Social Engineering: Antivirus Does Not Protect The Mind 1

Last week a colleague was introduced to a supposed Jumia e-commerce marketing platform where one pays a certain amount to promote content from “Jumia” and receives a commission of up to 30% of the original investment. This percentage goes up as you increase your investment. With the economic realities of Nigeria, 30% ROI in 24 hours is a very juicy offer. With so much excitement to become a millionaire, my colleague who didn’t know at the time that he was about to become a victim of fraudulent tricks targeted at his mind, quickly invested thirteen thousand naira and watched his money grow to nineteen thousand naira.

He came to work excited, believing he is on his way to becoming a millionaire. However, this imagination came to a sudden end when he was required to pay an additional thirty-two thousand naira. As a result, he decided to withdraw the returns on his first investment. Alas, he was unable to do so!

He immediately called Jumia customer support to lodge a complaint. To his surprise, Jumia denied knowing the platform or having any affiliation with the platform.

This was when he realized he had just been scammed.

What is Social Engineering?

Social engineering is a type of cyberattack carried out by manipulating an individual into believing a false truth.

It leverages the weakness of an individual to gain confidential information. According to The Human Factor Report 2022, 99% of all cyber attacks use the social engineering trick.

The common type of hacks we are familiar with involves our computers being infected with viruses and other malware. But here, the goal is to hack the mind of the individual and it usually does not involve sophisticated tools. This can be dangerous because a successful “hack” of an individual in an organization can provide information to compromise the whole organization or launch a series of successful attacks on associated third-party organizations.

This type of attack will be unnoticed by intrusion detection systems, malware detection systems, antivirus and many other security systems hence the saying “ANTIVIRUS DOES NOT PROTECT THE MIND”.

As a means to fortify our minds against such attacks, I made a list of some of the possible ways this attack can happen;

1. Angler Phishing: Unlike other traditional phishing attacks that use emails, angler phishing uses social media. This is done by creating fake social media accounts of companies or individuals to deceive their customers/fans into giving out confidential information or making payments for services.

   I recall learning of someone I know who paid into a fake Pastor's account after receiving a Facebook message from the said account asking her to make donations to a certain orphanage as instructed by “God”.

2. Business Email Compromise (BEC): This type of phishing is mostly targeted at management staff in an organization, tricking them into sending money or divulging confidential company information.

   In 2022, officials of the City of Lexington received an email claiming to be from the Community Action Council(a local housing group) with a request to update the organization’s bank account information. Lexington eventually sent a total of $4 million in federal rent assistance and transitional housing funds to the fraudulent account.

3. Spear Phishing: This is very difficult to detect as it is targeted at specific individuals or organizations. Before this kind of attack is carried out, an investigation is usually carried out to get information on the individual or organization, then a convincing message is usually sent via email using this targeted information.

4. Baiting: Just as the name implies, it is done by using false promises to lure a victim into a trap, which may steal personal and financial information or infect the system with malware.

5. Whaling: Also popularly called CEO Fraud. This type of attack is reserved for specific important or high-profile individuals as the name implies. It also uses email or website spoofing to get compromising information about the individual or organization by pretending to be another influential or senior individual in the organization.

6. PiggyBank/Tailgating: This occurs when an authorized person allows an unauthorized individual to access a certain restricted area.

   This can include allowing unauthorized person access to restricted areas on the premises and it can also mean allowing a relative, friend or acquaintance to access company devices that may put your device at risk or spread confidential information.

7. Quid Pro Quo Attacks: The name “Quid Pro Quo” means “something for something”. This type of social engineering occurs when the attacker promises the victim a favor in exchange for information or other benefits.

Above are some of the porpular ways social engineering can happen.

Want to know how to protect yourself against Social engineering? Watch out for the next article on identifying ways to fortify the mind against social engineering attacks.