Social Engineering: What You Can Do to Avoid Being a Victim

May 28, 2021
by Sagar Joshi

Social engineering targets human minds to turn an attacker's malicious intent into actual cyber attacks.

It plays on your greed, fear, and insecurities to trick you into giving your passwords and other sensitive information. It’s common to get suspicious emails or texts with warnings and limited-time offers, encouraging you to enter confidential details.

You need to be aware and attentive round the clock, especially when you see questionably generous offers and ominous warnings with obscure consequences.

Every mind is different, and so are its cognitive biases. Social engineering exploits these cognitive biases to design a suitable attack vector and technique.

Attackers take unfair advantage of these decision-making complexities to vary their techniques, which is why there are so many social engineering techniques aimed specifically at particular groups or individuals.

Consequently, it becomes indispensable for you to look for anomalies and social engineering threats constantly. For enterprises, it’s even more important to keep a watchful eye over threats because a single compromised login credential might result in an uncontainable security breach.

It’s advisable to have your defense set with intrusion prevention and detection systems, firewalls, email anti-spam software, and other defense mechanisms. They’d help you detect and contain a social engineering attack when adversities emerge.

Stages of a social engineering attack

A social engineering attack is divided into four phases:

  1. Research. Gathering information about the victim’s interests, personal and professional life, and similar attributes plays a significant role in deciding the attack’s success rate.
  2. Engage. Attackers initiate a smooth conversation with targets without leaving any gap for doubt or distrust.
  3. Attack. When targets have been adequately engaged, attackers move to retrieve the information they seek or trick victims into performing an action.
  4. Closure. Once attackers’ motives are fulfilled, they shut down communication with the victim without fueling any suspicion.

Social engineering techniques and attacks

Social engineering techniques aren’t limited to a specific number, but their underlying concepts unite diverse techniques into unique clusters.

Phishing

Phishing is a common social engineering technique that you come across quite often. 

You can observe it in suspicious emails in your inbox or spam folders. These emails carry malicious attachments disguised as genuine files, which can install malware or scareware on your device when downloaded.

30% of phishing messages get opened by targeted users, and 12% of those users click on the malicious attachment or link. (Source: PurpleSec)

In some cases, instead of sending attachments, social engineers use links. These links take you to a malicious website that manipulates you to reveal your sensitive information. Businesses use email anti-spam software to protect users from phishing scams.

Sometimes, fraudsters target a small group instead of conducting a phishing attack at scale. They conduct thorough research on the target group to resonate with its interests and gain its trust. Such targeted phishing attacks are called spear phishing.

Spear phishing attacks pose significant threats to organizations as the research behind them helps disguise attackers as genuine employees.

56% of IT decision-makers say targeted phishing attacks are their top security threat. (Source: PurpleSec)

Spear phishing campaigns involve large amounts of reconnaissance. 

Attackers use social networking sites like LinkedIn, Twitter, Instagram, and others to gather information about a target. They use personal and professional information to prepare an email that appears genuine but carries an ulterior malicious intent. 

Another element of phishing that demands your attention is vishing (or phone call phishing). In a vishing attack, a perpetrator uses a rogue interactive voice response (IVR) system designed to replicate the real IVR of an institution or bank.

Attackers send out an email to victims, convincing them to dial a toll-free number that connects them with the rogue IVR. The interactive voice response system guides them to enter user credentials on a malicious webpage, resembling a legitimate one. 

Victims enter their passwords multiple times, but the malicious web page rejects each attempt, tricking them into disclosing several passwords to the attacker.

When phishing is carried out using a short message service (SMS), it’s commonly called smishing. Attackers lure victims to malicious websites by tricking them into clicking a malicious link in a text message. Attackers disguise these messages to replicate courier pickup or delivery alerts, attractive prizes, discounts, or warnings that encourage the recipient to take action.

Sony Pictures became a victim of a social engineering attack in 2014. Cybercriminals sent multiple phishing emails carrying malware attachments to gain access to Sony’s network.

Attackers performed covert reconnaissance for a few months. Once they had access to the network, they started sending threatening emails to company executives and employees while accessing confidential information and other sensitive data.

Baiting

Baiting envelops all social engineering tactics that lure a target victim with bait. 

Usually, this technique uses physical bait but is not limited to it. In digital environments, baits can be delivered by creating malicious advertisements and using similar mediums.

An attacker can deliver a physical bait in the form of an external hard disk, USB drive, floppy disk, CD, DVD, and the like. You’ll find it in common places accessible to employees. Bad actors mark baits with labels that might interest you the most, such as an appraisal list or a promotions list.

If anyone in your workplace plugs it into their computer, it delivers malware to their machine. Enterprises use endpoint protection suites to block the bait in such situations and prevent malware from installing on your desktop or laptop.

In 2016, an interesting study was conducted at the University of Illinois, where researchers dropped 297 USB drives across the campus in a controlled environment. 

The results were:

  • 290 drives were taken from the drop locations
  • 135 drives were inserted into a computer or laptop, and one or more files were opened
  • 155 drives showed no signs of opened files. They may or may not have been inserted.

That 98% of the drives were picked up reflects how easy it is to fall for the bait and unknowingly put your security at risk.

You need to ensure that your workforce is well educated and informed about social engineering techniques so that nobody falls prey to them.

Continuous learning and awareness imparted through security awareness training software can help you train employees at scale and assess their security readiness.

Pretexting

Pretexting involves crafting fake scenarios to engage victims and persuade them to act according to attackers’ malicious intent. This technique requires an attacker to conduct thorough research on the target and carry out impersonation as closely as possible. 

Pretexting is widely regarded as the first evolution in social engineering. Now, it’s used to trick people into revealing their personally identifiable information or a business’s confidential data.

In the first step, attackers try to establish trust with the victim by impersonating the police, a bank, or a similar institution with an assumed right to know. Pretexters might strip their targets of sensitive information like bank account numbers, social security numbers, credit card details, and other confidential data.

Reverse social engineering is a typical example of pretexting. Here, attackers don’t contact the victim but manipulate the victim into contacting the attacker.

For example, a poster on a notice board might announce a change in the IT service desk’s phone number. Employees then contact the attacker through the illegitimate contact details.

Some social engineers use social bots to send friend requests at scale and then employ reverse social engineering techniques. Once attackers identify their potential targets, they leverage victims’ personal data on social media to establish trust and trick them into divulging confidential or sensitive information.

A notable example of pretexting is the Hewlett-Packard scandal. The company hired private investigators to find the source of information leaks and gave them access to its employees’ information. Investigators then called phone companies while impersonating employees to obtain call records.

Water holing

Water holing (or a watering hole attack) is a social engineering technique where attackers observe or guess specific websites that organizations use daily. Once they have narrowed down the websites familiar to employees, attackers infect them with a trojan or add malicious code.

Consequently, some employees from the target group become victims. When attackers want specific information from particular users, they might serve the malicious code only to particular IP addresses.

Did you know? The term “water holing” was derived from the hunting technique of predators in the real world, who wait near watering holes to attack their prey. (Source: Wikipedia)

Preparation of a watering hole attack starts with research. It involves observing and investigating websites that organizations use. The next step is to scan these websites for vulnerabilities and infect them with malware.

Attackers have reportedly used the water holing technique to gain access to high-security systems. It’s because the trap is set in an environment that a victim trusts. People might successfully avoid clicking on a link in an unsolicited email. But they wouldn’t hesitate to follow a link on websites they trust.

A notable example of a watering hole attack is the Holy Water Campaign targeting Asian religious and charitable societies. Attackers tricked victims into updating their Adobe Flash, which triggered the attack.

Tailgating

Tailgating is a social engineering technique where a perpetrator tries to access secure locations by tricking employees into believing that they are authorized to be there. For example, to get into your office, a perpetrator might ask you to unlock the front door with your identity token or RFID tag, claiming that they forgot their own tag at home.

In some cases, they might carry a fake identity card and ask you to let them in because the biometric reader isn’t accepting their fingerprint due to a technical fault.

Tailgating generally takes undue advantage of common courtesy. 

As a helpful act, an employee might hold the door open for an attacker (disguised as another employee) and forget to ask for identity proof. Sometimes, the perpetrator presents a fake identity proof designed just like the real one, and the authorized person isn’t attentive to the proof’s details.

Categories of social engineers

There is a broad range of social engineers who use various techniques to gather sensitive information. We can categorize them into:

  • Black hat hackers are people with malicious intent who’re willing to engage in illegal activity to gain unauthorized access to your assets. Black hat hackers use social engineering techniques because humans are easier to hack than network or system vulnerabilities.
  • Penetration testers employ multiple tactics to check whether people in an organization are susceptible to divulging confidential and sensitive information.
  • Spies use social engineering methods to secretly gather information about an organization or an institution. Their objective is primarily tied to providing strategic or financial benefits to the organization that has employed them.
  • Identity thieves steal personally identifiable information (PII) such as your social security number, name, address, email address, etc. This information, when sold on the dark web, offers a financial benefit.
  • Data brokers are companies or agencies that gather information on consumers for reselling purposes. There are cases where data brokers are unintentionally tricked into giving away sensitive information to bad actors, as happened in the ChoicePoint data breach.
  • Disgruntled employees or ex-employees might use social engineering techniques to mount an insider threat against an organization. The primary intention is to take some sort of revenge on the organization for not fulfilling their expectations, or to trade otherwise inaccessible information for money.
  • Salespeople contact you to find out what systems or technology you’re currently using, so they can pitch their product to your requirements. Some of them could be social engineers pretending to be salespeople in order to gather sensitive information.
  • General people use social engineering techniques more often than they’re aware of. It could be a teenager trying to access their partner’s social account by answering the security questions. There are many other everyday instances of social engineering.

How to detect social engineering threats

Social engineers play on people’s desire to gain satisfaction. Scammers generally masquerade as someone you’d trust or try to earn your trust in the first place. 

You need to be attentive and careful when someone you don’t know so well tries to establish trust out of the blue.

You can detect social engineering threats when you keep a watchful eye over:

  • Email from a trusted source motivating you to click on an irrelevant link
  • Colleague or friend asking for help in the least expected ways, inducing a sense of urgency
  • Company email from a known website but with an unusual domain name
  • Email from senior leadership or coworker asking you to perform a task at the earliest or reveal specific information
  • Donation requests from popular NGOs and charity websites using irregular domain names
  • Messages claiming you have won a highly generous reward
  • Verification request (OTP, change password, etc.) from products or services you didn’t use recently
  • Response to a question you never asked
  • Messages creating distrust between coworkers
  • People requesting you to get them access to a location 
  • Messages claiming you have violated a law
  • Emails demanding you to pay an amount as a fine for an illegal activity you performed
  • Repeated sign-in attempts from an unrecognized device
  • Authorized users trying to access company or financial information outside their scope

These are some of the signs that might indicate a social engineering threat, but the list is not exhaustive. A wide range of social engineering threats prevail in businesses, and detection is the first step toward remediating them.
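Several of the indicators listed above (a lookalike or unusual sender domain, a link that leaves the trusted domain, urgency, generous rewards, legal threats) can be turned into a first-pass triage check over incoming mail. This is an added example, not code from the original article; the allowlist of known domains, the cue phrases and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed allowlist (assumption): domains the organization and its partners actually use.
KNOWN_DOMAINS = {"example-corp.com", "bank-example.com", "charity-example.org"}
# Cue phrases taken from the indicator list above: urgency, generous rewards, legal threats.
CUES = {"urgency": ("urgent", "immediately", "at the earliest", "within 24 hours"),
        "reward": ("you have won", "prize", "gift card"),
        "legal threat": ("violated", "lawsuit", "penalty")}

def sender_domain(from_header):
    """Lower-cased domain of the From: header, '' if it has no address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_known(domain, known=KNOWN_DOMAINS):
    """True for an allowlisted domain or one of its subdomains."""
    return domain in known or any(domain.endswith("." + k) for k in known)

def lookalike(domain, known=KNOWN_DOMAINS):
    """Known domain whose name this one borrows (extra tokens or swapped TLD), else None."""
    name = domain.split(".")[0].replace("-", "")
    for k in known:
        if domain != k and name.startswith(k.split(".")[0].replace("-", "")):
            return k
    return None

def flags_for(msg):
    """Indicators found in one message dict with 'from', 'subject' and 'body' keys."""
    flags, domain = [], sender_domain(msg["from"])
    if not is_known(domain):
        imitated = lookalike(domain)
        flags.append(f"lookalike domain {domain} resembles {imitated}" if imitated
                     else f"sender domain {domain} not on allowlist")
    # A link that leaves the known domains is the "trusted source, irrelevant link" case.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if not is_known(host):
            flags.append(f"link to {host} outside known domains")
    text = (msg["subject"] + " " + msg["body"]).lower()
    flags += [cue for cue, words in CUES.items() if any(w in text for w in words)]
    return flags
# Constructed sample messages, not real mail.
SAMPLES = [
    {"from": "HR <hr@example-corp.com>", "subject": "Updated holiday calendar",
     "body": "The calendar is published at https://example-corp.com/hr/calendar."},
    {"from": "IT Support <it@example-corp-secure.com>", "subject": "Urgent: password reset",
     "body": "Your account will be locked. Reset immediately at https://example-corp-secure.com/reset"},
    {"from": "Prize Team <win@promo-offers-example.net>", "subject": "You have won a reward",
     "body": "Claim your gift card at https://promo-offers-example.net/claim within 24 hours."},
]

def triage(samples=SAMPLES):
    """Map each subject to its indicator list; an empty list means nothing was flagged."""
    return {m["subject"]: flags_for(m) for m in samples}

if __name__ == "__main__":
    for subject, flags in triage().items():
        print(f"{subject!r}: {flags or 'no indicators'}")
```

A message with several flags is a candidate for the questions in the next section, not an automatic verdict; keyword cues alone produce false positives, so the domain checks carry most of the weight.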

Whenever you feel something suspicious, remember to take time and ask yourself the following questions:

  • Did the message come from a trusted source?
  • Is this actually my friend who sent me the message?
  • Are my emotions (fear, greed, excitement, curiosity) heightened?
  • Does this website appear different from the usual?
  • Does this offer sound too good to be true?
  • Do these attachments or links appear to be suspicious?
  • Can they prove their identity?

How to prevent social engineering attacks

You can prevent social engineering attacks by adopting suitable countermeasures.

Awareness and training

Social engineering attacks happen as a result of a lack of attention and naivete. You need to provide proper and regular awareness training to your employees so that they are well informed about the nature of threats. Paul Kubler, a founding member of CYBRI, says, "Humans need to be trained – they are the weakest link."

“Companies should employ a bi-annual training geared toward each user group (end-users, IT staff, etc.) so that everyone is aware of the latest attacks.”

Paul Kubler, Red team head and founding member at CYBRI (Source: Digital Guardian)

There should be appropriate training provided to protect yourself and respond to different kinds of social engineering techniques. For example, in tailgating, if an attacker masquerading as a coworker requests you to give them access, you should be trained to politely deny their request and help them get in touch with security personnel who can verify their identity. Similarly, you can provide training for all common and evolving social engineering scenarios.

Unified framework

Ensure that your organization has a standard framework for handling sensitive information. Every employee needs to know how to handle information. 

You have to keep them well informed about sharing information and make sure they understand what types of information they can communicate internally and externally. Establishing a standard information security framework for managing information teaches employees when, why, where, and how sensitive information should be handled.

Preventive protocols, tools, and policies

It’s essential to have the appropriate software to resist social engineering attacks. Although the best defense against social engineering is equipping people to be aware and attentive, software solutions like firewalls and various others help cover the loose ends that remain even after training programs.

Pierluigi Paganini, a security researcher for InfoSec Institute, advises protecting users’ digital identities from social engineering attacks. Paganini says, “Adopt proper defense systems such as spam filters, anti-virus software, and a firewall, and keep all systems updated.”

Ensure that you have the right arsenal of security solutions, standard protocols, and policies to prevent social engineering attacks in your organization.

Tests and reviews

When you have set all preventive defense systems against social engineering and other cyber attacks, it’s crucial to regularly test and review them. To make sure your workforce is resistant to persuasion attempts, you can hire an external agency to conduct a controlled social engineering attack and find the loopholes in your current setup.

For security systems, leverage penetration testing to test the different ways in which a hacker could exploit a vulnerability in your assets if they succeed in identity fraud via a social engineering attack. Remediate these vulnerabilities and conduct regular vulnerability scanning to identify whether new security weaknesses emerge.

Proper waste disposal

It’s essential to keep your organization’s e-waste or paper waste in dumpsters with locks until adequately disposed of by waste management authorities. Such waste might include used hard drives, defective USBs, or sensitive documents that are no longer required.

This waste can be of no use to you. However, attackers can still use it as an attack vector or to access sensitive information by refurbishing disposed e-waste or reconstructing torn paper documents.

Ensure that your waste dumpsters are behind locked gates or fences, or are visible to employees, so people will notice if anyone tries to trespass. 

Engineer your mind

Social engineering attacks are aimed at tricking people into doing something that they wouldn’t normally do. You need to be self-aware, train your mind in the areas where you act impulsively or anxiously, and look out for the signs of social engineering attacks and threats.

Even after adopting proper preventive measures, an attacker may slip through an unknown security gap; here’s an incident response plan that’ll help you respond without confusion.

Sagar Joshi

Sagar Joshi is a former content marketing specialist at G2 in India. He is an engineer with a keen interest in data analytics and cybersecurity. He writes about topics related to them. You can find him reading books, learning a new language, or playing pool in his free time.