize deceptive tactics and respond appropriately.
Prevention
Reporting and preventing manipulation through individual and platform-level actions, such as fact-checking and source verification to fortify Open-Source Intelligence (OSINT) skills.
Technology
Embracing the synergy of human intuition and artificial intelligence to navigate the challenges posed by technologies like deepfakes, which can create highly convincing false content.
The Battle Against Social Engineering and Phishing
What Does Social Engineering
Social engineering refers to a wide range of attacks that leverage human interaction and emotions to manipulate the target. During the attack, the victim is fooled into giving away sensitive information or compromising security. A social engineering attack typically takes multiple steps. The attacker will research the potential victim, gathering information about them and how they can use it to bypass security protocols or get information. Then the attacker does something to gain the target’s trust before finally manipulating them into divulging sensitive information or violating security policies.
How Does Social Engineering Work?
In this definition of social engineering, a social engineering attack begins with the attacker figuring out what they want from an organization or person. They then study the behavior or likes and dislikes of a human target to figure out how best to exploit them. Then the hacker will execute the attack, trying to gain access to sensitive data or secured networks or systems.
Human Behavior Misused for Committing Social Engineering Attacks
There are certain traits that are endemic to human behavior that social engineering cyberattacks seek to exploit.
Liking
People have a tendency to give more credibility to those they like than those they do not. To exploit this, a social engineering attacker may try to appear trustworthy, attractive, or like someone who shares similar interests.
Reciprocity
have been given something. Social engineering attackers abuse this tendency by offering advice, something exclusive, or personalizing their offer to make the target feel obliged to give something back.
Commitment
After someone commits to a course of action, they feel obligated to stick with their decision. An attacker using social engineering tools can exploit this by having the victim agree to small things before asking them for something bigger. They may also have them agree to an action before its risks are obvious.
Social Proof
People are far more likely to get behind a product if other people they trust have endorsed it. Attackers may use social networking to exploit the social proof concept by claiming that the victim’s online friends have already endorsed an action, product, or service.
Authority
People naturally tend to trust authorities more than those with less experience or expertise. Hence, an attacker may try to use phrases such as “according to experts” or “science proves” to convince a target to agree to something.
How Did Social Engineering Attacks Evolve?
Despite the existence of so many modern social engineering examples, the practice actually has a long history—dating back to the 18th century.
French Noblemen
After the French Revolution, prisoners in France falsely claiming to be valets for French noblemen sent out letters that claimed they had hidden their master’s vast treasure and would provide a map to help the recipient find it. In return for this “priceless” information, they would request a modest amount and hoped for a little preferential treatment. While computers were centuries from being invented, this kind of scam certainly fit the common social engineering definition.
European Nobleman
These kinds of early social engineering attacks continued with a similar prison-based scam involving someone incarcerated in Spain. The convicted would write a letter claiming to be a European nobleman who had been wrongly imprisoned. The bars not only kept him from freedom but also from his impoverished daughter, who needed him free to survive. The letter would ask the recipient for enough money to secure the prisoner’s release while promising a handsome payment—far more than what the recipient provided—as soon as the prisoner saw the light of day.
What is social engineering today?
As time passed, the technologies and text changed but the psychological manipulation did not—as could be seen in the Nigerian Prince scam. The social engineering toolkit for this scam simply involves an email account and some faked documents. Someone pretending to be a Nigerian prince claims there is money locked away that they cannot access without help. If the recipient gives them the cash they need to bribe officials or pay the fee needed to gain access to the funds, the “Prince” will share the loot with the recipient. Of course, there never is any money at all, and anything the target wires never gets returned.
Social Engineering Fraud Attack Techniques
Baiting
A baiting attack attempts to draw in a victim by promising something that appeals to their sense of curiosity or greed. This lures the target into installing or clicking on something that ends up putting malware, such as that used for pharming or spyware, onto their system.
Scareware
Scareware bombards a target with fake threats or false alarms in the hopes that their natural inclination to protect themselves or something they value drives them to taking the desired action. One of the more common types is using realistic-looking banners warning that their computer may be infected with a virus or some other kind of malware.
Pretexting
In an attack that uses pretexting, the attacker lies to the victim regarding their identity. After they have gained the target’s trust, they trick them into handing over sensitive information.
Phishing
In a phishing attack, the attacker creates a sense of urgency or appeals to the victim’s curiosity. They then either get them to click on a malicious link or provide private information via a form.
Spear Phishing
In a spear phishing attack, the victim is specifically targeted, and the attacker often performs extensive research ahead of time. Once the attacker knows how to manipulate the victim, they launch the attack, phishing for information, credentials, or sensitive data.
Water Holing
In water holing, the attacker tries to compromise a targeted group of individuals by infecting sites they trust. The attacker may focus on sites that the people visit frequently, knowing they are likely to feel safe on those pages.
Quid Pro Quo
In a quid pro quo attack, the attacker pretends to provide something to the victim in exchange for information or a specific action. For example, the attacker may pretend to be someone from tech support and then convince the target to enter commands or download software that installs malware onto their system.
Honey Trap
In a honey trap attack, the social engineer assumes the identity of an attractive person. They then engage in a relationship with the victim online to try to get sensitive information from them.
Tailgating
Tailgating involves the attacker following someone with security clearance into a building. The target either trusts the tailgater or, out of courtesy, holds the door open for them.
Rogue
In a rogue attack, the victim is tricked into paying to have malware removed from their system. The malware is not taken off the system, but the victim still ends up paying the attacker.
Vishing
Vishing, short for voice phishing, uses a conversation over the phone to get financial or personal information from the target. Attackers often hide their identity using spoofing, which changes their caller ID. As with other social engineering tactics, the attacker tries to gain the individual’s trust or uses fear to get them to divulge valuable information.

Well-known Examples of Social Engineering Attacks

Frank Abagnale is probably the most famous example of a social engineering attack. The book and movie Catch Me if You Can depict how Mr. Abagnale impersonated several people, including a doctor, a lawyer, and an airplane pilot to gain people’s trust and take advantage of them.

In 2011, an attacker penetrated the security company RSA by sending phishing emails to groups of employees. The emails had an Excel spreadsheet attached. The spreadsheet had malicious code embedded in it, which used a vulnerability in Adobe Flash to install a backdoor into the system. If the employees had not been socially engineered into opening the file, the attack would not have been successful. Phishing in a pandemic is also common, so users should always be on the lookout.
How To Identify Social Engineering Attacks
To spot a social engineering attack, look for the following signs:

  1. An emotional plea that leverages fear, curiosity, excitement, anger, sadness, or guilt
  2. A sense of urgency around the request
  3. An attempt to establish trust with the recipient

In short, anytime someone tries to get you to provide money or sensitive information through manipulation or coercion, you are being targeted with a social engineering attack.

How To Prevent Social Engineering Attacks
Safe Communication and Account Management Habits
Always be careful when communicating online, and never trust anyone whose identity you cannot confirm. Most importantly, never click on anything that looks suspicious, and never divulge sensitive information.
Never Click on Links in an Email or Message
Instead of clicking on a Uniform Resource Locator (URL), type it in manually in the address bar. Double-check the origin of all URLs before clicking on them, and if you cannot verify their legitimacy, avoid them.
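One way to automate the "double-check the origin" step for HTML email is to compare what each link displays with where it actually points. This is an added example, not code from the original article; the function names, reason labels, and the sample message (reserved `.example`/`.test` names and a documentation IP range) are all constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: reserved .example/.test names, TEST-NET-3 address.
SAMPLE_HTML = """
<a href="https://www.bank.example/login">www.bank.example</a>
<a href="https://bank.example@login.attacker.test/reset">https://www.bank.example/reset</a>
<a href="http://203.0.113.7/invoice">View invoice</a>
"""
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return reasons why the link's real origin needs a second look."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    # "user@host" URLs put a familiar-looking name before the real host.
    reasons = ["userinfo-before-host"] if parts.username is not None else []
    try:
        ipaddress.ip_address(host)  # raw IP address instead of a named site
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    # If the visible text names a domain, the href must point at it or a subdomain.
    shown = DOMAIN_RE.search(text)
    shown_host = shown.group(1).lower() if shown else host
    if host != shown_host and not host.endswith("." + shown_host):
        reasons.append("text-host-mismatch")
    return reasons

def audit_email_html(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}
```

An empty reason list only means none of these three checks fired; it does not establish that the destination is legitimate.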
Multi-factor Authentication (MFA)
Using more than a password to access an account can help prevent social engineers from breaching a system. This could include biometrics or temporary passwords sent through a text message.
Using Strong Passwords and a Password Manager
Your passwords should be both complex and unique, never repeated for more than one site or account. You can use a secure password manager to organize them and have them available when needed.
Be Cautious of Building Online-only Friendships
A relationship that does not include any in-person interaction or phone conversation can easily be used for social engineering in 2021. Beware of anyone who wants to interact solely online.

Safe Network Use Habits
Never Let Strangers Connect to Your Primary Wi-Fi Network
Allowing someone to access your primary Wi-Fi network leaves it open to eavesdropping. To prevent this, use a guest network for those who visit your office or home.
Use a VPN
A virtual private network (VPN) provides you with a secure, encrypted tunnel through which communications pass. Even if someone were to snoop on your communications, the VPN would encrypt the transmissions, rendering them useless for the attacker.
Keep All Network-connected Devices and Services Secure
While your Wi-Fi connections at and around the office are likely secured, as are your mobile devices, it is important to not neglect other devices such as infotainment systems in your car. Getting within these systems can help a social engineer further personalize their attack.

Safe Device Use Habits
Use Comprehensive Internet Security Software
Internet security software can protect your system from malware that gets implanted via a social engineering attack. Some security solutions can also track the source of the attack, which can be reported to authorities to aid in their investigation of the crime.
Do Not Ever Leave Your Devices Unsecured in Public
Your computer and mobile devices should always be locked up or securely on your person. This holds true whether you are in a public place or a semi-public environment like your job.
Keep All Software Updated
Software updates help ensure your applications are impervious to the newest kinds of attacks on the landscape. After an attack has been successful, the software’s design team may address the vulnerability in an update, so frequent updates provide you with the most up-to-date security.
Check for Known Data Breaches of Your Online Accounts
Some companies keep track of accounts that have been compromised by hackers. If your account information is on their list, take steps to secure it by changing your password or adding MFA.

Conclusion
Defending against social engineering attacks requires a comprehensive approach that combines technological solutions with user education and awareness. By leveraging machine intelligence for detection and characterization, organizations can better identify and mitigate deceptive tactics. Educating individuals about the signs of social engineering, promoting critical thinking, and encouraging safe communication habits are essential for preventing successful attacks. Additionally, implementing robust security measures such as multi-factor authentication, strong password management, and network security protocols can further bolster defenses. By staying vigilant and adopting proactive measures, individuals and organizations can reduce the risk of falling victim to social engineering scams and protect against digital deception.

 

 
