What is Social Engineering?
Social engineering is a broad term for several malicious activities conducted through human interaction to access sensitive information. In simpler terms, it’s the process of manipulating individuals into disclosing little pieces of sensitive information over time until an attacker has enough to cause major damage to the individual, or their organization.
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. However, by asking questions, they may be able to piece together enough information to infiltrate an organization’s network. If an attacker cannot gather enough information from one source, they may contact another source within the same organization and use the data from the first source to add to their credibility.
How does Social Engineering Work?
A cybercriminal will follow a few simple steps to establish a foothold inside an organization and begin extracting small pieces of information. These pieces are then stitched together to give the attacker everything they need to cause real damage to an organization (or even a single individual).
The dangerous thing about social engineering is that the individual pieces of information seem harmless, but when they are put together, it paints a very detailed and compromising picture of an individual or organization.
Steps to a Successful Social Engineering Attack
- Research: Identify the victim, gather high-level background information and find the best entry point.
- Gain a Foothold: Engage the victim(s), pitch your story, and take control of the interaction.
- Gather Data: This is the longest stage of the process. Continue to leech data from individuals, and expand your foothold to gain new information channels.
- Escape: Remove any evidence, and bring conversations to a seemingly natural end.
- Attack: Leverage the information you’ve gained, activate your tools (ransomware, malware, etc.), and reap the benefits.
Why is this process so effective?
Social engineering relies heavily on The Six Principles of Influence, established by Robert Cialdini. When it comes to preventing social engineering, these six principles serve as helpful litmus tests: an unusually strong appeal to any one of them is a warning sign.
6 Principles of Influence:
- Reciprocity
- Commitment and Consistency
- Consensus/Social Proof
- Authority
- Liking
- Scarcity
Types of Social Engineering Attacks
Baiting is a social engineering type specializing in piquing a victim’s curiosity. This can be done with physical media (a flash drive left somewhere in public) or virtual media (a free app, exciting ads/offers, or intriguing downloads).
Scareware is a type of social engineering where the victim is bombarded with notifications that their device may be infected. The false alarm then prompts the user to download infected software to “fix” the issue or directs them to a malicious site that infects the device.
Scareware is also referred to as deception software, rogue scanner software, and fraudware. This type of attack can also be distributed via email, loaded with false warnings or offers on discounted (and infected) tools/services.
Pretexting is, in simple terms, a well-crafted lie. An attacker will first build rapport with the victim and establish some kind of authority. Unfortunately, most of us are programmed to give sensitive information to those who have “right-to-know authority” without asking many questions.
An attacker will establish their “authority” and then start to ask questions to gather sensitive information. These questions typically come with the pretext of “I need this information to perform ‘X’ task.”
Phishing, one of the most common types of social engineering, uses emails and texts to create a sense of urgency, curiosity, or fear in the victim. This altered state of mind can result in the victim entering vital information (such as login details) without verifying the source.
Some common phishing prompts are:
- Your flight has been delayed, click to view details.
- Your card was successfully charged for $$$, click to view your receipt.
- Click here to verify your account.
- Win big $$$ by filling out this short survey!
Spear phishing is a more personalized approach to a phishing attack. It requires much more research and planning from the attacker, but can result in a much higher success rate. In a spear phishing scam, an attacker may assume the name of a manager or someone in the C-Suite and reach out to you directly. They could also pose as an employee and email a malicious link to their team.
Some common spear phishing prompts are:
- Hey, [victim], it’s [CEO]. I’m in a closed-door meeting right now, so I can’t talk on the phone. I need you to run to the store and buy a handful of Amazon gift cards.
- Hey, Team, it’s [team member], I found this hilarious kitten video and figured I’d send it to everyone!
Pro Tip: When using text messaging, attackers may break up these messages and start with something smaller, like “Hey, it’s [CEO].” They are waiting for your response to keep the scam going. The principle they are using here is “Small Commitments,” a common idea in sales: getting your target to make small commitments leads to a much smoother transition into a big commitment (or, in the case of a scam like this, a big mistake).
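To make the phishing and spear-phishing cues above concrete from the defender’s side, here is an added example (not code from the original article) that scores messages for the language patterns just described: urgency, pressure to click, credential requests, money lures, claimed authority, excuses for why you can’t verify the sender, and the short “Hey, it’s [name]” small-commitment opener. The keyword lists, sample messages, and names are constructed for this example and are not a vetted ruleset; a real mail filter would combine such cues with sender, header and URL checks.

```python
import re
from typing import Dict, List

# Keyword cues for the phishing and spear-phishing lures discussed in the article.
# These patterns are assumptions made for this example, not a vetted ruleset.
CUES: Dict[str, re.Pattern] = {
    "urgency": re.compile(
        r"\b(urgent(ly)?|immediately|right now|asap|delayed|suspended|within \d+ (hours?|minutes?))\b", re.I),
    "link_pressure": re.compile(
        r"\b(click (here|to view|the link|below)|open the attachment)\b", re.I),
    "credential_request": re.compile(
        r"\b(verify your (account|identity)|confirm your (password|login|identity)|reset your password)\b", re.I),
    "money_lure": re.compile(
        r"(\$\$\$|\bwin big\b|\bgift cards?\b|\bsuccessfully charged\b|\brefund\b|\bprize\b)", re.I),
    "authority_claim": re.compile(
        r"\b(ceo|cfo|chief executive|your manager|it department|it support|help ?desk)\b", re.I),
    "cannot_verify": re.compile(
        r"\b(can[’']t talk|in a (closed[- ]door )?meeting|do(n[’']t| not) call|keep this (between us|confidential))\b", re.I),
    "contains_link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
}


def is_small_commitment_opener(text: str) -> bool:
    """A short greeting with no request yet: the sender is waiting to see whether you reply."""
    words = text.strip().split()
    return 1 <= len(words) <= 5 and words[0].lower().rstrip(",.!") in {"hey", "hi", "hello"}


def score_message(text: str) -> Dict[str, object]:
    """Return the matched cues, a simple count-based score and a verdict."""
    cues: List[str] = [name for name, pattern in CUES.items() if pattern.search(text)]
    if is_small_commitment_opener(text):
        cues.append("small_commitment_opener")
    score = len(cues)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "clean")
    return {"score": score, "cues": cues, "verdict": verdict}


def triage(messages: List[str]) -> List[Dict[str, object]]:
    """Score a batch of messages, keeping the text alongside the result."""
    return [dict(text=m, **score_message(m)) for m in messages]


# Constructed sample messages modelled on the prompts in the article; the names are invented.
SAMPLES = [
    "Your flight has been delayed, click to view details.",
    "Your card was successfully charged for $$$, click to view your receipt.",
    "Click here to verify your account.",
    "Win big $$$ by filling out this short survey!",
    "Hey Dana, it's Priya (CEO). I'm in a closed-door meeting right now, so I can't talk "
    "on the phone. I need you to run to the store and buy a handful of Amazon gift cards.",
    "Hey team, it's Sam. I found this hilarious kitten video and figured I'd send it to "
    "everyone! https://example.com/kitten.mp4",
    "Hey, it's Priya.",
    "Reminder: the quarterly all-hands is on Thursday at 10am in Room 4B.",
]

if __name__ == "__main__":
    for result in triage(SAMPLES):
        print(f"{result['verdict']:<10} {result['score']}  {result['cues']}  | {result['text'][:60]}")
```

Running it shows why keyword cues are only a first line of defence: the gift-card message lights up four cues at once, but the curiosity lure (the “kitten video”) only trips the link check, and the bare “Hey, it’s Priya.” opener carries no pressure language at all. That is exactly the gap the article’s advice to slow down and verify the sender is meant to close.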
Water holing is a targeted social engineering strategy that leverages users’ trust in websites they use often. A victim may avoid clicking links in an unsolicited email but wouldn’t hesitate to click a link on a website they visit often.
In this scenario, an attacker would research to find some frequently used websites by their target, test those sites for vulnerabilities, and then inject code that can infect a visitor’s system.
Quid Pro Quo
Quid pro quo: something for something
Example: An attacker will call individuals inside an organization claiming to be following up on a reported tech issue. Eventually, the attacker will land on a victim inside the organization who is actually having tech issues. They will then have the victim do harmful acts like providing sensitive information, downloading malicious software/apps, or visiting harmful sites to “fix” the problem.
Tailgating is very different from the other forms of social engineering because it takes place in person. Tailgating is when an attacker seeking entry into a restricted area (typically secured with RFID locks) simply walks in behind a person with legitimate access. The attacker may even go so far as to ask that person to hold the door, to further sell the idea that they have a right to be there.
How to Prevent Social Engineering
Primary Tip: Keep calm, slow down, and stay suspicious. Regardless of the “crisis,” no extra harm will come from taking seconds to inspect the message, its source, and its intention.
- If you Don’t Know, Don’t Open it. If you get an email from an unknown/suspicious source, do not open the attachments or click on links inside the email. For an in-depth guide on how to read URLs and prevent phishing scams, check out our article here!
- Too Good to be True. Offers that seem too good to be true usually are. This may seem obvious, but the goal of these offers is to find the right person, at the right time, with the right message. What seems evident to you may not be so obvious to others, and the opposite is also true.
- Keep Software Updated. Keep your application software versions, antivirus software, and other tools up to date. Often, a minor update such as “Version 1.2.03” is the provider’s response to a recently discovered vulnerability. If you’re ever unsure, reach out to your IT department.
- Multifactor Authentication (MFA). Enabling MFA is one of the most effective, important, and simple ways to help secure your accounts. This is an absolute necessity in today’s digital world.
- Train Your Staff. Every organization should have robust, frequent training and testing of their entire staff on cybersecurity, best practices for prevention, and communication guidelines in case of a breach.
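The first tip above asks readers to look at a link before opening it. As an added example (not code from the original article), the following breaks a link into the parts that matter and flags the signs a careful reader checks for: a display text whose host differs from the real destination, a brand name placed in a subdomain or path rather than in the registrable domain, a `user@host` prefix that hides the real host, punycode (`xn--`) labels, raw IP addresses, and plain `http`. The watched brand list and the sample links are constructed for this example; treating the last two labels as the registrable domain is a deliberate simplification (real tooling uses the Public Suffix List so that `co.uk`-style suffixes are handled).

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Brand names a reader might expect to see in a link. Constructed list for this example.
WATCHED_BRANDS = {"amazon", "examplebank", "payroll"}


def _is_ip_literal(host: str) -> bool:
    """True for a dotted-decimal host such as 203.0.113.7 (no hostname at all)."""
    return bool(host) and all(ch.isdigit() or ch == "." for ch in host)


def inspect_url(href: str, display_text: Optional[str] = None) -> Dict[str, object]:
    """Split a link into its parts and list the warning signs a reader should check."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []

    # Simplification: the last two labels are taken as the registrable domain.
    # Real tooling consults the Public Suffix List so that co.uk, com.au, etc. work.
    if _is_ip_literal(host) or len(labels) < 2:
        registrable = host
    else:
        registrable = ".".join(labels[-2:])

    findings: List[str] = []
    if parts.scheme and parts.scheme.lower() != "https":
        findings.append("not_https")
    if parts.username is not None:
        # "https://amazon.com@evil.example/" really points at evil.example.
        findings.append("userinfo_before_host")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode_label")
    if _is_ip_literal(host):
        findings.append("raw_ip_host")

    # Everything left of the registrable domain, plus the path, is attacker-controlled text.
    outside = host[: len(host) - len(registrable)] + " " + parts.path.lower()
    if any(brand in outside for brand in WATCHED_BRANDS):
        findings.append("brand_outside_registrable_domain")

    # If the visible link text looks like a URL or host, it must match the real destination.
    if display_text:
        shown = display_text.strip()
        if "." in shown and not any(ch.isspace() for ch in shown):
            shown_host = urlsplit(shown if "://" in shown else "//" + shown).hostname or ""
            if shown_host.lower() != host:
                findings.append("display_href_mismatch")

    return {"host": host, "registrable_domain": registrable, "findings": findings}


# Constructed (href, display text) pairs; .example and 203.0.113.0/24 are reserved for documentation.
SAMPLE_LINKS = [
    ("https://www.amazon.com/orders", "https://www.amazon.com/orders"),
    ("http://amazon.com.account-verify.example/login", "amazon.com"),
    ("https://amazon.com@evil.example/reset", None),
    ("https://xn--mazon-fake.example/login", "Log in"),
    ("http://203.0.113.7/verify", "Verify your account"),
]

if __name__ == "__main__":
    for href, shown in SAMPLE_LINKS:
        report = inspect_url(href, shown)
        print(f"{report['registrable_domain']:<28} {report['findings'] or 'no findings'}  <- {href}")
```

The second sample is the classic trick: the text reads `amazon.com`, and the host even starts with `amazon.com`, but the part that decides where the browser goes is `account-verify.example`. Reading a link right-to-left from the first single slash is the habit this check automates.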
It’s vital to remember that social engineering’s success hinges on human emotion. Making you feel trapped, rushed, or scared can get you to take action quickly and without thinking. It’s crucial to pay attention to the context of any situation where something is being asked of you by someone you don’t know. Even if they appear to hold some level of authority, there’s nothing wrong with taking a moment to verify or get a second opinion before proceeding. Stay cool, calm, collected… and suspicious!