
Lecture 2 - Introduction To Cybersecurity

The document provides an overview of social engineering attacks, particularly focusing on phishing, which involves tricking individuals into revealing personal information or clicking on malicious links. It details various types of phishing attacks, such as email phishing, smishing, vishing, and AI phishing, along with statistics highlighting the prevalence and impact of these attacks. Additionally, it offers guidance on recognizing phishing attempts and protecting oneself from such cyber threats.

Uploaded by Abdullah Emam

Introduction to Cybersecurity

Lecture 2: Social Engineering Attack

A social engineering attack is when a web user is tricked into doing something dangerous online.

Phishing is one of the most prevalent forms of social engineering.

Sources: https://developers.google.com/ and https://www.tripwire.com/
Phishing Attacks

1. What is Phishing?
2. How does it happen?
3. Can it happen to me?
4. What can I do?
What is Phishing?

Phishing is a cybercrime where attackers try to trick you into giving away personal information or clicking on malicious links. They use fake emails, texts, phone calls, or websites that look legitimate to lure you in.
A phishing message is designed to trick you into doing one of these four things:

1. Click on an unsafe link
2. Open an unsafe file
3. Type your password
4. Transfer funds
Cyber attackers phish for different reasons, but they all phish.

• Criminals: money, fraud, identity theft
• Intelligence: sensitive data, network access, infrastructure
• Hacktivists: public web pages, social media
Understanding the Role of Emotions in Phishing

Phishing, Social Engineering Cyberattack

Phishing relies on social engineering, which is manipulating people. Unlike other cyberattacks that directly target computer systems, phishing scams target you, the human user. They use fake stories, pressure tactics, and a sense of urgency to trick you.

Image source: https://www.linkedin.com/pulse/cracking-code-understanding-role-emotions-phishing-beamteknoloji-fsftf/


Frequently Manipulated Emotions

• Curiosity (الفضول): Emails with intriguing offers exploit our natural curiosity, tricking us into clicking malicious links.
• Greed (الجشع): Promises of easy money or great deals tempt us to ignore red flags and click on suspicious links.
• Fear (الخوف): Urgent emails threatening account suspension or legal action prey on our fear, making us act impulsively.
• Helpfulness (المساعدة): Attackers manipulate our willingness to help by creating fake requests that exploit our helpful nature.
• Authority (السلطة): We tend to follow instructions from figures of authority, a tactic hackers use to trick us into performing actions.
• Overconfidence (الثقة المفرطة): Overestimating our ability to spot phishing emails leaves us vulnerable to cleverly crafted attacks.
Types of Phishing Attacks

1. Email Phishing (spear phishing)
• Description: The most common type of phishing. Attackers send emails disguised as legitimate companies (banks, credit cards, etc.) or people you know (colleagues, bosses).
• Example: You receive an email from your "bank" claiming suspicious activity on your account. It urges you to click a link to verify your information. But clicking the link takes you to a fake website designed to steal your login credentials.
2. Smishing
• Description: Phishing via SMS text messages. Attackers send messages that appear to be from your bank, mobile carrier, or other trusted sources.
• Example: You receive a text from your "mobile carrier" stating your account is overdue and will be suspended if you don't click a link to make a payment. Clicking the link leads to a fake website to steal your credit card information.
3. Vishing
• Description: Phishing over voice calls. Attackers impersonate representatives from banks, tech support, or other trusted organizations.
• Example: You receive a call from someone claiming to be from "tech support" warning you of a virus on your computer. They ask you to give them remote access to fix the problem, but instead, they install malware to steal your data. Jamtara is a classic example.

[Photo by Unknown Author, licensed under CC BY-NC-ND]
4. Angler Phishing
• Description: Phishing attempts on social media platforms. Attackers create fake posts or profiles to lure victims.
• Example: You see a social media post offering a free gift card from your favorite store. Clicking the link takes you to a fake login page designed to steal your account information.
5. Whaling
• Description: A targeted phishing attack aimed at high-profile individuals like CEOs or executives.
• Example: A CEO receives a very convincing email that appears to be from the company chairman, requesting an urgent wire transfer for a confidential business deal. The email uses information obtained through social engineering to appear legitimate.
6. AI Phishing
• Description: Leverages generative artificial intelligence (AI) tools to craft phishing messages. These tools produce customized emails and text messages that are free from spelling errors, grammatical inconsistencies, and other typical phishing red flags.
• Generative AI also enables scammers to scale their operations significantly. According to IBM's X-Force Threat Intelligence Index, crafting a phishing email manually takes a scammer around 16 hours. With AI, they can create even more convincing messages in just five minutes. Scammers also use image generators and voice synthesizers to enhance the credibility of their schemes.
• Example: In 2019, attackers used AI to clone the voice of an energy company CEO, successfully scamming a bank manager out of USD 243,000.
7. Typo Squatting (التلاعب بالأخطاء المطبعية): Creating fake websites using similar domain names by taking advantage of users' typos.
8. Business Email Compromise (BEC) (اختراق البريد الإلكتروني التجاري): Hijacking and fraud of business email accounts.
9. Watering Hole Phishing: Placing malware on trusted sites frequented by a specific group or organization.
10. Website Spoofing: Creating fake copies of legitimate websites to deceive users.
11. Image-Based Phishing: Images that contain malicious links or are designed to deceive users are used.
12. Clone Phishing: Re-sending an email containing a malicious link or attachment by creating a copy of a real message.
Statistics say…

• Phishing is the most common way attackers illegally access systems, with an estimated 3.4 billion spam emails sent every day.
• The use of stolen credentials is the most common cause of data breaches.
• Google blocks around 100 million phishing emails daily.
• Over 48% of emails sent in 2022 were spam.
• Millennials and Gen-Z internet users are most likely to fall victim to phishing attacks.
• 83% of UK businesses that suffered a cyber attack in 2022 reported the attack type as phishing.
• Phishing was the most common attack type against Asian organisations in 2021.
• The average cost of a data breach against an organisation is more than $4 million.
• One whaling attack costs a business $47 million.

Source: https://aag-it.com/the-latest-phishing-statistics/
Signs of Phishing

Phishing messages are designed to get you to react quickly without thinking too much. Common hooks:

• Sense of urgency
• Offers of money
• Confirmations
• Odd requests
• Rewards
• IT support

Phishing messages usually contain spelling errors, generic texts, fake URLs or websites:

• Spelling errors
• Generic messages
• Fake URLs
Email Phishing Attacks

#1 The Wire Transfer (التحويل البنكي)
Manohar Majesh / Harleen Heena / "Transfer Problem"
Hello Manohar,
I am trying to get payment to a vendor. It is important they get paid by close of business. Can you please transfer 17,540 to…

#2 The IT Support Alert
IT Help / Larry Page / "Suspicious Activity"
Hello Larry,
Your computer has been infected with the GoNowe2.0 Malware that you saw on the news. You must Click Here to use our scan within 12 hours and be safe.

#3 Confirm Now!
Amazon Shoppers / Parminder / "Package Damaged"
Dear Parminder,
We apologize in advance, but your recent order was damaged in delivery. We are unable to issue a refund until you confirm account details with this form.

#4 Password Reset
[email protected] / Mumtaz Baigh / "Password Compromise"
Dear Mumtaz,
Your account has been locked due to potential compromise. You must go to this site to secure your account.
kiMail Secure Reset

#5 Cry for Help
[email protected] / Latika Kumari / "HELP!!!"
HI,
I need to submit this file for class but it won't open on my computer. Can you PLEASE (!) save it as a PDF and send to me???

#6 Commercial Attack
[email protected] / Sandeep / "Your account"
Premium User,
Your electronic invoice is attached. This file is intended only for the recipient and is considered confidential.
This is not my document.
Smishing Attack
Vishing Attack
Angler phishing Attack
Real Life Examples

• In early 2020, a branch manager of a Japanese company in Hong Kong received a call from a man whose voice he recognized—the director of his parent business. The director had good news: the company was about to make an acquisition, so he needed to authorize some transfers to the tune of $35 million. A lawyer named Martin Zelner had been hired to coordinate the procedures and the branch manager could see in his inbox emails from the director and Zelner, confirming what money needed to move where. The manager, believing everything appeared legitimate, began making the transfers.
Source: https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/?sh=5cb443947559

• The European company, which operates shops under the Pepco, Poundland and Dealz brands, said that the company lost approximately €15.5 million in cash as a consequence of the attack.
• "If this is the case, this type of attack is called business email compromise and it involves a fraudster spoofing the email address of a legitimate employee within an organization and then sending out correspondence to other people in the business, mostly those who work in accounting or finance departments, and asking them to urgently pay an invoice or process a payment."
Source: https://www.helpnetsecurity.com/2024/02/28/pepco-phishing-bec-attack/

• In 2022-23, a global scam targeting WhatsApp users with fake job offers defrauded people out of an estimated €100 million. Victims received phishing messages impersonating reputable firms, promising lucrative jobs paid in cryptocurrency, leading to significant financial losses.
Source: https://www.euronews.com/next/2023/10/23/behind-the-global-scam-worth-an-estimated-100m-targeting-whatsapp-users-with-fake-job-offe
RSA
In 2011, the United States' defense suppliers were breached when security firm RSA fell victim to spear phishing due to an Adobe Flash vulnerability. Disguised as recruitment plans for that year, the email targeted mid-level employees with just one line of text: "I forward this file to you for review. Please open and view it." Only one employee had to open the email for phishers to gain backdoor access on the victim's desktop. The phishers then managed to bypass the company's SecurID two-factor authentication to steal company data.

https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History
2018 World Cup
The Federal Trade Commission released this statement regarding phishing attempts
during the 2018 World Cup in Russia. The scam claimed the victim won tickets to
the World Cup through a lottery and prompted them to enter their personal
information to claim the prize.

At the same time, a handful of rental scams were reported as well. Cybercriminals
stole the email addresses of genuine landlords in Russia and offered ridiculously low
prices for their properties during the sporting event. Once a "lucky buyer" accepted
the offer, his or her credit card information was stolen.

https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History
Facebook & Google
This is a huge one. Two of the world's largest tech giants, Facebook and Google, lost
$100 million in this single email scam from Lithuania. While an arrest was made,
the story shows that even the most advanced tech entities are susceptible to
phishing attacks.

https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History
What should I do if I get a phishing email?

Click / Delete / Report

What happens if I click?

1. Stolen data, password leak, identity theft, account takeover, remote access
2. Ransomware, data destruction, network compromise, password stolen, malware installed

What happens if I delete?

You're safe… for now.

What happens if I report?

• Review links
• Block domains
• Check accounts
• Remove messages
Where to report?

The Chakshu portal is a platform developed by the Department of Telecommunications (DoT) to report suspicious communication, such as fraudulent calls, SMS, or messages on social media like WhatsApp.
https://sancharsaathi.gov.in/sfc/
How to Protect Ourselves

1. Keep Security Software Updated: Regularly update security software, firewalls, and network protections to defend against malware.
2. Implement Two-Factor Authentication: Use Multi-Factor Authentication (MFA) to add extra security to accounts.
3. Regularly Update All Software: Keep all software, including operating systems and applications, up to date with the latest security patches.
4. Educate: Inform and educate students, friends and family about the latest phishing techniques.
5. Verify Websites: Use reputable search engines and verify the authenticity of websites before entering sensitive information.
6. Adjust Social Media Privacy Settings: Limit who can view and contact you by adjusting privacy settings.
7. Verify Requests Through Secondary Channels: Confirm significant requests, especially those involving finances, through secondary means.
8. Use Secure Communications: Ensure sensitive transactions are conducted over secure and encrypted communications.
9. Be Skeptical of Unsolicited Requests: Approach unsolicited requests for information with caution.
10. Monitor Accounts Regularly: Regularly check financial and personal accounts for unusual activities.
11. Regularly Change Passwords: Change passwords frequently and use strong, unique passwords for each account.
12. Use Anti-Malware Software: Deploy anti-malware solutions to detect and remove malicious software.
13. Mail Security for Organizations: Implement advanced mail security solutions like spam filters and email authentication protocols.
If you aren't sure…

"Please Click Here To Confirm."

Or:

• Skip the link
• Ignore the file
• Go to the source
Thank you
