Email Spoofing and Spear Phishing (en)

From OnnoWiki

Social Engineering: Manipulating Humans to Gain Access

Social engineering is a psychological manipulation technique used by cybercriminals to gain sensitive information or access to systems. The perpetrators often impersonate trusted individuals or organizations to convince victims.

Email Spoofing and Spear Phishing are two of the most common social engineering techniques used. Let's discuss them one by one.

Email Spoofing

Email spoofing is a technique in which the perpetrator fakes the sender's email address to make it look like it came from a trusted source. The goal is to get the victim to open the email and take the desired action.

Examples:

  • Posing as a Bank: The perpetrator sends an email that appears to be from the victim's bank. The email contains a warning about suspicious activity on the account and asks the victim to click a link to verify their identity. The link actually leads to a phishing site designed to steal the victim's login information.
  • Posing as a Company: The perpetrator sends an email that appears to be from the company where the victim works. The email contains important information that must be accessed immediately via an included link. The link actually leads to malware that will infect the victim's computer.

Spear Phishing

Spear phishing is a more targeted form of phishing. The perpetrator does research on their target first to create a very personal and convincing email. The email often contains information that is relevant to the target, making it harder to detect as phishing.

Examples:

  • Employee Target: The perpetrator sends an email that appears to be from the victim's boss. The email contains a request to make an immediate fund transfer. Because the email looks very official and comes from a trusted boss, the victim is likely to follow the order without suspicion.
  • Company Target: The perpetrator sends an email that appears to be from a vendor that frequently works with the target company. The email contains a fake invoice and asks the victim to make an immediate payment.

How Does This Attack Work?

  • Research: The attacker researches the target to get relevant information, such as their name, job title, company, and online activity.
  • Create an Email: The attacker creates an email that looks very convincing using a company email template, logo, and formal language.
  • Send an Email: The message is sent to the target via email or another communication platform.
  • Lure the Victim: The attacker lures the victim into clicking a link, opening an attachment, or providing sensitive information.
  • Execute: Once the victim has taken the desired action, the attacker can do things like infect the victim's computer with malware, steal login information, or transfer funds.

How to Prevent Social Engineering Attacks

  • Beware of Unknown Emails: Never open emails from unknown or suspicious senders.
  • Verify the Sender: Always verify the sender's identity before opening a link or attachment.
  • Be Careful: Do not readily trust emails that ask you to provide sensitive information or take urgent action.
  • Use Security Apps: Use antivirus and firewall apps to protect your devices.
  • Conduct Security Training: Conduct regular security training to raise employee awareness of social engineering threats.

Conclusion

Social engineering is a serious threat to cybersecurity. By understanding how these attacks work, you can take steps to protect yourself and your organization.

Interesting Links