What is Social Engineering?
Social Engineering, in the context of cybersecurity, is the use of deception to convince individuals into relinquishing their personal information online. This information is then exploited in cyberattacks.
The most difficult phase of a data breach campaign is penetrating an ecosystem. Social Engineering attacks significantly simply this phase because victims are essentially handing threat actors the keys to the internal network.
Because Social Engineering attacks help cyber criminals so much, they’ll continue to be prevalent. Currently, 33% of data breaches are caused by Social Engineering attacks, so by implementing prevention efforts, a third of all data breaches will be avoided.
Social engineering isn't just applicable in a digital context, it can be used in any scenario where specific information is required from a victim for malicious purposes. In the video below, world-famous hacker, Kevin Mitnick, describes how he used social engineering to exploit the paper ticketing system of an L.A. bus network at 12 years of age.
Examples of Social Engineering Techniques
Common social engineering attacks include:
A type of social engineering where an attacker leaves a physical device infected with a type of malware in a place it will be found, e.g. a USB. The victim inserts the USB into their computer and unintentionally infects the computer with malicious software.
Social engineers trick a delivery company into sending the package to a different location and intercept the mail.
A con artist poses as an attractive person online to build up a fake online relationship to make money or gather personally identifiable information (PII) like the victim's phone number and email account.
Phishing attacks gather sensitive information like login credentials, credit card numbers, bank account details by masquerading as a trusted source. A common phishing scam is the use of email spoofing to masquerade as a trusted source like a financial institution to trick the victim into clicking a malicious link or downloading an infected attachment. Phishing emails often create a sense of urgency to make the victim feel that divulging information quickly is important. Despite being a relatively unsophisticated attack, phishing represents one of the largest cybersecurity risks.
Pretexting is lying to gain access to personal data or other privileged information. For example, a fraudster may pose as a third-party vendor, saying they need to know your full name and title to verify your identity.
Quid Pro Quo
A quid pro quo attack uses the human tendency of reciprocity to gain access to information. For example, an attacker may provide free technical support over a phone call to a victim and request that they turn off their anti-virus software or install a trojan that takes control of their operating system.
Rogue Security Ssoftware
Rogue security software or scareware is fake security software that claims malware is on the computer. The end-user receives a pop-up that demands payment for removal. If a payment isn't made, pop-ups will continue but files are generally safe.
Spear phishing is an email spoofing attack targeting a specific organization or individual. Spear phishing emails aim to infect the victim with ransomware or trick them into revealing sensitive data and sensitive information.
Smishing or SMS phishing is phishing performed over SMS rather than the traditional medium of email.
Tailgating or piggybacking is when an attacker follows a person into a secure area. This type of attack relies on the person being followed assuming the person has legitimate access to the area.
Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. Vishing paired with voice deep fakes is a massive cybersecurity risk. According to The Wall Street Journal, the CEO of a UK-based energy firm sent $243,000 to an attacker's bank account believing he was on the phone to his boss.
A watering hole attack is when an attacker targets a specific group of people by infecting a website they know and trust, e.g. by exploiting an outdated SSL certificate, typosquatting, lack of DNSSEC or domain hijacking.
Whaling is a form of spear phishing targeting high-profile individuals like public company executives, politicians or celebrities. For example, whaling attacks often come in the form of a fake request from the CEO asking the HR department to change their existing payroll details to those set up by the phisher.
How Does Social Engineering Work?
Social engineers use a wide range of social engineering tactics that rely on the six principles of influence.
That said, the first step for most social engineering attacks is to gather information on the target.
For example, if the target is an organization, attackers can exploit poor OPSEC practices to gather intelligence on corporate structure, internal operations, industry jargon, third-party vendors, and other publicly accessible information listed on social media profiles, online and in person.
In many cases, the first target will be a low-level employee whose login credentials can be used to gain access to internal information that can be used for spear phishing or other more targeted cyber threats.
Social engineering attacks expose sensitive information, like social security numbers or credit card numbers, and lead to data breaches and data leaks of personally identifiable information (PII) and protected health information (PHI).
Why Do Cybercriminals Use Social Engineering?
Cybercriminals use social engineering techniques to conceal their true identity and present themselves as trusted sources or individuals. The objective is to influence, manipulate or trick victims into giving up personal information or gain unauthorized access in an organization.
Most social engineering exploits people's willingness to be helpful. For example, the attacker may pose as a co-worker who has an urgent problem e.g. an overdue invoice.
12 Ways to Prevent Social Engineering Attacks in 2021
Social Engineering attacks can have the best chances of not falling victim to Social Engineering attacks by following these 12 prevention strategies.
1. Educate Employees
Ignorance is the primary reason employees fall victim to Social Engineering attacks. Organizations should educate their staff about how to respond to common breach attempts. For example, what to do when information is requested and when someone attempts to tailgate or when someone attempts to tailgate an employee into the office.
The following list outlines some of the most common cyberattacks. Each link will open a blog post that can be used for cybercrime awareness training in the workplace:
2. Establish Security Policies
Establishing an information security policy that outlines what to do to avoid social engineering and have an incident response plan to react to data breaches and data leaks to reduce the impact of any one social engineering attack.
3. Scrutinize All Information
Teach employees to scrutinize every email they receive and every device they plug into their computer. By identifying what information is sensitive and evaluating how it could be exposed during a social engineering attack can help organizations build in countermeasures and mitigate cybersecurity risk.
4. Establish Security Protocols
5. Test Attack Resilience
6. Increase Test Attacks
Just like a vaccination, your organization can become more resistant to social engineering attacks if they are exposed to them frequently, this is why testing multiple times a year is important.
7. Review Response Protocols
Review your countermeasures and training against social engineering attacks over time and improve or discard outdated information.
8. Secure All Waste
Use a secure waste management service so social engineers can't gather information about your organization from the dumpster and use it to launch spear-phishing or other targeted social engineering campaigns.
9. Use Multi-Factor Authentication
Require users to know something (password), have something (token), and be something (biometrics) in order to make a payment or perform a sensitive action.
10. Operations Security
OPSEC is a process that identifies friendly actions that could be useful for a potential attacker. If properly analyzed and grouped with other data, OPSEC will reveal critical information or sensitive data. By employing OPSEC practices, organizations can reduce the amount of information social engineers can gather.
11. Implement a Third-Party Risk Management Framework
It's no longer enough to solely focus on your organization's cyber resilience and cybersecurity, Third-party vendors are increasingly processing large amounts of personally identifiable information (PII) and protected health information (PHI), which makes them prime targets for social engineers who want access to personal data.
Develop a third-party risk management framework, vendor management policy and perform a cybersecurity risk assessment before onboarding new vendors or continuing to use existing vendors. It's much easier to prevent data breaches than clean them up, especially after stolen data has been sold on the dark web. Look for software that can automate vendor risk management and continuously monitor and rate your vendors' cybersecurity rating.
12. Detect Data Leaks
It can be hard to know when credentials have been exposed during a phishing attack. Some phishers may wait months or years to use the credentials they collect, which is why your organization should be continuously scanning for data exposures and leaked credentials.
What are the Six Principles of Influence Abused in Social Engineering?
All social engineering techniques rely on exploiting aspects of human interaction and decision-making known as cognitive biases. Think of biases as vulnerabilities in human software which can be exploited just like software-based vulnerabilities listed on CVE.
Social engineering relies heavily on Robert Cialdini's, Regents' Professor Emeritus of Psychology and Marketing at Arizona State University and best-selling author, theory of influence based on six principles:
People tend to want to return a favor, which explains the pervasiveness of free samples in marketing. A scammer may give the target something for free and then request access to sensitive information.
Social Engineering example of reciprocity:
An attacker is demonstrating kindness making the victim feel compelled to echo the sentiment by providing sensitive access information.
2. Commitment and Consistency
If people commit, orally or in writing, to a goal or idea, they're more likely to honor the commitment, even if the original motivation is removed.
Social Engineering example of commitment and consistency:
An employee follows through with an attacker's request for login credentials because they originally agreed to supply it, even if they realize it shouldn't be done.
3. Social Proof
People tend to do things other people are doing.
Social Engineering example of social proof:
An attacker provides false evidence that a victim's colleague has collaborated with them recently. This compels the victim to comply.
People tend to obey authority figures even if asked to do objectionable acts. This is why spear-phishing campaigns that use the CEO's name and target low-level employees can be successful.
Social Engineering example of authority:
An attacker poses as an authoritative figure, either within the targeted workplace or in society, for example, police officers, lawyers, etc.
People are easily persuaded by people they like, hence why spear phishers will often masquerade as a colleague or friend in their spear-phishing campaigns.
Social Engineering example of liking
An attack compliments a victim to seem likable.
Perceived scarcity increases demand, hence why social engineers often create a sense of urgency.
Social Engineering example of scarcity:
An attacker gives a compelling reason for urgently requiring a set of credentials.
What are Examples of Social Engineering attacks?
The Trojan Horse
The most famous social engineering attack comes from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy, where soldiers hid in a giant wooden horse presented to the Trojan army as a gift of peace.
RSA Data Breach
A successful social engineering attack led to the 2011 data breach of RSA. Attackers sent two phishing emails over two days to a group of RSA employees with the subject line of "2011 Recruitment Plan" and an infected Excel document that exploited an Adobe Flash vulnerability (CVE-2011-0609).
Target Data Breach
In 2013, Target suffered a massive data breach which started with a third-party vendor falling for a phishing email. The email contained a trojan and enabled the attackers to gain access to Target's POS system that resulted in the theft of 40 million Target customers' credit card details.
Mispadu: Malvertising for Fake McDonald's Coupons
A bank credential stealing trojan known as Mispadu was deployed via Facebook ads for fake McDonald's coupons. The ads targeted residents in Brazil and Mexico. When users attempted to access the coupons, a zip file containing the trojan was downloaded and installed on their computer.
Mispadu scans web browsers, email clients, and even the clipboard data base for banking credential information. The trojan also attempts to replace existing bitcoin wallets with its own wallet.
Examples of Notable Social Engineers
Notable social engineers include:
Based in the United States, Mitnick is a computer security consultant, author, and hacker, best known for his high-profile arrest in 1995 and five-year conviction for various computer and communications-related crimes.
An American hacker who was active during the late 1970s and early 1980s, known for her expertise in social engineering, pretexting, and psychological subversion.
Ramy, Muzher and Shaddle Badir, brothers who were all blind from birth, set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, vishing and Braille-display computers.
Frank Abagnale is an American security consultant known for his background as a former con man, check forger, and impostor while he was between the ages of 15 and 21. He may be the world's best known social engineer because of his best-selling book Catch Me If You Can that was adapted into a movie directed by Oscar-winning Steven Spielberg with Abagnale played by Leonardo DiCaprio.
Prevent Social Engineering Data Breaches and Data Leaks With UpGuard
UpGuard integrates a data leak detection engine with Third-Party Risk management, to create the world’s leading attack surface monitoring solution. UpGuard's advanced vulnerability detection capabilities help businesses discover and remediate exposures before they're exploited in social engineering campaigns.
Find out if your website is at risk of being compromised, click here for your free security report now!