Social Engineering, in the context of cybersecurity, is the process of tricking people into divulging private information that can be useful in a cyberattack.
There are many different types of social engineering attacks. Some are as simple as convincing emails or text messages carrying links to malicious websites. Others involve more effort, like a phone call from a cybercriminal pretending to be tech support and requesting confidential information.
Social engineering attacks are popular because they help cybercriminals avoid the arduous effort of locating and exploiting security vulnerabilities to access a network. Instead, manipulated employees essentially hand threat actors the keys to the network.
Because they make cyberattacks significantly easier, social engineering attacks are growing in popularity. According to the State of Cybersecurity Survey by ISACA, social engineering was the number one cyber threat responsible for business compromise.
13 Examples of Social Engineering Techniques
Common social engineering attacks include:
Baiting is a type of social engineering where an attacker leaves a physical device (like a USB drive) infected with malware where it is most likely to be found. When a victim inserts the drive into their computer, a malware installation process is initiated.
Diversion theft is when social engineers trick a delivery company into sending the package to a different location so that it can be intercepted.
A honey trap is when a con artist poses as an attractive person online with the objective of stealing personally identifiable information (PII), like phone numbers and email account details, from the individuals they interact with.
Phishing attacks gather sensitive information like login credentials, credit card numbers and bank account details by masquerading as a trusted source.
The most common phishing scam is a fake email that seems like it was sent by an authoritative sender.
Here's an example of a phishing email that looks like a legitimate communication from the World Health Organization.
The links in phishing emails lead to attacker-controlled content. When clicked, they usually direct the victim to a web page that replicates the website of the business the email claims to represent. This could be a fake login page for a financial institution or a fake login portal for your intranet.
Some of these fake pages are indistinguishable from their real-world inspirations. When unsuspecting victims submit their information, their credentials are sent to the hacker who then logs into the legitimate website being mirrored in the attack.
Phishing emails often create a sense of urgency to make the victim feel that divulging information quickly is important. Despite not always having a sophisticated design, phishing attacks are one of the most critical cybersecurity risks.
Some spam filters, such as Microsoft's filter, are designed to send potential phishing emails directly to the junk folder. These filters are not always accurate, so it's important to maintain a zero-trust mindset when reviewing incoming emails.
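As an added example (not code from the original article), the following Python script performs the kind of scrutiny described above on an incoming HTML message: it extracts every link, flags an href whose host differs from the domain shown in the link text, hosts that are raw IP addresses or punycode, lookalikes of an allowlisted domain (digit-for-letter swaps and inserted hyphens), and urgency wording in the body. The allowlist, the homoglyph table and the sample message are constructed assumptions; the heuristics are deliberately simple and will produce false positives, which is why a check like this complements a mail filter rather than replacing it.

```python
"""Triage the links in an HTML email body for common phishing indicators.
Added example, not code from the original article; the allowlist and the
sample message are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Hypothetical allowlist: domains the organisation legitimately receives links from.
TRUSTED_DOMAINS = {"example-bank.com", "who.int"}
# Wording that manufactures urgency (a heuristic; expect some false positives).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
# Visible anchor text that itself looks like a URL or a bare domain.
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)
# Normalisation for lookalike detection: digit-for-letter swaps undone, hyphens dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host (fine for .com/.int; use a public suffix list for co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Trusted domain the host imitates (examp1e-bank-login.net -> example-bank.com), else None."""
    if registrable(host) in trusted:
        return None
    norm = host.lower().translate(HOMOGLYPHS)
    for t in trusted:
        if t.split(".")[0].translate(HOMOGLYPHS) in norm:
            return t
    return None


def displayed_host(text):
    m = DOMAINISH.match(text)
    return m.group(1).lower() if m else None


def check_link(href, text):
    """Indicators for one link; an empty list means nothing stood out."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return ["non-http-link"]
    findings = []
    if "@" in parsed.netloc:
        findings.append("userinfo-in-url")  # http://bank.example@evil.example/
    if is_ip(host):
        findings.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    shown = displayed_host(text)
    if shown and registrable(shown) != registrable(host):
        findings.append("display-mismatch")  # text names one site, href goes to another
    imitated = lookalike_of(host)
    if imitated:
        findings.append("lookalike:" + imitated)
    return findings


def triage_email(html):
    """Per-link findings plus an urgency flag, rolled into a crude score."""
    collector = LinkCollector()
    collector.feed(html)
    links = [(href, text, check_link(href, text)) for href, text in collector.links]
    urgency = bool(URGENCY.search(re.sub(r"<[^>]+>", " ", html)))
    score = sum(len(f) for _, _, f in links) + (2 if urgency else 0)
    return {"links": links, "urgency": urgency, "score": score,
            "verdict": "suspicious" if score >= 2 else "ok"}


# Constructed sample resembling the urgent "verify your account" lure described above.
SAMPLE_EMAIL = """<html><body>
<p>Dear colleague, your mailbox will be suspended within 24 hours unless you verify now.</p>
<p>Sign in at <a href="http://examp1e-bank-login.net/secure">https://example-bank.com/login</a></p>
<p>Or use <a href="http://203.0.113.5/owa">the webmail portal</a>.</p>
<p>Guidance: <a href="https://www.who.int/">World Health Organization</a></p>
</body></html>"""

if __name__ == "__main__":
    report = triage_email(SAMPLE_EMAIL)
    for href, text, findings in report["links"]:
        print(f"{href:42} {text[:30]:30} {findings}")
    print("urgency:", report["urgency"], "score:", report["score"], "verdict:", report["verdict"])
```

On the sample, the first link is flagged twice (the visible text names example-bank.com while the href goes to a lookalike host), the second for pointing at a bare IP address, and the WHO link not at all; together with the urgency wording the message scores as suspicious. Only the registrable-domain helper would need replacing (with a public suffix list) before using the same logic on real mail.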
Spear phishing is an email spoofing attack targeting a specific organization or individual. Spear phishing emails aim to infect the victim with ransomware or trick them into revealing sensitive information.
Smishing or SMS phishing is phishing performed over SMS rather than the traditional medium of email.
Pretexting is the process of lying to gain access to personal data or other privileged information. For example, a fraudster may pose as a third-party vendor, saying they need to know your full name and title to verify your identity.
Quid Pro Quo
A quid pro quo is a type of social engineering attack that exploits the human tendency to reciprocate good gestures.
For example, an attacker may provide free technical support over a phone call to a victim and then request that they turn off their antivirus to support an upcoming system update. The victim then feels pressured to oblige, reciprocating the generous assistance they were given.
If a victim is very accommodating, cybercriminals will continue using them to advance the cyberattack. Following on from the above example, after turning off all antivirus software the victim could then be asked to install a trojan masquerading as the "software update", leading to the entire network falling under the cybercriminal's control.
Rogue Security Software
Rogue security software or scareware is fake security software that falsely identifies the presence of malware on a computer. After "detection" the end-user receives a pop-up requesting payment for removal. Pop-ups will continue happening with increasing urgency until payment is made.
Tailgating or piggybacking is when an attacker follows a person into a secure area. This type of attack relies on the person being followed assuming the intruder is authorized to access the targeted area.
Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. Vishing paired with voice deepfakes is a massive cybersecurity risk. According to The Wall Street Journal, a vishing attack resulted in the CEO of a UK-based energy firm sending $243,000 to an attacker's bank account because he thought he was on the phone with his boss.
A watering hole attack is when an attacker targets a specific group of people by infecting a website they know and trust. The attack could involve exploiting an outdated SSL certificate, typosquatting, lack of DNSSEC, or domain hijacking.
Whaling is a form of spear phishing targeting high-profile individuals like public company executives, politicians or celebrities. For example, whaling attacks often come in the form of a fake request from the CEO asking the HR department to change their existing payroll details to those set up by the phisher.
4 Examples of Popular Social Engineering Attacks
The Trojan Horse
The most famous social engineering attack comes from an Ancient Greek story of deception. An army of soldiers hid inside a wooden horse that was given as a peace offering to the city of Troy. Troy accepted the gift, and that night the soldiers snuck out and conquered the city.
The modern Trojan operates under the same principle. Cybercriminals present seemingly innocuous software, like a virus scanner or software update, that contains a hidden malware installer.
RSA Data Breach
A successful social engineering attack led to the 2011 data breach of RSA. Attackers sent two phishing emails over two days to a group of RSA employees with the subject line of "2011 Recruitment Plan." When opened, an infected Excel document exploited an Adobe Flash vulnerability (CVE-2011-0609).
Target Data Breach
In 2013, Target suffered a massive data breach which started with a third-party vendor falling for a phishing email. The email contained a trojan that helped attackers gain access to Target's POS system, resulting in the theft of 40 million credit card details.
Mispadu: Malvertising for Fake McDonald's Coupons
A bank credential-stealing trojan known as Mispadu was deployed via Facebook ads for fake McDonald's coupons. The ads targeted residents in Brazil and Mexico. When users attempted to access the coupons, a zip file containing the trojan was downloaded and installed on their computer.
Mispadu scans web browsers, email clients, and even the clipboard database for banking credential information. The trojan also attempts to replace existing bitcoin wallets with its own wallet.
12 Ways to Prevent Social Engineering Attacks in 2022
You and your employees will have the best chances of evading social engineering attacks by following these 12 prevention strategies.
1. Educate Employees
Ignorance is the primary reason employees fall victim to social engineering attacks. Organizations should implement security awareness training to educate their staff about how to respond to common breach attempts, for example what to do when private information is requested or when someone attempts to tailgate an employee into the office.
The following list outlines some of the most common cyberattacks. Each link will open a blog post that can be used for cybercrime awareness training in the workplace:
- Phishing attacks
- DDoS attacks
- Ransomware attacks
- Malware attacks
- Clickjacking attacks
- How to respond to tailgating
2. Establish Security Policies
Outline how all employees should respond to social engineering attempts in your information security policy and incident response plan. By ensuring everyone follows the best response practices, you'll have the highest chances of defending against these attacks.
3. Scrutinize All Information
Teach employees to scrutinize every email they receive and every device they plug into their computer. Identifying what information is sensitive and evaluating how it could be exposed during a social engineering attack can help organizations build in countermeasures and mitigate cybersecurity risk.
4. Establish Security Protocols
Establish an information risk management program that has security protocols, policies, and procedures that outline how to handle data security.
5. Test Attack Resilience
Test your organization by performing controlled social engineering attacks against it. Send fake phishing emails and gently correct staff members who click malicious links, open attachments, or respond. These events should be viewed as teachable moments rather than cybersecurity failures.
6. Increase Test Attacks
Just like a vaccination, your organization becomes more resistant to social engineering attacks when it is exposed to them frequently, which is why testing multiple times a year is important.
7. Review Response Protocols
Review your countermeasures and training against social engineering attacks over time and improve or discard outdated information.
8. Secure All Waste
Use a secure waste management service so that attackers can't plan attacks by studying information in either physical or digital dumpsters.
9. Use Multi-Factor Authentication
Enforce a multi-factor authentication process that requires users to know something (a password), have something (a token), and be something (biometrics) before access to sensitive resources is granted.
10. Operations Security
OPSEC is a process that identifies friendly actions and information that could be useful to a potential attacker: pieces of information that, if properly analyzed and grouped with other data, would reveal critical information or sensitive data. By employing OPSEC practices, you can reduce the amount of information social engineers can gather.
11. Implement a Third-Party Risk Management Framework
It's no longer enough to focus solely on your own organization's cyber resilience and cybersecurity. Third-party vendors are increasingly processing large amounts of client personally identifiable information (PII) and protected health information (PHI), which makes them prime targets for social engineers targeting your data.
Develop a third-party risk management framework, vendor management policy and perform a cybersecurity risk assessment before onboarding new vendors or continuing to use existing vendors. It's much easier to prevent data breaches than clean them up, especially after stolen data has been sold on the dark web. Look for software that can automate vendor risk management and continuously monitor and rate your vendors' cybersecurity rating.
12. Detect Data Leaks
It can be hard to know when credentials have been exposed during a phishing attack. Some phishers may wait months or years to use the credentials they collect, which is why your organization should be continuously scanning for data exposures and leaked credentials.
Why Do Cybercriminals Use Social Engineering?
Cybercriminals use social engineering techniques to conceal their true identity and present themselves as trusted sources or individuals. The objective is to influence, manipulate or trick victims into giving up personal information so that it can be used to access a targeted network.
Most social engineering exploits people's willingness to be helpful. For example, the attacker may pose as a co-worker who has an urgent problem, like an overdue invoice that needs to be paid.
Social engineering is an increasingly popular way to subvert information security because it is often easier to exploit human weaknesses than network security or software vulnerabilities. This is why social engineering is often used as the first stage of a larger cyberattack designed to infiltrate a system, install malware or expose sensitive data.
How Does Social Engineering Work?
The first step for most social engineering attacks is to gather information on the target.
For example, if the target is an organization, attackers can exploit poor OPSEC practices to gather intelligence on corporate structure, internal operations, industry jargon and third-party vendors. Public-facing information, such as social media profiles, is also targeted.
When cyberattackers are ready to strike, their first target is usually a low-level employee who is manipulated into providing network access. The objective of this step is to avoid contending with firewalls and other security controls located at the network boundary.
Threat actors can rarely instantly exploit sensitive resources when they first gain access to a network. To burrow deeper, they move laterally inside the network in search of higher privilege credentials to compromise. This activity is usually hidden behind legitimate processes to evade antivirus detection.
Social engineering attacks expose sensitive information, like social security numbers or credit card numbers, and lead to data breaches and data leaks of personally identifiable information (PII) and protected health information (PHI).
What are the Six Principles of Influence Abused in Social Engineering?
All social engineering tactics rely on exploiting aspects of human interaction and decision-making known as cognitive biases. Think of biases as vulnerabilities in 'human software' that can be exploited, just like CVEs can be exploited to access a private network.
The social engineering framework is based on the six principles of influence outlined by Robert Cialdini, Professor Emeritus of Psychology and Marketing at Arizona State University.
1. Reciprocity
People tend to want to return a favor, which explains the pervasiveness of free samples in marketing. A scammer may give the target something for free and then request access to sensitive information.
Social engineering example of reciprocity:
An attacker's demonstration of kindness makes a victim feel compelled to echo the sentiment by complying with sensitive data requests.
2. Commitment and Consistency
If people commit, either vocally or in writing, to a goal or idea, they're more likely to honor the commitment, even if the original motivation is removed.
Social engineering example of commitment and consistency:
An employee follows through with an attacker's request for login credentials because they originally agreed to supply it, even if they understand it shouldn't be done.
3. Social Proof
People tend to do things other people are doing.
Social engineering example of social proof:
An attacker provides false evidence that a victim's colleague has collaborated with them recently, compelling the victim to also comply.
4. Authority
People tend to obey authority figures even if asked to do objectionable acts. This is why spear phishing campaigns that impersonate a CEO and target low-level employees of the same company are usually successful.
Social engineering example of authority:
An attacker poses as an authoritative figure, either within the targeted workplace or in society, such as a police officer, lawyer, etc.
5. Liking
People are easily persuaded by people they like. This is why spear phishers often masquerade as a colleague or friend in their campaigns.
Social engineering example of liking:
An attacker compliments a victim to seem likable.
6. Scarcity
Perceived scarcity increases demand. This scarcity tactic makes social engineering attacks feel very urgent, and therefore important.
Social engineering example of scarcity:
An attacker presents an urgent need for a set of credentials in order to access internal software and complete an expiring sales call.
4 Examples of Notable Social Engineers
Notable social engineers include:
Kevin Mitnick
Based in the United States, Mitnick is a computer security consultant, author, and hacker, best known for his high-profile arrest in 1995 and five-year conviction for various computer and communications-related crimes.
In the video below Kevin describes how he used social engineering to exploit the paper ticketing system of an L.A. bus network at 12 years of age.
Susan Headley
During the late 1970s and early 1980s, Susan Headley (or Susan Thunder, as she was known) became famous for her expertise in social engineering, pretexting, and psychological subversion.
Learn more about Susan Headley.
The Badir Brothers
Ramy, Muzher and Shadde Badir, brothers who were all blind from birth, set up an extensive phone and computer fraud scheme in Israel in the 1990s. This operation combined social engineering, vishing, and Braille-display computers.
Learn more about the Badir Brothers.
Frank Abagnale
Frank Abagnale is an American security consultant known for his background as a former con man, check forger, and impostor between the ages of 15 and 21.
His tactics and escapades are depicted in the best-selling novel and movie Catch Me If You Can. This publicity arguably makes Abagnale the world's most famous social engineer.