Question:
When it comes to planning an effective attack, many key factors come into play, such as a target; for this example, our victim is an individual. Our attack is going to be based on information stolen from a mailbox. For this scenario, the information that was stolen is a bank statement, which contains a plethora of information like account numbers, transaction history, the account holder's name, and the bank that holds the account. For this next step we are going to need the customer support number for that bank; let's say it's Bank of America. Locating this number is just a simple Google search. Now we need the victim's phone number. This can be a little difficult to obtain; a good place to start is social media, since sometimes people have their pages set to public with their phone number on them. To make this post a little shorter, we'll say that the number was on their Facebook.
With this information the attack can now commence, but before the siege begins, we need to create a spoofed VoIP number matching the customer support number for the bank; this is referred to as caller ID spoofing. Now that we have a spoofed number, it's time to call our potential victim and tell them that suspicious activity has been detected on their account. The first part of this conversation is to confirm you have your planned target before you reveal why you called. Next, you need to gain their trust: ask them to confirm their account by telling them the account number. This will give them a false sense of security, because giving the correct number makes the attack sound legitimate.
After that, ask them to confirm forms of identification such as their social security number and the login and password for the account. Once the information has been given, tell the target "thank you for confirming", then proceed to read off some of the charges in the bank statement that "tripped the algorithm". Once they confirm whether the charges are theirs, you want to reassure them that the algorithm has been flagging transactions incorrectly; blame the software for the problem. Apologize for the inconvenience and ask if they need anything before the call is ended. After the call is over, the information is yours to do with as you will.
1. Review this post and, for each principle example given, provide a recommendation and/or countermeasures the intended target should take to minimize the risk of falling for the social engineering attack.
Examples of Performing a Social Engineering Attack