Ryan Huy Nguyen
1st Prize Winner: $200
ABF Honor Award, 2021 ($1,000 + Laptop), Troy High School, Fullerton Unified School District, Orange County
Currently enrolled at the University of California - Irvine: Civil Engineering
How Do The Hackers Target The End-Users?
In the cybersecurity industry, the professionals are trained to combat online attackers by implementing countermeasures to protect online users, from patching old and unsanitary code in programs to limiting privileges on important servers and computer systems. Despite their work, they are not able to protect everyone, as there is another factor in play that is an attack vector: human nature.
The concept of social engineering describes the range of techniques that online attackers use to extract sensitive information from those who they choose to target. In essence, these attacks aim to use human language to manipulate people to think that they are conversing with an authoritative or personal figure online in order to persuade the targets to expose themselves to them. The most common type of social engineering attack is called phishing. The idea of phishing is that the attacker targets a certain person to interact with them and persuade them to give their information to them.
In my experience, I often get phishing attacks from my SMS messages or emails. I will sometimes get messages about the IRS having to come for me for my tax returns or selling my car to someone at an unknown address. The way that I can tell that these messages are social engineering attacks is that I don't associate myself with such matters and know that I don't have any concern with any of those matters. Then, I remove the messages and block the senders on my phone or email so that I don't see them anymore. I have seen more sophisticated attacks, asking for my personal information to apply for scholarships or telling me that I had won an item like an iPad from some sweepstakes I supposedly entered. In this case, I thought about what scholarships I applied for and knew that I didn't apply for any of the scholarships they mentioned and the sweepstakes that I supposedly entered, so like the other messages, I blocked the senders. Some of the messages had links to websites, but by looking at the links, I was able to tell that the websites were malicious.
The most convincing attack that I have seen by far comes from an email that I received from a self-proclaimed scholarship organization. The organization told me that I was selected to be part of their program, and they told me to enter my personal information into their website to pay for a monthly subscription to the program so that I can receive its benefits. They gave me the link to their website, and I used site checkers to check the validity of the link, and the site checkers did not see any viruses. The website was well made, and it seemed legitimate. However, looking at what scholarships I applied for, I understood that this scholarship organization was not one of those organizations I applied to, so I removed their message and reported them as spam on my email.
For those that are Internet users, there are several aspects to consider when looking at messages on the Internet. First, check the credibility of the senders. Look at the email address of the sender or the name of the organization the sender poses as, and if it is a name that you may not know and trust or the address does not look legitimate, ignore or block their message. Understand the situation that you are in and what online actions you made recently to make more informed decisions on continuing to read and take action on a message. If you are given a link in the message, check that it has a ".com," ".org," ".gov," or ".edu" in its address, otherwise it may be an untrusted website source. In addition, check the minor details of the message such as whether or not it has formal grammar and spelling, as they can be indicators that the message sender is from a foreign country.
Now, even though you know now about how to protect yourself online from social engineering attacks, there are still an unprecedented and growing number of individuals online that do not know about these techniques to prevent themselves from the attacks. For businesses, this is a major issue, as there are several people who work in those businesses and can be attacked vectors for those who want to infiltrate the companies and harm and harm their production. So, the best way to implement countermeasures to these attacks is to use end-user education. End-user education is the process of informing people who use a certain product about the dangers of using the said product and how to mitigate and prevent such dangers from affecting them. In the cybersecurity aspect, the product, in this case, is the Internet, so Internet users will have to be informed about how to protect themselves from social engineering attacks. Organizations can create newsletters and information sessions for those who may not know about social engineering to better inform them, and businesses can create information sessions for their employees so that they are better prepared in social engineering situations. At the local level, there are many efforts that can be done to inform the people around you. When I was a part of my cybersecurity program in high school, I taught young adults and children as young as kindergarteners about how they can determine whether or not someone is dangerous to them or their parents online, helping them to protect themselves and the people they know from phishing attacks. At my current university, there is a week reserved for learning cybersecurity, and in that week they host information sessions about how they can protect themselves from these attacks.
In the end, the safety of the Internet users depends on the knowledge of the Internet users themselves. In order to mitigate and stop the social engineering efforts, people have to inform each other of how to best conduct themselves on the Internet, from checking the sources that they visit changing their passwords. With collective efforts, the Internet will become a safer place for all.
Works Cited
Phishing & content protection: Endpoint security. Lookout. (n.d.). Retrieved February 7, 2022, from https://www.lookout.com/products/endpoint-security/phishing-and-content-protection