What is social engineering, the hacker’s hidden talent?


Hacking skills are not always enough to break through security. To get somewhere, hackers sometimes have to be masters of manipulation. Many famous cyberattacks started with simple identity theft.

September 2022. An 18-year-old hacker contacts an Uber employee, posing as the company’s IT department. A few hours later, the ride-hailing leader suffers the largest cyberattack in its history. Internal discussions and confidential files leak on the darknet. Deceiving the victim, convincing him, reassuring him, in short, being a talented charlatan, is part of the malicious hacker’s arsenal.

We talk about social engineering when the hacker attempts to exploit human error to obtain private information. Rather than trying to break in and find a loophole, the criminal directly asks the victim to open the door for him. To do this, the attacker can also research his target beforehand (analyzing his position, his occupations and his assignments, and monitoring his social networks) to make his approach look more legitimate.

Social engineering schemes

Businesses are prime targets, due to the high revenue criminals can make from a cyberattack against them, and employees are a natural gateway to infiltrate the company’s system. There are several techniques:

  • The president scam: a classic. The criminal pretends to be the CEO of the company and asks for a wire transfer or bank details for an urgent financial transaction. In January 2022, hackers managed to steal 33 million euros from a real estate development company with this technique.
  • Technical service: a problem with your email, an update on your computer; the "IT department" contacts you and explains that it must run a small operation. This method is one of the most widespread today, in particular to bypass two-factor authentication. The hacker will send a connection request and will ask the victim to type in their code. Campaigns of this kind have already been carried out against hundreds of employees, and inevitably some end up falling for it.
  • The job offer: this method has targeted many members of intelligence services and people in sensitive sectors (defence, cyber, energy). Russian and North Korean hackers, linked to their respective governments, are known to have created fake recruiter accounts on LinkedIn to then contact specific targets. The goal is to make them download a fake job offer in order to spy on them afterwards. Sometimes it’s just about retrieving information.
  • Vishing: a phone call from the bank or a partner asks you to enter your two-factor authentication code. The number that appears is that of your advisor and, naturally, you comply. Phone number spoofing is becoming more and more widespread and can target anyone on a daily basis.

Work on your role

Social engineering is used in many industries besides hacking. In sensitive industries, for example, candidates will be asked to drop a note on the CEO’s seat and they will have to bypass all the company’s security measures to do so, ethical hacker Baptiste Robert tells us.

The same goes for hackers: when they want to infiltrate a company, they work on the language and the codes used in that environment so as not to arouse suspicion when they talk with their target, he adds. Thus, thugs working on behalf of authoritarian regimes have already been spotted after posing as journalists or researchers for several months.

A Russian hacker also pointed out that the lack of women in “the trade” was a problem: “We’re looking for female voices on the forums to usurp the call centers. It is generally women who respond to complaints.” In all tech professions, we suffer from the absence of women. Including in the most malicious branches.
