This set covers definitions, techniques, and countermeasures related to Social Engineering and Identity Theft based on the ITE490 lecture notes.
Social Engineering (SE)
The art of convincing people to reveal confidential information; it usually relies on the fact that people are unaware of the value of the information they hold and are careless about protecting it.
Human-based Social Engineering
A type of social engineering that gathers sensitive information through person-to-person interaction.
Computer-based Social Engineering
Social engineering carried out with the help of computer software that attempts to retrieve desired information.
Mobile-based Social Engineering
Social engineering carried out with the help of mobile applications, such as publishing malicious apps with attractive features.
Impersonation
A common human-based technique where an attacker pretends to be a legitimate or authorized person to trick a target into revealing sensitive information.
Eavesdropping
The unauthorized listening of conversations or reading of messages by intercepting audio, video, or written communication.
Shoulder Surfing
Direct observation techniques, such as looking over someone's shoulder or using binoculars, to obtain information like passwords, PINs, or card numbers.
Dumpster Diving
Searching through someone else's trash for discarded documents or media (printouts, sticky notes, old drives) that contain sensitive information.
Reverse Social Engineering
A situation where an attacker presents themselves as an authority (e.g., tech support) so that the target seeks their advice and offers information voluntarily.
Piggybacking
When an authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, such as when someone claims to have forgotten their ID badge.
Tailgating
When an unauthorized person, often wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires a key or badge to open.
Pop-up Windows
Windows that suddenly appear while surfing the Internet asking for user login or sign-in information.
Hoax Letters
Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm their system.
Chain Letters
Emails that offer free gifts like money or software on the condition that the user forwards the mail to others.
Spam Email
Irrelevant, unwanted/unsolicited email used to collect financial information, social security numbers, and network information.
Phishing
An illegitimate email that falsely claims to come from a legitimate organization and attempts to acquire the user's personal or account information by redirecting them to a fake webpage.
Spear Phishing
A targeted phishing attack directed at specific individuals or a small group in an organization, typically generating a higher response rate than normal phishing.
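The two phishing definitions above describe the mechanics (an email that looks legitimate and a link that leads to a fake page). The following is an added example, not part of the lecture notes, showing how the common indicators can be checked automatically over an HTML email body: the visible link text does not match the link target, the target host is a look-alike of a known brand (digit-for-letter substitutions), and the link uses plain http. The sample message, the trusted-brand list and the homoglyph table are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (hypothetical; not a real message). The first
# link shows one URL but points somewhere else; the second is legitimate.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please confirm at <a href="http://secure-login.paypa1-verify.example/auth">https://www.paypal.com/login</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
"""

# Brands an attacker is likely to impersonate (assumed list for the example).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "google.com"}

# Digit-for-letter substitutions commonly used in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (good enough for the sample data)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the trusted brand this host imitates, or None if it is the real domain or unrelated."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    tokens = re.split(r"[.-]", host.lower())
    for brand in TRUSTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if any(tok.translate(_HOMOGLYPHS) == brand_label for tok in tokens):
            return brand
    return None


def link_indicators(href, text):
    """Indicators for one link: display/target mismatch, look-alike host, plain http."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"displays {shown} but links to {host}")
    brand = lookalike_of(host)
    if brand:
        reasons.append(f"{host} looks like {brand}")
    if parsed.scheme == "http":
        reasons.append("link uses plain http")
    return reasons


def analyze_email(html):
    """Return [(href, reason), ...] for every suspicious link in an HTML e-mail body."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        for reason in link_indicators(href, text):
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_email(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link trips all three checks; the genuine help-center link trips none. A production filter would also consult a feed such as PhishTank and use a real public-suffix list instead of the two-label approximation.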
Insider Attack
A threat from within an organization, such as a disgruntled employee seeking revenge or a competitor's plant spying to steal critical secrets.
Identity Theft
A crime in which an imposter obtains personally identifiable information, such as name, credit card number, or social security number, for fraudulent purposes.
Social-Engineer Toolkit (SET)
An open-source Python-driven tool aimed at penetration testing around social engineering.
Separation and Rotation of Duties
A prevention strategy for insider threats: sensitive tasks are distributed among different employees, and those assignments are rotated periodically, so that no single person has total control over a critical process.
Least Privilege
A security principle where users are granted only the minimum levels of access or permissions needed to perform their job functions.
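Both of the preceding countermeasures can be checked mechanically against an access-control model. The following is an added example (not from the lecture notes) that takes a role-to-permission map, user role assignments and an audit log of permissions actually used, then reports separation-of-duties violations (one person holding a conflicting pair) and least-privilege excess (granted permissions the user never exercised). All roles, users, conflict pairs and log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical; not from the lecture notes).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:edit"},
    "ap_approver": {"invoice:approve"},
    "treasury": {"payment:release"},
    "auditor": {"invoice:read", "payment:read"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},  # can both raise and approve an invoice
    "dave": {"treasury"},
    "erin": {"auditor", "treasury"},        # holds payment:release but never uses it
}
# Permission pairs no single person may hold (separation of duties).
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),
    ("invoice:approve", "payment:release"),
]
# Constructed audit log: "<timestamp> <user> <permission used>".
AUDIT_LOG = """\
2024-03-01T09:02:11Z alice invoice:create
2024-03-01T09:05:40Z alice invoice:edit
2024-03-01T10:15:02Z bob invoice:approve
2024-03-02T08:30:19Z carol invoice:create
2024-03-02T11:47:55Z dave payment:release
2024-03-03T14:12:08Z erin invoice:read
2024-03-03T14:13:30Z erin payment:read
"""


def effective_permissions(user):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations():
    """Users whose combined roles give them a conflicting permission pair."""
    found = []
    for user in sorted(USER_ROLES):
        perms = effective_permissions(user)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found


def unused_permissions(audit_log):
    """Granted permissions that never appear in the audit log: candidates for removal."""
    used = defaultdict(set)
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        _timestamp, user, perm = line.split()
        used[user].add(perm)
    excess = {}
    for user in USER_ROLES:
        unused = effective_permissions(user) - used[user]
        if unused:
            excess[user] = unused
    return excess


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD violation: {user} holds both {a} and {b}")
    for user, perms in sorted(unused_permissions(AUDIT_LOG).items()):
        print(f"Least-privilege review: {user} never used {sorted(perms)}")
```

Carol is flagged because her two roles together let her create and approve the same invoice; Erin keeps a payment-release permission she has never exercised, which is exactly the kind of standing privilege an insider or a compromised account would abuse.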
Two-Factor Authentication
A countermeasure that requires a second authentication factor in addition to a fixed password, recommended for high-risk network services such as VPNs.
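The most common second factor is a time-based one-time password. The following is an added example, not from the lecture notes, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus a server-side verifier that tolerates a little clock drift and refuses to accept the same time step twice (otherwise a phished code could be replayed within its 30-second window). The class name, the provisioning-URI helper and the sample account names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at_time) // step, digits, algo)


class TotpAuthenticator:
    """Server-side verifier: tolerates +/- `window` steps of clock drift and rejects replayed codes."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_step = -1  # highest time step for which a code has been accepted

    def provisioning_uri(self, account, issuer):
        """otpauth:// URI that authenticator apps read from an enrollment QR code."""
        b32 = base64.b32encode(self.secret).decode().rstrip("=")
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={b32}&issuer={quote(issuer)}&digits={self.digits}&period={self.step}")

    def verify(self, code, now=None):
        """True if `code` is valid for a step within the window that has not already been used."""
        now = time.time() if now is None else now
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self._last_step:
                continue  # this step (or an older one) already accepted a code: replay protection
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code.strip()):
                self._last_step = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 6238 test-vector secret, not a real key
    auth = TotpAuthenticator(secret)
    print(auth.provisioning_uri("alice@example.test", "ExampleVPN"))
    code = totp(secret, time.time())
    print("code:", code, "accepted:", auth.verify(code), "replay accepted:", auth.verify(code))
```

The constant-time comparison and the replay check are the two details most often missing from home-grown verifiers. Note that TOTP stops a password-only attacker but not a real-time phishing proxy that relays the code within its window; phishing-resistant factors (FIDO2/WebAuthn) close that gap.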
PhishTank
A collaborative clearing house for data and information about phishing on the Internet which provides an open API for developers.
Netcraft
An anti-phishing browser toolbar that lets users report phishing sites and shows a risk rating for each site visited, along with where its web space is hosted.